unbound/testdata/edns_downstream_cookies.rpl
George Thessalonikefs 49e4258102 - For #762: Interaction between DNS Cookies and source IP ratelimiting
by allowing Cookies to bypass the ratelimit, but still allowing
  ratelimit to valid DNS Cookie clients via the new
  ip-ratelimit-cookie option.
2023-08-08 10:14:03 +02:00


; config options (the cookie-secret below is a fixed test fixture; a real
; deployment must use its own randomly generated secret and never this value)
server:
answer-cookie: yes
cookie-secret: "000102030405060708090a0b0c0d0e0f"
access-control: 127.0.0.1 allow_cookie
access-control: 1.2.3.4 allow
local-data: "test. TXT test"
CONFIG_END
SCENARIO_BEGIN Test downstream DNS Cookies
; Note: When a valid hash was required, it was generated by running this test
; with an invalid one and checking the output for the valid one. The expected
; hashes are therefore fixtures bound to this cookie-secret and these client
; cookie bytes (and presumably the source address): regenerate them if any of
; those change, otherwise the "valid cookie" steps will start failing.
; Actual hash generation is tested with unit tests.
; Query without a client cookie over UDP, from the default (allow_cookie) address ...
STEP 0 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
ENTRY_END
; ... get REFUSED with TC set: allow_cookie does not answer a cookie-less UDP
; query, and TC tells the client to retry over TCP (see STEP 10)
STEP 1 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA TC REFUSED
SECTION QUESTION
test. IN TXT
ENTRY_END
; Query without a client cookie, same address, but over TCP ...
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD
MATCH TCP
SECTION QUESTION
test. IN TXT
ENTRY_END
; ... get an answer (under allow_cookie a TCP query is accepted without a cookie)
STEP 11 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AA NOERROR
SECTION QUESTION
test. IN TXT
SECTION ANSWER
test. IN TXT "test"
ENTRY_END
; Query with only a client cookie (no server cookie part yet) ...
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 0a ; Opcode 10
00 08 ; Length 8
31 32 33 34 35 36 37 38 ; Random bits
HEX_EDNSDATA_END
ENTRY_END
; ... get BADCOOKIE plus a fresh server cookie to retry with; BADCOOKIE is an
; extended rcode, and its low 4 bits are what the header shows as YXRRSET
STEP 21 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA DO YXRRSET ; BADCOOKIE is an extended rcode
SECTION QUESTION
test. IN TXT
ENTRY_END
; Query with an invalid server cookie (wrong version byte and wrong hash) ...
STEP 30 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 0a ; Opcode 10
00 18 ; Length 24
31 32 33 34 35 36 37 38 ; Random bits
02 00 00 00 ; wrong version
00 00 00 00 ; Timestamp
31 32 33 34 35 36 37 38 ; wrong hash
HEX_EDNSDATA_END
ENTRY_END
; ... get BADCOOKIE (not an answer) plus a fresh server cookie to retry with
STEP 31 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA DO YXRRSET ; BADCOOKIE is an extended rcode
SECTION QUESTION
test. IN TXT
ENTRY_END
; Query with the same invalid cookie from 1.2.3.4, which is plain "allow"
; rather than allow_cookie ...
STEP 40 QUERY ADDRESS 1.2.3.4
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 0a ; Opcode 10
00 18 ; Length 24
31 32 33 34 35 36 37 38 ; Random bits
02 00 00 00 ; wrong version
00 00 00 00 ; Timestamp
31 32 33 34 35 36 37 38 ; wrong hash
HEX_EDNSDATA_END
ENTRY_END
; ... get an answer anyway (plain allow does not enforce cookies) plus a fresh
; server cookie
STEP 41 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA AA DO NOERROR
SECTION QUESTION
test. IN TXT
SECTION ANSWER
test. IN TXT "test"
ENTRY_END
; Query with a valid server cookie (correct version, timestamp 0, correct hash) ...
STEP 50 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 0a ; Opcode 10
00 18 ; Length 24
31 32 33 34 35 36 37 38 ; Random bits
01 00 00 00 ; Version/Reserved
00 00 00 00 ; Timestamp
38 52 7b a8 c6 a4 ea 96 ; Hash
HEX_EDNSDATA_END
ENTRY_END
; ... get answer and the cookie
STEP 51 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA AA DO NOERROR
SECTION QUESTION
test. IN TXT
SECTION ANSWER
test. IN TXT "test"
ENTRY_END
; Query with a still-valid cookie that is now >30 minutes old
; (timestamp 0, clock advanced to 1801) ...
STEP 59 TIME_PASSES ELAPSE 1801
STEP 60 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 0a ; Opcode 10
00 18 ; Length 24
31 32 33 34 35 36 37 38 ; Random bits
01 00 00 00 ; Version/Reserved
00 00 00 00 ; Timestamp
38 52 7b a8 c6 a4 ea 96 ; Hash
HEX_EDNSDATA_END
ENTRY_END
; ... get an answer and a refreshed server cookie, so the client does not
; keep using one that is about to expire
; (we don't check the re-freshness here; it has its own unit test)
STEP 61 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA AA DO NOERROR
SECTION QUESTION
test. IN TXT
SECTION ANSWER
test. IN TXT "test"
ENTRY_END
; Query with a cookie whose hash is correct but whose timestamp (1801) is now
; >60 minutes old (clock at 1801 + 3601 = 5402) ...
STEP 69 TIME_PASSES ELAPSE 3601
STEP 70 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 0a ; Opcode 10
00 18 ; Length 24
31 32 33 34 35 36 37 38 ; Random bits
01 00 00 00 ; Version/Reserved
00 00 07 09 ; Timestamp (1801)
77 81 38 e3 8f aa 72 86 ; Hash
HEX_EDNSDATA_END
ENTRY_END
; ... get BADCOOKIE and a new cookie: an expired cookie is rejected even
; though its hash verifies
STEP 71 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA DO YXRRSET ; BADCOOKIE is an extended rcode
SECTION QUESTION
test. IN TXT
ENTRY_END
; Query with a valid cookie whose timestamp is 299 s in the future
; (a <5 minute future timestamp is tolerated) ...
STEP 80 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 0a ; Opcode 10
00 18 ; Length 24
31 32 33 34 35 36 37 38 ; Random bits
01 00 00 00 ; Version/Reserved
00 00 16 45 ; Timestamp (1801 + 3601 + 299)
4a f5 0f df f0 e8 c7 09 ; Hash
HEX_EDNSDATA_END
ENTRY_END
; ... get an answer (and a server cookie)
STEP 81 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA AA DO NOERROR
SECTION QUESTION
test. IN TXT
SECTION ANSWER
test. IN TXT "test"
ENTRY_END
SCENARIO_END