rec: Generate EDE in more cases, specifically on unreachable auths or sythesized results.#12334

Merged
merged 5 commits into from Jan 3, 2023
A few tests on the new EDEs
omoerbeek committed Dec 20, 2022
commit 811bddf90045f3ec9d90f08cb7fd4a96bdbe789f
45 changes: 45 additions & 0 deletions regression-tests.recursor-dnssec/test_AggressiveNSECCache.py
Expand Up @@ -4,6 +4,7 @@
import requests
import subprocess
import time
import extendederrors

class AggressiveNSECCacheBase(RecursorTest):
__test__ = False
Expand All @@ -21,6 +22,7 @@ class AggressiveNSECCacheBase(RecursorTest):
webserver-password=%s
api-key=%s
devonly-regression-test-mode
extended-resolution-errors=yes
""" % (_wsPort, _wsPassword, _apiKey)

@classmethod
Expand Down Expand Up @@ -67,6 +69,10 @@ def testNoData(self):
self.assertMessageIsAuthenticated(res)
self.assertEqual(nbQueries, self.getMetric('all-outqueries'))
self.assertEqual(self.getMetric('aggressive-nsec-cache-entries'), entries)
self.assertEqual(res.edns, 0)
self.assertEqual(len(res.options), 1)
self.assertEqual(res.options[0].otype, 15)
self.assertEqual(res.options[0], extendederrors.ExtendedErrorOption(0, b'Result synthesized from aggressive NSEC cache (RFC8198)'))

class AggressiveNSECCacheNSEC(AggressiveNSECCacheBase):
_confdir = 'AggressiveNSECCacheNSEC'
Expand Down Expand Up @@ -101,6 +107,10 @@ def testNXD(self):
self.assertEqual(nbQueries, self.getMetric('all-outqueries'))
self.assertEqual(self.getMetric('aggressive-nsec-cache-entries'), entries)
self.assertGreater(self.getMetric('aggressive-nsec-cache-nsec-hits'), hits)
self.assertEqual(res.edns, 0)
self.assertEqual(len(res.options), 1)
self.assertEqual(res.options[0].otype, 15)
self.assertEqual(res.options[0], extendederrors.ExtendedErrorOption(0, b'Result synthesized from aggressive NSEC cache (RFC8198)'))

def testWildcard(self):
self.wipe()
Expand All @@ -124,6 +134,10 @@ def testWildcard(self):
self.assertMessageIsAuthenticated(res)
self.assertEqual(nbQueries, self.getMetric('all-outqueries'))
self.assertGreater(self.getMetric('aggressive-nsec-cache-nsec-wc-hits'), hits)
self.assertEqual(res.edns, 0)
self.assertEqual(len(res.options), 1)
self.assertEqual(res.options[0].otype, 15)
self.assertEqual(res.options[0], extendederrors.ExtendedErrorOption(0, b'Result synthesized from aggressive NSEC cache (RFC8198)'))

# now we ask for a type that does not exist at the wildcard
hits = self.getMetric('aggressive-nsec-cache-nsec-hits')
Expand All @@ -135,6 +149,10 @@ def testWildcard(self):
self.assertMessageIsAuthenticated(res)
self.assertEqual(nbQueries, self.getMetric('all-outqueries'))
self.assertGreater(self.getMetric('aggressive-nsec-cache-nsec-hits'), hits)
self.assertEqual(res.edns, 0)
self.assertEqual(len(res.options), 1)
self.assertEqual(res.options[0].otype, 15)
self.assertEqual(res.options[0], extendederrors.ExtendedErrorOption(0, b'Result synthesized from aggressive NSEC cache (RFC8198)'))

# we can also ask a different type, for a different name that is covered
# by the NSEC and matches the wildcard (but the type does not exist)
Expand All @@ -147,6 +165,10 @@ def testWildcard(self):
self.assertMessageIsAuthenticated(res)
self.assertEqual(nbQueries, self.getMetric('all-outqueries'))
self.assertGreater(self.getMetric('aggressive-nsec-cache-nsec-hits'), hits)
self.assertEqual(res.edns, 0)
self.assertEqual(len(res.options), 1)
self.assertEqual(res.options[0].otype, 15)
self.assertEqual(res.options[0], extendederrors.ExtendedErrorOption(0, b'Result synthesized from aggressive NSEC cache (RFC8198)'))

def test_Bogus(self):
self.wipe()
Expand Down Expand Up @@ -184,6 +206,11 @@ def test_Bogus(self):

# Check that we stil have one aggressive cache entry
self.assertEqual(1, self.getMetric('aggressive-nsec-cache-entries'))
print(res.options)
self.assertEqual(res.edns, 0)
self.assertEqual(len(res.options), 1)
self.assertEqual(res.options[0].otype, 15)
self.assertEqual(res.options[0], extendederrors.ExtendedErrorOption(9, b''))

class AggressiveNSECCacheNSEC3(AggressiveNSECCacheBase):
_confdir = 'AggressiveNSECCacheNSEC3'
Expand Down Expand Up @@ -252,6 +279,10 @@ def testNXD(self):
self.assertAuthorityHasSOA(res)
self.assertMessageIsAuthenticated(res)
self.assertEqual(nbQueries, self.getMetric('all-outqueries'))
self.assertEqual(res.edns, 0)
self.assertEqual(len(res.options), 1)
self.assertEqual(res.options[0].otype, 15)
self.assertEqual(res.options[0], extendederrors.ExtendedErrorOption(0, b'Result synthesized from aggressive NSEC cache (RFC8198)'))

def testWildcard(self):
self.wipe()
Expand Down Expand Up @@ -281,6 +312,10 @@ def testWildcard(self):
self.assertMatchingRRSIGInAnswer(res, expected)
self.assertMessageIsAuthenticated(res)
self.assertEqual(nbQueries, self.getMetric('all-outqueries'))
self.assertEqual(res.edns, 0)
self.assertEqual(len(res.options), 1)
self.assertEqual(res.options[0].otype, 15)
self.assertEqual(res.options[0], extendederrors.ExtendedErrorOption(0, b'Result synthesized from aggressive NSEC cache (RFC8198)'))

# now we ask for a type that does not exist at the wildcard
nbQueries = self.getMetric('all-outqueries')
Expand All @@ -290,6 +325,10 @@ def testWildcard(self):
self.assertAuthorityHasSOA(res)
self.assertMessageIsAuthenticated(res)
self.assertEqual(nbQueries, self.getMetric('all-outqueries'))
self.assertEqual(res.edns, 0)
self.assertEqual(len(res.options), 1)
self.assertEqual(res.options[0].otype, 15)
self.assertEqual(res.options[0], extendederrors.ExtendedErrorOption(0, b'Result synthesized from aggressive NSEC cache (RFC8198)'))

# we can also ask a different type, for a different name that is covered
# by the NSEC3s and matches the wildcard (but the type does not exist)
Expand All @@ -300,6 +339,10 @@ def testWildcard(self):
self.assertAuthorityHasSOA(res)
self.assertMessageIsAuthenticated(res)
self.assertEqual(nbQueries, self.getMetric('all-outqueries'))
self.assertEqual(res.edns, 0)
self.assertEqual(len(res.options), 1)
self.assertEqual(res.options[0].otype, 15)
self.assertEqual(res.options[0], extendederrors.ExtendedErrorOption(0, b'Result synthesized from aggressive NSEC cache (RFC8198)'))

def test_OptOut(self):
self.wipe()
Expand All @@ -317,3 +360,5 @@ def test_OptOut(self):
self.assertAnswerEmpty(res)
self.assertAuthorityHasSOA(res)
self.assertGreater(self.getMetric('all-outqueries'), nbQueries)
self.assertEqual(res.edns, 0)
self.assertEqual(len(res.options), 0)
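Review bot: In the test_Bogus hunk the added `print(res.options)` looks like leftover debugging and should be dropped, since it only adds noise to the regression-test output. The expected option there is `ExtendedErrorOption(9, b'')`, and the bare `9` would read better with a comment such as `# EDE 9: DNSKEY Missing (RFC 8914)`, because this is the one place in the file that pins which validation failure is reported to the client. The same four assertions, with the literal `15` for the EDE option code, are pasted into ten places in this file; a small helper on AggressiveNSECCacheBase taking the response, the info code and the extra text would keep the expected text in one place. test_Bogus and the other test methods start outside the visible hunks.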
14 changes: 12 additions & 2 deletions regression-tests.recursor-dnssec/test_RootNXTrust.py
Expand Up @@ -2,6 +2,8 @@
import requests
import socket
import time
import extendederrors

from recursortests import RecursorTest

class RootNXTrustRecursorTest(RecursorTest):
Expand Down Expand Up @@ -47,6 +49,7 @@ class testRootNXTrustDisabled(RootNXTrustRecursorTest):
webserver-password=%s
api-key=%s
devonly-regression-test-mode
extended-resolution-errors
""" % (_wsPort, _wsPassword, _apiKey)

def testRootNXTrust(self):
Expand All @@ -72,14 +75,16 @@ def testRootNXTrust(self):

# then query nx2.example.
before = after
query = dns.message.make_query('www2.nx-example.', 'A')
query = dns.message.make_query('www2.nx-example.', 'A', use_edns=True)
res = self.sendUDPQuery(query)

self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
self.assertAuthorityHasSOA(res)

after = self.getOutgoingQueriesCount()
self.assertEqual(after, before + 1)
self.assertEqual(res.edns, 0)
self.assertEqual(len(res.options), 0)

class testRootNXTrustEnabled(RootNXTrustRecursorTest):
_confdir = 'RootNXTrustEnabled'
Expand All @@ -96,6 +101,7 @@ class testRootNXTrustEnabled(RootNXTrustRecursorTest):
webserver-password=%s
api-key=%s
devonly-regression-test-mode
extended-resolution-errors
""" % (_wsPort, _wsPassword, _apiKey)

def testRootNXTrust(self):
Expand All @@ -121,11 +127,15 @@ def testRootNXTrust(self):

# then query nx2.example.
before = after
query = dns.message.make_query('www2.nx-example.', 'A')
query = dns.message.make_query('www2.nx-example.', 'A', use_edns=True)
res = self.sendUDPQuery(query)

self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
self.assertAuthorityHasSOA(res)

after = self.getOutgoingQueriesCount()
self.assertEqual(after, before)
self.assertEqual(res.edns, 0)
self.assertEqual(len(res.options), 1)
self.assertEqual(res.options[0].otype, 15)
self.assertEqual(res.options[0], extendederrors.ExtendedErrorOption(0, b'Result synthesized by root-nx-trust'))
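Review bot: The config added to both classes spells the setting as bare `extended-resolution-errors`, while test_AggressiveNSECCache.py in the same commit writes `extended-resolution-errors=yes`; using the explicit `=yes` form in both files would keep the test configs consistent. This matters most for testRootNXTrustDisabled, where the new `self.assertEqual(len(res.options), 0)` would also pass if the setting were not in effect, so that test relies on the Enabled class to show the bare form is honoured. In testRootNXTrustEnabled the literal `15` could carry a short comment, e.g. `# EDNS option code 15 = Extended DNS Error`. Both testRootNXTrust bodies start outside the visible hunks.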