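/*
 * dnssecjava - a DNSSEC validating stub resolver for Java
 * Copyright (c) 2013-2015 Ingo Bauersachs
 *
 * All rights reserved. This program and the accompanying materials
 * are made available under the terms of the Eclipse Public License v1.0
 * which accompanies this distribution, and is available at
 * http://www.eclipse.org/legal/epl-v10.html
 */
package org.jitsi.dnssec;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;

import java.io.IOException;
import org.junit.Test;
import org.xbill.DNS.Flags;
import org.xbill.DNS.Message;
import org.xbill.DNS.RRset;
import org.xbill.DNS.Rcode;

/**
 * Offline tests for NSEC3-based NODATA proofs.
 *
 * <p>Every test is {@link AlwaysOffline}: the resolver replays a canned response from the test
 * fixtures rather than talking to the network, so each case pins down how the validator
 * classifies one particular (often deliberately forged) NODATA proof:
 *
 * <ul>
 *   <li><b>bogus</b> – SERVFAIL, AD clear, validation reason starting with {@code failed.nodata};
 *   <li><b>insecure</b> – NOERROR, AD clear, no reason (the name sits below an unsigned
 *       delegation, so there is nothing to validate);
 *   <li><b>secure</b> – NOERROR, AD set, no reason.
 * </ul>
 *
 * <p>The "abused" cases are the security-relevant ones: they feed the validator an NSEC3 that
 * is genuine but taken from the wrong zone (parent instead of child or vice versa) to see
 * whether a NODATA answer can be forged with it. Accepting such a proof would let an attacker
 * deny the existence of a DS record (and with it the whole signed child zone) or of any type at
 * a name.
 */
public class TestNSEC3NoData extends TestBase {
  /** Prefix of the validation reason every rejected NODATA proof in this class must report. */
  private static final String NODATA_FAILURE = "failed.nodata";

  /**
   * Asserts that the validator rejected the answer as bogus: AD clear, SERVFAIL and a reason
   * starting with {@value #NODATA_FAILURE}.
   *
   * <p>The reason is checked for presence before {@code startsWith} so that a SERVFAIL without
   * any reason fails with a readable assertion message instead of a NullPointerException.
   */
  private void expectBogusNodata(Message response) {
    assertFalse("AD flag must not be set", response.getHeader().getFlag(Flags.AD));
    assertEquals(Rcode.SERVFAIL, response.getRcode());
    String reason = getReason(response);
    assertNotNull("a bogus answer must carry a validation reason", reason);
    assertTrue("unexpected validation reason: " + reason, reason.startsWith(NODATA_FAILURE));
  }

  /** Asserts an insecure answer: NOERROR, AD clear and no validation reason recorded. */
  private void expectInsecure(Message response) {
    assertFalse("AD flag must not be set", response.getHeader().getFlag(Flags.AD));
    assertEquals(Rcode.NOERROR, response.getRcode());
    assertNull(getReason(response));
  }

  /** Asserts a secure answer: NOERROR, AD set and no validation reason recorded. */
  private void expectSecure(Message response) {
    assertTrue("AD flag must be set", response.getHeader().getFlag(Flags.AD));
    assertEquals(Rcode.NOERROR, response.getRcode());
    assertNull(getReason(response));
  }

  /**
   * Replaces all configured trust anchors with the single DS record given in zone-file syntax.
   *
   * <p>This mutates the resolver under test; it assumes {@link TestBase} hands every test a fresh
   * resolver instance — TODO confirm, otherwise tests become order-dependent.
   */
  private void useOnlyTrustAnchor(String dsRecord) throws IOException {
    resolver.getTrustAnchors().clear();
    resolver.getTrustAnchors().store(new SRRset(new RRset(toRecord(dsRecord))));
  }

  /**
   * A NODATA answer for MX at a name that (per the fixture) actually owns a CNAME must be
   * rejected; presumably the NSEC3 covering the name has the CNAME bit set, which makes it unable
   * to prove the absence of any other type there.
   */
  @Test
  @AlwaysOffline
  public void testNodataButHasCname() throws IOException {
    Message response = resolver.send(createMessage("www.nsec3.ingotronic.ch./MX"));
    expectBogusNodata(response);
  }

  /**
   * Forgery attempt: the NSEC3 whose owner hashes to sub.nsec3.ingotronic.ch. is taken from the
   * parent zone (nsec3.ingotronic.ch.) and used to "prove" NODATA for sub.nsec3.ingotronic.ch./A.
   * The parent's NSEC3 only describes the delegation point, so the validator must not accept it.
   */
  @Test
  @AlwaysOffline
  public void testNodataApexNsec3Abused() throws IOException {
    Message response = resolver.send(createMessage("sub.nsec3.ingotronic.ch./A"));
    expectBogusNodata(response);
  }

  /**
   * Same parent-zone NSEC3 as above, but with the DS bit removed from its type map. That turns
   * sub.nsec3.ingotronic.ch. into an unsigned delegation, so the reply is insecure rather than
   * bogus: nothing below the delegation can be validated.
   */
  @Test
  @AlwaysOffline
  public void testNodataApexNsec3ProofInsecureDelegation() throws IOException {
    Message response = resolver.send(createMessage("sub.nsec3.ingotronic.ch./A"));
    expectInsecure(response);
  }

  /**
   * The legitimate counterpart: the NODATA proof for sub.nsec3.ingotronic.ch./A comes from the
   * child zone's apex NSEC3 (the one carrying the SOA bit), which is the correct owner of that
   * name's type map, so the answer validates as secure.
   */
  @Test
  @AlwaysOffline
  public void testNodataApexNsec3WithSOAValid() throws IOException {
    Message response = resolver.send(createMessage("sub.nsec3.ingotronic.ch./A"));
    expectSecure(response);
  }

  /**
   * Forgery attempt in the other direction: the child zone's apex NSEC3 for
   * sub.nsec3.ingotronic.ch. is used to "prove" that no DS exists. The DS RRset lives in the
   * parent, so an NSEC3 from the child can never prove its absence; accepting it would let an
   * attacker strip DNSSEC from the child zone.
   */
  @Test
  @AlwaysOffline
  public void testNodataApexNsec3AbusedForNoDS() throws IOException {
    Message response = resolver.send(createMessage("sub.nsec3.ingotronic.ch./DS"));
    expectBogusNodata(response);
  }

  /**
   * A NODATA proof for DS at the root is the one case where an apex NSEC3 may prove the absence
   * of DS: the root has no parent zone that could hold a DS, so the root's own apex NSEC3 is the
   * only possible proof, and the answer must validate as secure.
   *
   * <p>The fixture anchor uses algorithm 7 / digest type 1 (SHA-1 based); acceptable for replaying
   * canned data, not something to copy into a production trust-anchor set.
   */
  @Test
  @AlwaysOffline
  public void testNoDSProofCanExistForRoot() throws IOException {
    useOnlyTrustAnchor(". 300 IN DS 16758 7 1 EC88DF5E2902FD4AB9E9C246BEEA9B822BD7BCF7");
    Message response = resolver.send(createMessage("./DS"));
    expectSecure(response);
  }

  /**
   * The NSEC3 proving that bogus./DS does not exist must not carry the SOA bit: a DS is never
   * stored at the apex of the zone it protects, so an SOA-bearing NSEC3 would be from the wrong
   * zone. With the bogus. DS installed as sole trust anchor the replayed answer is expected to
   * validate as secure.
   *
   * <p>NOTE(review): the test name reads like a rejection case while the assertions expect a
   * secure answer; confirm against the offline fixture which side of the rule it exercises.
   */
  @Test
  @AlwaysOffline
  public void testNodataNsec3ForDSMustNotHaveSOA() throws IOException {
    useOnlyTrustAnchor("bogus. 300 IN DS 16758 7 1 A5D56841416AB42DC39629E42D12C98B0E94232A");
    Message response = resolver.send(createMessage("bogus./DS"));
    expectSecure(response);
  }

  /**
   * The closest encloser of a.unsigned.nsec3.ingotronic.ch. is an insecure (unsigned)
   * delegation, so a NODATA answer for A below it is accepted as insecure: no AD bit, no failure.
   */
  @Test
  @AlwaysOffline
  public void testNsec3ClosestEncloserIsInsecureDelegation() throws IOException {
    Message response = resolver.send(createMessage("a.unsigned.nsec3.ingotronic.ch./A"));
    expectInsecure(response);
  }

  /**
   * Same name, but queried for DS. Per RFC 5155 section 7.2.4 a NODATA proof for DS must include
   * the NSEC3 matching the next closer name; the fixture omits it, so the answer is bogus even
   * though the closest encloser itself is an insecure delegation.
   */
  @Test
  @AlwaysOffline
  public void testNsec3ClosestEncloserIsInsecureDelegationDS() throws IOException {
    Message response = resolver.send(createMessage("a.unsigned.nsec3.ingotronic.ch./DS"));
    expectBogusNodata(response);
  }
}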