|
|
@@ -704,9 +704,8 @@ MockZoneFinder::find(const Name& name, const RRType& type,
|
|
|
ConstRRsetPtr rrset;
|
|
|
// Strip whatever signature there is in case DNSSEC is not required
|
|
|
// Just to make sure the Query asks for it when it is needed
|
|
|
- if ((options & ZoneFinder::FIND_DNSSEC) != 0 ||
|
|
|
- include_rrsig_anyway_ ||
|
|
|
- !found_rrset->second->getRRsig()) {
|
|
|
+ if ((options & ZoneFinder::FIND_DNSSEC) != 0 &&
|
|
|
+ found_rrset->second->getRRsig()) {
|
|
|
rrset = found_rrset->second;
|
|
|
} else {
|
|
|
RRsetPtr noconst(new RRset(found_rrset->second->getName(),
|
|
|
@@ -1026,7 +1025,8 @@ TEST_F(QueryTest, exactMatchIgnoreSIG) {
|
|
|
|
|
|
TEST_F(QueryTest, dnssecPositive) {
|
|
|
// Just like exactMatch, but the signatures should be included as well
|
|
|
- EXPECT_NO_THROW(query.process(list, qname, qtype, response));
|
|
|
+ EXPECT_NO_THROW(query.process(list, qname, qtype, response,
|
|
|
+ true));
|
|
|
// find match rrset
|
|
|
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 2, 4, 6,
|
|
|
(www_a_txt + std::string("www.example.com. 3600 IN RRSIG "
|
|
|
@@ -1138,7 +1138,7 @@ TEST_F(QueryTest, delegationWithDNSSEC) {
|
|
|
// In this case the parent zone would behave as unsigned, so the result
|
|
|
// should be just like non DNSSEC delegation.
|
|
|
query.process(list, Name("www.nosec-delegation.example.com"),
|
|
|
- qtype, response);
|
|
|
+ qtype, response, true);
|
|
|
|
|
|
responseCheck(response, Rcode::NOERROR(), 0, 0, 1, 0,
|
|
|
NULL, nosec_delegation_txt, NULL);
|
|
|
@@ -1147,7 +1147,7 @@ TEST_F(QueryTest, delegationWithDNSSEC) {
|
|
|
TEST_F(QueryTest, secureDelegation) {
|
|
|
EXPECT_NO_THROW(query.process(list,
|
|
|
Name("foo.signed-delegation.example.com"),
|
|
|
- qtype, response));
|
|
|
+ qtype, response, true));
|
|
|
|
|
|
// Should now contain RRSIG and DS record as well.
|
|
|
responseCheck(response, Rcode::NOERROR(), 0, 0, 3, 0,
|
|
|
@@ -1162,7 +1162,7 @@ TEST_F(QueryTest, secureDelegation) {
|
|
|
TEST_F(QueryTest, secureUnsignedDelegation) {
|
|
|
EXPECT_NO_THROW(query.process(list,
|
|
|
Name("foo.unsigned-delegation.example.com"),
|
|
|
- qtype, response));
|
|
|
+ qtype, response, true));
|
|
|
|
|
|
// Should now contain RRSIG and NSEC record as well.
|
|
|
responseCheck(response, Rcode::NOERROR(), 0, 0, 3, 0,
|
|
|
@@ -1183,7 +1183,7 @@ TEST_F(QueryTest, secureUnsignedDelegationWithNSEC3) {
|
|
|
|
|
|
query.process(list,
|
|
|
Name("foo.unsigned-delegation.example.com"),
|
|
|
- qtype, response);
|
|
|
+ qtype, response, true);
|
|
|
|
|
|
// The response should contain the NS and matching NSEC3 with its RRSIG
|
|
|
responseCheck(response, Rcode::NOERROR(), 0, 0, 3, 0,
|
|
|
@@ -1202,7 +1202,7 @@ TEST_F(QueryTest, secureUnsignedDelegationWithNSEC3OptOut) {
|
|
|
|
|
|
query.process(list,
|
|
|
Name("foo.unsigned-delegation.example.com"),
|
|
|
- qtype, response);
|
|
|
+ qtype, response, true);
|
|
|
|
|
|
// The response should contain the NS and the closest provable encloser
|
|
|
// proof (and their RRSIGs). The closest encloser is the apex (origin),
|
|
|
@@ -1227,7 +1227,7 @@ TEST_F(QueryTest, badSecureDelegation) {
|
|
|
// something different than SUCCESS or NXRRSET
|
|
|
EXPECT_THROW(query.process(list,
|
|
|
Name("bad-delegation.example.com"),
|
|
|
- qtype, response), Query::BadDS);
|
|
|
+ qtype, response, true), Query::BadDS);
|
|
|
|
|
|
// But only if DNSSEC is requested (it shouldn't even try to look for
|
|
|
// the DS otherwise)
|
|
|
@@ -1251,7 +1251,7 @@ TEST_F(QueryTest, nxdomainWithNSEC) {
|
|
|
// as well as their RRSIGs.
|
|
|
EXPECT_NO_THROW(query.process(list,
|
|
|
Name("nxdomain.example.com"), qtype,
|
|
|
- response));
|
|
|
+ response, true));
|
|
|
responseCheck(response, Rcode::NXDOMAIN(), AA_FLAG, 0, 6, 0,
|
|
|
NULL, (string(soa_txt) +
|
|
|
string("example.com. 3600 IN RRSIG ") +
|
|
|
@@ -1270,7 +1270,8 @@ TEST_F(QueryTest, nxdomainWithNSEC2) {
|
|
|
// is derived from the next domain of the NSEC that proves NXDOMAIN, and
|
|
|
// the NSEC to provide the non existence of wildcard is different from
|
|
|
// the first NSEC.
|
|
|
- query.process(list, Name("(.no.example.com"), qtype, response);
|
|
|
+ query.process(list, Name("(.no.example.com"), qtype, response,
|
|
|
+ true);
|
|
|
responseCheck(response, Rcode::NXDOMAIN(), AA_FLAG, 0, 6, 0,
|
|
|
NULL, (string(soa_txt) +
|
|
|
string("example.com. 3600 IN RRSIG ") +
|
|
|
@@ -1287,7 +1288,8 @@ TEST_F(QueryTest, nxdomainWithNSEC2) {
|
|
|
TEST_F(QueryTest, nxdomainWithNSECDuplicate) {
|
|
|
// See comments about nz_txt. In this case we only need one NSEC,
|
|
|
// which proves both NXDOMAIN and the non existence of wildcard.
|
|
|
- query.process(list, Name("nx.no.example.com"), qtype, response);
|
|
|
+ query.process(list, Name("nx.no.example.com"), qtype, response,
|
|
|
+ true);
|
|
|
responseCheck(response, Rcode::NXDOMAIN(), AA_FLAG, 0, 4, 0,
|
|
|
NULL, (string(soa_txt) +
|
|
|
string("example.com. 3600 IN RRSIG ") +
|
|
|
@@ -1304,7 +1306,7 @@ TEST_F(QueryTest, nxdomainBadNSEC1) {
|
|
|
ZoneFinder::NXDOMAIN,
|
|
|
mock_finder->dname_rrset_);
|
|
|
EXPECT_THROW(query.process(list, Name("badnsec.example.com"),
|
|
|
- qtype, response),
|
|
|
+ qtype, response, true),
|
|
|
std::bad_cast);
|
|
|
}
|
|
|
|
|
|
@@ -1314,7 +1316,7 @@ TEST_F(QueryTest, nxdomainBadNSEC2) {
|
|
|
ZoneFinder::NXDOMAIN,
|
|
|
mock_finder->empty_nsec_rrset_);
|
|
|
EXPECT_THROW(query.process(list, Name("emptynsec.example.com"),
|
|
|
- qtype, response),
|
|
|
+ qtype, response, true),
|
|
|
Query::BadNSEC);
|
|
|
}
|
|
|
|
|
|
@@ -1324,7 +1326,7 @@ TEST_F(QueryTest, nxdomainBadNSEC3) {
|
|
|
ZoneFinder::SUCCESS,
|
|
|
mock_finder->dname_rrset_);
|
|
|
EXPECT_THROW(query.process(list, Name("nxdomain.example.com"),
|
|
|
- qtype, response),
|
|
|
+ qtype, response, true),
|
|
|
Query::BadNSEC);
|
|
|
}
|
|
|
|
|
|
@@ -1333,7 +1335,7 @@ TEST_F(QueryTest, nxdomainBadNSEC4) {
|
|
|
mock_finder->setNSECResult(Name("*.example.com"),
|
|
|
ZoneFinder::NXDOMAIN, ConstRRsetPtr());
|
|
|
EXPECT_THROW(query.process(list, Name("nxdomain.example.com"),
|
|
|
- qtype, response),
|
|
|
+ qtype, response, true),
|
|
|
Query::BadNSEC);
|
|
|
}
|
|
|
|
|
|
@@ -1343,7 +1345,8 @@ TEST_F(QueryTest, nxdomainBadNSEC5) {
|
|
|
ZoneFinder::NXDOMAIN,
|
|
|
mock_finder->dname_rrset_);
|
|
|
// This is a bit odd, but we'll simply include the returned RRset.
|
|
|
- query.process(list, Name("nxdomain.example.com"), qtype, response);
|
|
|
+ query.process(list, Name("nxdomain.example.com"), qtype,
|
|
|
+ response, true);
|
|
|
responseCheck(response, Rcode::NXDOMAIN(), AA_FLAG, 0, 6, 0,
|
|
|
NULL, (string(soa_txt) +
|
|
|
string("example.com. 3600 IN RRSIG ") +
|
|
|
@@ -1363,7 +1366,7 @@ TEST_F(QueryTest, nxdomainBadNSEC6) {
|
|
|
ZoneFinder::NXDOMAIN,
|
|
|
mock_finder->empty_nsec_rrset_);
|
|
|
EXPECT_THROW(query.process(list, Name("nxdomain.example.com"),
|
|
|
- qtype, response),
|
|
|
+ qtype, response, true),
|
|
|
Query::BadNSEC);
|
|
|
}
|
|
|
|
|
|
@@ -1378,7 +1381,8 @@ TEST_F(QueryTest, nxrrset) {
|
|
|
TEST_F(QueryTest, nxrrsetWithNSEC) {
|
|
|
// NXRRSET with DNSSEC proof. We should have SOA, NSEC that proves the
|
|
|
// NXRRSET and their RRSIGs.
|
|
|
- query.process(list, Name("www.example.com"), RRType::TXT(), response);
|
|
|
+ query.process(list, Name("www.example.com"), RRType::TXT(),
|
|
|
+ response, true);
|
|
|
|
|
|
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 4, 0, NULL,
|
|
|
(string(soa_txt) + string("example.com. 3600 IN RRSIG ") +
|
|
|
@@ -1398,7 +1402,8 @@ TEST_F(QueryTest, emptyNameWithNSEC) {
|
|
|
// exact match), so we only need one NSEC.
|
|
|
// From the point of the Query::process(), this is actually no different
|
|
|
// from the other NXRRSET case, but we check that explicitly just in case.
|
|
|
- query.process(list, Name("no.example.com"), RRType::A(), response);
|
|
|
+ query.process(list, Name("no.example.com"), RRType::A(),
|
|
|
+ response, true);
|
|
|
|
|
|
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 4, 0, NULL,
|
|
|
(string(soa_txt) + string("example.com. 3600 IN RRSIG ") +
|
|
|
@@ -1413,7 +1418,8 @@ TEST_F(QueryTest, nxrrsetWithoutNSEC) {
|
|
|
// NXRRSET with DNSSEC proof requested, but there's no NSEC at that node.
|
|
|
// This is an unexpected event (if the zone is supposed to be properly
|
|
|
// signed with NSECs), but we accept and ignore the oddity.
|
|
|
- query.process(list, Name("nonsec.example.com"), RRType::TXT(), response);
|
|
|
+ query.process(list, Name("nonsec.example.com"), RRType::TXT(),
|
|
|
+ response, true);
|
|
|
|
|
|
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 2, 0, NULL,
|
|
|
(string(soa_txt) + string("example.com. 3600 IN RRSIG ") +
|
|
|
@@ -1424,7 +1430,8 @@ TEST_F(QueryTest, nxrrsetWithoutNSEC) {
|
|
|
TEST_F(QueryTest, wildcardNSEC) {
|
|
|
// The qname matches *.wild.example.com. The response should contain
|
|
|
// an NSEC that proves the non existence of a closer name.
|
|
|
- query.process(list, Name("www.wild.example.com"), RRType::A(), response);
|
|
|
+ query.process(list, Name("www.wild.example.com"), RRType::A(),
|
|
|
+ response, true);
|
|
|
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 2, 6, 6,
|
|
|
(string(wild_txt).replace(0, 1, "www") +
|
|
|
string("www.wild.example.com. 3600 IN RRSIG ") +
|
|
|
@@ -1444,7 +1451,7 @@ TEST_F(QueryTest, CNAMEwildNSEC) {
|
|
|
// Similar to the previous case, but the matching wildcard record is
|
|
|
// CNAME.
|
|
|
query.process(list, Name("www.cnamewild.example.com"),
|
|
|
- RRType::A(), response);
|
|
|
+ RRType::A(), response, true);
|
|
|
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 2, 2, 0,
|
|
|
(string(cnamewild_txt).replace(0, 1, "www") +
|
|
|
string("www.cnamewild.example.com. 3600 IN RRSIG ") +
|
|
|
@@ -1466,7 +1473,8 @@ TEST_F(QueryTest, wildcardNSEC3) {
|
|
|
// of identifying the next closer name.
|
|
|
mock_finder->addRecord(nsec3_atwild_txt);
|
|
|
|
|
|
- query.process(list, Name("x.y.wild.example.com"), RRType::A(), response);
|
|
|
+ query.process(list, Name("x.y.wild.example.com"), RRType::A(),
|
|
|
+ response, true);
|
|
|
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 2, 6, 6,
|
|
|
(string(wild_txt).replace(0, 1, "x.y") +
|
|
|
string("x.y.wild.example.com. 3600 IN RRSIG ") +
|
|
|
@@ -1491,7 +1499,7 @@ TEST_F(QueryTest, CNAMEwildNSEC3) {
|
|
|
mock_finder->addRecord(nsec3_atcnamewild_txt);
|
|
|
|
|
|
query.process(list, Name("www.cnamewild.example.com"),
|
|
|
- RRType::A(), response);
|
|
|
+ RRType::A(), response, true);
|
|
|
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 2, 2, 0,
|
|
|
(string(cnamewild_txt).replace(0, 1, "www") +
|
|
|
string("www.cnamewild.example.com. 3600 IN RRSIG ") +
|
|
|
@@ -1514,7 +1522,7 @@ TEST_F(QueryTest, badWildcardNSEC3) {
|
|
|
mock_finder->setNSEC3Result(&nsec3);
|
|
|
|
|
|
EXPECT_THROW(query.process(list, Name("www.wild.example.com"),
|
|
|
- RRType::A(), response),
|
|
|
+ RRType::A(), response, true),
|
|
|
Query::BadNSEC3);
|
|
|
}
|
|
|
|
|
|
@@ -1525,7 +1533,7 @@ TEST_F(QueryTest, badWildcardProof1) {
|
|
|
ZoneFinder::SUCCESS,
|
|
|
mock_finder->dname_rrset_);
|
|
|
EXPECT_THROW(query.process(list, Name("www.wild.example.com"),
|
|
|
- RRType::A(), response),
|
|
|
+ RRType::A(), response, true),
|
|
|
Query::BadNSEC);
|
|
|
}
|
|
|
|
|
|
@@ -1534,7 +1542,7 @@ TEST_F(QueryTest, badWildcardProof2) {
|
|
|
mock_finder->setNSECResult(Name("www.wild.example.com"),
|
|
|
ZoneFinder::NXDOMAIN, ConstRRsetPtr());
|
|
|
EXPECT_THROW(query.process(list, Name("www.wild.example.com"),
|
|
|
- RRType::A(), response),
|
|
|
+ RRType::A(), response, true),
|
|
|
Query::BadNSEC);
|
|
|
}
|
|
|
|
|
|
@@ -1544,7 +1552,7 @@ TEST_F(QueryTest, badWildcardProof3) {
|
|
|
ZoneFinder::NXDOMAIN,
|
|
|
mock_finder->empty_nsec_rrset_);
|
|
|
EXPECT_THROW(query.process(list, Name("www.wild.example.com"),
|
|
|
- RRType::A(), response),
|
|
|
+ RRType::A(), response, true),
|
|
|
Query::BadNSEC);
|
|
|
}
|
|
|
|
|
|
@@ -1553,7 +1561,7 @@ TEST_F(QueryTest, wildcardNxrrsetWithDuplicateNSEC) {
|
|
|
// proves the NXRRSET and their RRSIGs. In this case we only need one NSEC,
|
|
|
// which proves both NXDOMAIN and the non existence RRSETs of wildcard.
|
|
|
query.process(list, Name("www.wild.example.com"), RRType::TXT(),
|
|
|
- response);
|
|
|
+ response, true);
|
|
|
|
|
|
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 4, 0, NULL,
|
|
|
(string(soa_txt) + string("example.com. 3600 IN RRSIG ") +
|
|
|
@@ -1570,7 +1578,7 @@ TEST_F(QueryTest, wildcardNxrrsetWithNSEC) {
|
|
|
// one proves NXDOMAIN and the other proves non existence RRSETs of
|
|
|
// wildcard.
|
|
|
query.process(list, Name("www1.uwild.example.com"),
|
|
|
- RRType::TXT(), response);
|
|
|
+ RRType::TXT(), response, true);
|
|
|
|
|
|
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 6, 0, NULL,
|
|
|
(string(soa_txt) + string("example.com. 3600 IN RRSIG ") +
|
|
|
@@ -1593,7 +1601,7 @@ TEST_F(QueryTest, wildcardNxrrsetWithNSEC3) {
|
|
|
mock_finder->setNSEC3Flag(true);
|
|
|
|
|
|
query.process(list, Name("www1.uwild.example.com"),
|
|
|
- RRType::TXT(), response);
|
|
|
+ RRType::TXT(), response, true);
|
|
|
|
|
|
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 8, 0, NULL,
|
|
|
// SOA + its RRSIG
|
|
|
@@ -1627,7 +1635,7 @@ TEST_F(QueryTest, wildcardNxrrsetWithNSEC3Collision) {
|
|
|
mock_finder->setNSEC3Result(&nsec3);
|
|
|
|
|
|
EXPECT_THROW(query.process(list, Name("www1.uwild.example.com"),
|
|
|
- RRType::TXT(), response),
|
|
|
+ RRType::TXT(), response, true),
|
|
|
Query::BadNSEC3);
|
|
|
}
|
|
|
|
|
|
@@ -1644,7 +1652,7 @@ TEST_F(QueryTest, wildcardNxrrsetWithNSEC3Broken) {
|
|
|
mock_finder->addRecord(nsec3_uwild_txt);
|
|
|
|
|
|
EXPECT_THROW(query.process(list, Name("www1.uwild.example.com"),
|
|
|
- RRType::TXT(), response),
|
|
|
+ RRType::TXT(), response, true),
|
|
|
Query::BadNSEC3);
|
|
|
}
|
|
|
|
|
|
@@ -1652,7 +1660,8 @@ TEST_F(QueryTest, wildcardEmptyWithNSEC) {
|
|
|
// Empty WILDCARD with DNSSEC proof. We should have SOA, NSEC that proves
|
|
|
// the NXDOMAIN and their RRSIGs. In this case we need two NSEC RRs,
|
|
|
// one proves NXDOMAIN and the other proves non existence wildcard.
|
|
|
- query.process(list, Name("a.t.example.com"), RRType::A(), response);
|
|
|
+ query.process(list, Name("a.t.example.com"), RRType::A(),
|
|
|
+ response, true);
|
|
|
|
|
|
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 6, 0, NULL,
|
|
|
(string(soa_txt) + string("example.com. 3600 IN RRSIG ") +
|
|
|
@@ -2103,7 +2112,7 @@ TEST_F(QueryTest, dsAboveDelegation) {
|
|
|
// zone, not the child one we added above.
|
|
|
EXPECT_NO_THROW(query.process(list,
|
|
|
Name("delegation.example.com"),
|
|
|
- RRType::DS(), response));
|
|
|
+ RRType::DS(), response, true));
|
|
|
|
|
|
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 2, 4, 6,
|
|
|
(string(delegation_ds_txt) + "\n" +
|
|
|
@@ -2127,7 +2136,7 @@ TEST_F(QueryTest, dsAboveDelegationNoData) {
|
|
|
// zone, not the child one we added above.
|
|
|
EXPECT_NO_THROW(query.process(list,
|
|
|
Name("unsigned-delegation.example.com"),
|
|
|
- RRType::DS(), response));
|
|
|
+ RRType::DS(), response, true));
|
|
|
|
|
|
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 4, 0, NULL,
|
|
|
(string(soa_txt) +
|
|
|
@@ -2144,7 +2153,7 @@ TEST_F(QueryTest, dsAboveDelegationNoData) {
|
|
|
// section 3.1.4.1. The example is inspired by the B.8. example from the RFC.
|
|
|
TEST_F(QueryTest, dsBelowDelegation) {
|
|
|
EXPECT_NO_THROW(query.process(list, Name("example.com"),
|
|
|
- RRType::DS(), response));
|
|
|
+ RRType::DS(), response, true));
|
|
|
|
|
|
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 4, 0, NULL,
|
|
|
(string(soa_txt) + string("example.com. 3600 IN RRSIG ") +
|
|
|
@@ -2161,7 +2170,7 @@ TEST_F(QueryTest, dsBelowDelegation) {
|
|
|
TEST_F(QueryTest, dsBelowDelegationWithDS) {
|
|
|
mock_finder->addRecord(zone_ds_txt); // add the DS to the child's apex
|
|
|
EXPECT_NO_THROW(query.process(list, Name("example.com"),
|
|
|
- RRType::DS(), response));
|
|
|
+ RRType::DS(), response, true));
|
|
|
|
|
|
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 2, 0, NULL,
|
|
|
(string(soa_txt) + string("example.com. 3600 IN RRSIG ") +
|
|
|
@@ -2173,7 +2182,8 @@ TEST_F(QueryTest, dsBelowDelegationWithDS) {
|
|
|
// server. It should just like the "noZone" test case, but DS query involves
|
|
|
// special processing, so we test it explicitly.
|
|
|
TEST_F(QueryTest, dsNoZone) {
|
|
|
- query.process(list, Name("example"), RRType::DS(), response);
|
|
|
+ query.process(list, Name("example"), RRType::DS(), response,
|
|
|
+ true);
|
|
|
responseCheck(response, Rcode::REFUSED(), 0, 0, 0, 0, NULL, NULL, NULL);
|
|
|
}
|
|
|
|
|
|
@@ -2181,7 +2191,7 @@ TEST_F(QueryTest, dsNoZone) {
|
|
|
// delegation (unless this server also has authority of the grandchild zone).
|
|
|
TEST_F(QueryTest, dsAtGrandParent) {
|
|
|
query.process(list, Name("grand.delegation.example.com"),
|
|
|
- RRType::DS(), response);
|
|
|
+ RRType::DS(), response, true);
|
|
|
responseCheck(response, Rcode::NOERROR(), 0, 0, 6, 6, NULL,
|
|
|
(string(delegation_txt) + string(delegation_ds_txt) +
|
|
|
"delegation.example.com. 3600 IN RRSIG " +
|
|
|
@@ -2199,7 +2209,7 @@ TEST_F(QueryTest, dsAtGrandParentAndChild) {
|
|
|
const Name childname("grand.delegation.example.com");
|
|
|
memory_client.addZone(ZoneFinderPtr(
|
|
|
new AlternateZoneFinder(childname)));
|
|
|
- query.process(list, childname, RRType::DS(), response);
|
|
|
+ query.process(list, childname, RRType::DS(), response, true);
|
|
|
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 4, 0, NULL,
|
|
|
(childname.toText() + " 3600 IN SOA . . 0 0 0 0 0\n" +
|
|
|
childname.toText() + " 3600 IN RRSIG " +
|
|
|
@@ -2217,7 +2227,8 @@ TEST_F(QueryTest, dsAtRoot) {
|
|
|
// Pretend to be a root server.
|
|
|
memory_client.addZone(ZoneFinderPtr(
|
|
|
new AlternateZoneFinder(Name::ROOT_NAME())));
|
|
|
- query.process(list, Name::ROOT_NAME(), RRType::DS(), response);
|
|
|
+ query.process(list, Name::ROOT_NAME(), RRType::DS(), response,
|
|
|
+ true);
|
|
|
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 4, 0, NULL,
|
|
|
(string(". 3600 IN SOA . . 0 0 0 0 0\n") +
|
|
|
". 3600 IN RRSIG " + getCommonRRSIGText("SOA") + "\n" +
|
|
|
@@ -2233,7 +2244,8 @@ TEST_F(QueryTest, dsAtRootWithDS) {
|
|
|
memory_client.addZone(ZoneFinderPtr(
|
|
|
new AlternateZoneFinder(Name::ROOT_NAME(),
|
|
|
true)));
|
|
|
- query.process(list, Name::ROOT_NAME(), RRType::DS(), response);
|
|
|
+ query.process(list, Name::ROOT_NAME(), RRType::DS(), response,
|
|
|
+ true);
|
|
|
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 2, 2, 0,
|
|
|
(string(". 3600 IN DS 57855 5 1 49FD46E6C4B45C55D4AC69CBD"
|
|
|
"3CD34AC1AFE51DE\n") +
|
|
|
@@ -2249,7 +2261,8 @@ TEST_F(QueryTest, nxrrsetWithNSEC3) {
|
|
|
|
|
|
// NXRRSET with DNSSEC proof. We should have SOA, NSEC3 that proves the
|
|
|
// NXRRSET and their RRSIGs.
|
|
|
- query.process(list, Name("www.example.com"), RRType::TXT(), response);
|
|
|
+ query.process(list, Name("www.example.com"), RRType::TXT(),
|
|
|
+ response, true);
|
|
|
|
|
|
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 4, 0, NULL,
|
|
|
(string(soa_txt) + string("example.com. 3600 IN RRSIG ") +
|
|
|
@@ -2272,7 +2285,7 @@ TEST_F(QueryTest, nxrrsetMissingNSEC3) {
|
|
|
mock_finder->setNSEC3Result(&nsec3);
|
|
|
|
|
|
EXPECT_THROW(query.process(list, Name("www.example.com"),
|
|
|
- RRType::TXT(), response),
|
|
|
+ RRType::TXT(), response, true),
|
|
|
Query::BadNSEC3);
|
|
|
}
|
|
|
|
|
|
@@ -2283,7 +2296,7 @@ TEST_F(QueryTest, nxrrsetWithNSEC3_ds_exact) {
|
|
|
// This delegation has no DS, but does have a matching NSEC3 record
|
|
|
// (See RFC5155 section 7.2.4)
|
|
|
query.process(list, Name("unsigned-delegation.example.com."),
|
|
|
- RRType::DS(), response);
|
|
|
+ RRType::DS(), response, true);
|
|
|
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 4, 0, NULL,
|
|
|
(string(soa_txt) + string("example.com. 3600 IN RRSIG ") +
|
|
|
getCommonRRSIGText("SOA") + "\n" +
|
|
|
@@ -2305,7 +2318,7 @@ TEST_F(QueryTest, nxrrsetWithNSEC3_ds_no_exact) {
|
|
|
// actually checked)
|
|
|
// (See RFC5155 section 7.2.4)
|
|
|
query.process(list, Name("unsigned-delegation-optout.example.com."),
|
|
|
- RRType::DS(), response);
|
|
|
+ RRType::DS(), response, true);
|
|
|
responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 6, 0, NULL,
|
|
|
(string(soa_txt) + string("example.com. 3600 IN RRSIG ") +
|
|
|
getCommonRRSIGText("SOA") + "\n" +
|
|
|
@@ -2331,7 +2344,8 @@ TEST_F(QueryTest, nxdomainWithNSEC3Proof) {
|
|
|
// This will be the covering NSEC3 for the possible wildcard
|
|
|
mock_finder->addRecord(unsigned_delegation_nsec3_txt);
|
|
|
|
|
|
- query.process(list, Name("nxdomain.example.com"), qtype, response);
|
|
|
+ query.process(list, Name("nxdomain.example.com"), qtype,
|
|
|
+ response, true);
|
|
|
responseCheck(response, Rcode::NXDOMAIN(), AA_FLAG, 0, 8, 0, NULL,
|
|
|
// SOA + its RRSIG
|
|
|
(string(soa_txt) +
|
|
|
@@ -2366,7 +2380,7 @@ TEST_F(QueryTest, nxdomainWithBadNextNSEC3Proof) {
|
|
|
mock_finder->setNSEC3Result(&nsec3);
|
|
|
|
|
|
EXPECT_THROW(query.process(list, Name("nxdomain.example.com"),
|
|
|
- RRType::TXT(), response),
|
|
|
+ RRType::TXT(), response, true),
|
|
|
Query::BadNSEC3);
|
|
|
}
|
|
|
|
|
|
@@ -2385,7 +2399,7 @@ TEST_F(QueryTest, nxdomainWithBadWildcardNSEC3Proof) {
|
|
|
mock_finder->setNSEC3Result(&nsec3, &wname);
|
|
|
|
|
|
EXPECT_THROW(query.process(list, Name("nxdomain.example.com"), qtype,
|
|
|
- response),
|
|
|
+ response, true),
|
|
|
Query::BadNSEC3);
|
|
|
}
|
|
|
|
Mukund Sivaraman