From 78863195253d532d11cba1aeee11967c4d7b0f10 Mon Sep 17 00:00:00 2001 From: Jorge Aparicio Date: Mon, 29 Apr 2024 18:48:37 +0200 Subject: [PATCH] resolver: test that DS query is sent to parent zone --- .../src/resolver/dnssec/rfc4035.rs | 1 + .../src/resolver/dnssec/rfc4035/section_3.rs | 1 + .../dnssec/rfc4035/section_3/section_3_1.rs | 1 + .../section_3/section_3_1/section_3_1_4.rs | 78 +++++++++++++++++++ 4 files changed, 81 insertions(+) create mode 100644 packages/conformance-tests/src/resolver/dnssec/rfc4035/section_3.rs create mode 100644 packages/conformance-tests/src/resolver/dnssec/rfc4035/section_3/section_3_1.rs create mode 100644 packages/conformance-tests/src/resolver/dnssec/rfc4035/section_3/section_3_1/section_3_1_4.rs diff --git a/packages/conformance-tests/src/resolver/dnssec/rfc4035.rs b/packages/conformance-tests/src/resolver/dnssec/rfc4035.rs index 289eace..5ee7479 100644 --- a/packages/conformance-tests/src/resolver/dnssec/rfc4035.rs +++ b/packages/conformance-tests/src/resolver/dnssec/rfc4035.rs @@ -1 +1,2 @@ +mod section_3; mod section_4; diff --git a/packages/conformance-tests/src/resolver/dnssec/rfc4035/section_3.rs b/packages/conformance-tests/src/resolver/dnssec/rfc4035/section_3.rs new file mode 100644 index 0000000..137bed6 --- /dev/null +++ b/packages/conformance-tests/src/resolver/dnssec/rfc4035/section_3.rs @@ -0,0 +1 @@ +mod section_3_1; diff --git a/packages/conformance-tests/src/resolver/dnssec/rfc4035/section_3/section_3_1.rs b/packages/conformance-tests/src/resolver/dnssec/rfc4035/section_3/section_3_1.rs new file mode 100644 index 0000000..b2554b5 --- /dev/null +++ b/packages/conformance-tests/src/resolver/dnssec/rfc4035/section_3/section_3_1.rs @@ -0,0 +1 @@ +mod section_3_1_4; diff --git a/packages/conformance-tests/src/resolver/dnssec/rfc4035/section_3/section_3_1/section_3_1_4.rs b/packages/conformance-tests/src/resolver/dnssec/rfc4035/section_3/section_3_1/section_3_1_4.rs new file mode 100644 index 0000000..8e0dfb2 --- /dev/null +++ b/packages/conformance-tests/src/resolver/dnssec/rfc4035/section_3/section_3_1/section_3_1_4.rs @@ -0,0 +1,78 @@ +use dns_test::{ + client::{Client, DigSettings}, + name_server::{Graph, NameServer, Sign}, + record::RecordType, + tshark::{Capture, Direction}, + Network, Resolver, Result, FQDN, +}; + +#[test] +#[ignore] +fn on_clients_ds_query_it_queries_the_parent_zone() -> Result<()> { + let peer = dns_test::peer(); + let network = Network::new()?; + + let leaf_ns = NameServer::new(&peer, FQDN::NAMESERVERS, &network)?; + + let Graph { + nameservers, + root, + trust_anchor, + } = Graph::build(leaf_ns, Sign::Yes)?; + + let mut com_ns_addr = None; + for nameserver in &nameservers { + if nameserver.zone() == &FQDN::COM { + com_ns_addr = Some(nameserver.ipv4_addr()); + } + } + let com_ns_addr = com_ns_addr.expect("com. NS not found"); + + let trust_anchor = &trust_anchor.unwrap(); + let resolver = Resolver::new(&network, root) + .trust_anchor(trust_anchor) + .start(&dns_test::subject())?; + + let mut tshark = resolver.eavesdrop()?; + + let resolver_addr = resolver.ipv4_addr(); + + let client = Client::new(&network)?; + let settings = *DigSettings::default().recurse(); + let output = client.dig(settings, resolver_addr, RecordType::DS, &FQDN::NAMESERVERS)?; + + tshark.wait_for_capture()?; + + let captures = tshark.terminate()?; + + // check that we were able to retrieve the DS record + assert!(output.status.is_noerror()); + let [record] = output.answer.try_into().unwrap(); + let ds = record.try_into_ds().unwrap(); + assert_eq!(ds.zone, FQDN::NAMESERVERS); + + // check that DS query was forwarded to the `com.` (parent zone) nameserver + let client_addr = client.ipv4_addr(); + let mut outgoing_ds_query_count = 0; + for Capture { message, direction } in captures { + if let Direction::Outgoing { destination } = direction { + if destination != client_addr { + let queries = message.as_value()["Queries"] + .as_object() + .expect("expected Object"); + for query in queries.keys() { + if query.contains("type DS") { + assert!(query.contains("nameservers.com")); + assert_eq!(com_ns_addr, destination); + + outgoing_ds_query_count += 1; + } + } + } + } + } + + assert_eq!(1, outgoing_ds_query_count); + + Ok(()) +}