/*
* dnssecjava - a DNSSEC validating stub resolver for Java
* Copyright (c) 2013-2015 Ingo Bauersachs
*
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
*/
package org.jitsi.dnssec;
import static org.junit.Assert.*;
import java.io.IOException;
import java.net.InetAddress;
import java.util.Date;
import org.junit.Ignore;
import org.junit.Test;
import org.xbill.DNS.ARecord;
import org.xbill.DNS.DClass;
import org.xbill.DNS.DNSSEC.Algorithm;
import org.xbill.DNS.Flags;
import org.xbill.DNS.Message;
import org.xbill.DNS.Name;
import org.xbill.DNS.RRSIGRecord;
import org.xbill.DNS.Rcode;
import org.xbill.DNS.Record;
import org.xbill.DNS.Section;
import org.xbill.DNS.Type;
public class TestInvalid extends TestBase {
@Test
@AlwaysOffline
public void testUnknownAlg() throws IOException {
Message response = resolver.send(createMessage("unknownalgorithm.dnssec.tjeb.nl./A"));
assertFalse("AD flag must not be set", response.getHeader().getFlag(Flags.AD));
assertEquals(Rcode.SERVFAIL, response.getRcode());
assertEquals("validate.bogus.badkey:unknownalgorithm.dnssec.tjeb.nl.:failed.ds", getReason(response));
}
@Test
@Ignore
@AlwaysOffline
public void testSigNotIncepted() throws IOException {
Message response = resolver.send(createMessage("signotincepted.dnssec.tjeb.nl./A"));
assertFalse("AD flag must not be set", response.getHeader().getFlag(Flags.AD));
assertEquals(Rcode.SERVFAIL, response.getRcode());
assertEquals("validate.bogus.badkey:signotincepted.dnssec.tjeb.nl.:failed.ds", getReason(response));
}
@Test
@AlwaysOffline
public void testSigExpired() throws IOException {
Message response = resolver.send(createMessage("sigexpired.dnssec.tjeb.nl./A"));
assertFalse("AD flag must not be set", response.getHeader().getFlag(Flags.AD));
assertEquals(Rcode.SERVFAIL, response.getRcode());
assertEquals("validate.bogus.badkey:sigexpired.dnssec.tjeb.nl.:failed.ds", getReason(response));
}
@Test
@AlwaysOffline
public void testBogusSig() throws IOException {
Message response = resolver.send(createMessage("bogussig.dnssec.tjeb.nl./A"));
assertFalse("AD flag must not be set", response.getHeader().getFlag(Flags.AD));
assertEquals(Rcode.SERVFAIL, response.getRcode());
assertEquals("validate.bogus.badkey:bogussig.dnssec.tjeb.nl.:failed.ds", getReason(response));
}
@Test
@AlwaysOffline
public void testSignedBelowUnsignedBelowSigned() throws IOException {
Message response = resolver.send(createMessage("ok.nods.ok.dnssec.tjeb.nl./A"));
assertFalse("AD flag must not be set", response.getHeader().getFlag(Flags.AD));
assertEquals(Rcode.NOERROR, response.getRcode());
assertFalse(isEmptyAnswer(response));
assertEquals("insecure.ds.nsec", getReason(response));
}
@Test
@AlwaysOffline
public void testUnknownAlgNsec3() throws IOException {
Message response = resolver.send(createMessage("unknownalgorithm.Nsec3.tjeb.nl./A"));
assertFalse("AD flag must not be set", response.getHeader().getFlag(Flags.AD));
assertEquals(Rcode.SERVFAIL, response.getRcode());
assertEquals("validate.bogus.badkey:unknownalgorithm.nsec3.tjeb.nl.:failed.ds", getReason(response));
}
@Test
@AlwaysOffline
public void testSigNotInceptedNsec3() throws IOException {
Message response = resolver.send(createMessage("signotincepted.Nsec3.tjeb.nl./A"));
assertFalse("AD flag must not be set", response.getHeader().getFlag(Flags.AD));
assertEquals(Rcode.SERVFAIL, response.getRcode());
}
@Test
@AlwaysOffline
public void testSigExpiredNsec3() throws IOException {
Message response = resolver.send(createMessage("sigexpired.Nsec3.tjeb.nl./A"));
assertFalse("AD flag must not be set", response.getHeader().getFlag(Flags.AD));
assertEquals(Rcode.SERVFAIL, response.getRcode());
assertEquals("validate.bogus.badkey:sigexpired.nsec3.tjeb.nl.:failed.ds", getReason(response));
}
@Test
@AlwaysOffline
public void testBogusSigNsec3() throws IOException {
Message response = resolver.send(createMessage("bogussig.Nsec3.tjeb.nl./A"));
assertFalse("AD flag must not be set", response.getHeader().getFlag(Flags.AD));
assertEquals(Rcode.SERVFAIL, response.getRcode());
assertEquals("validate.bogus.badkey:bogussig.nsec3.tjeb.nl.:failed.ds", getReason(response));
}
@Test
@AlwaysOffline
public void testSignedBelowUnsignedBelowSignedNsec3() throws IOException {
Message response = resolver.send(createMessage("ok.nods.ok.Nsec3.tjeb.nl./A"));
assertFalse("AD flag must not be set", response.getHeader().getFlag(Flags.AD));
assertEquals(Rcode.NOERROR, response.getRcode());
assertFalse(isEmptyAnswer(response));
assertEquals("insecure.ds.nsec3", getReason(response));
}
@Test
public void testUnsignedThatMustBeSigned() throws IOException {
Name query = Name.fromString("www.ingotronic.ch.");
// prepare a faked, unsigned response message that must have a signature
// to be valid
Message message = new Message();
message.addRecord(Record.newRecord(query, Type.A, DClass.IN), Section.QUESTION);
message.addRecord(new ARecord(query, Type.A, DClass.IN, InetAddress.getByName(localhost)), Section.ANSWER);
add("www.ingotronic.ch./A", message);
Message response = resolver.send(createMessage("www.ingotronic.ch./A"));
assertFalse("AD flag must not be set", response.getHeader().getFlag(Flags.AD));
assertEquals(Rcode.SERVFAIL, response.getRcode());
assertEquals("validate.bogus.missingsig", getReason(response));
}
@Test
public void testModifiedSignature() throws IOException {
Name query = Name.fromString("www.ingotronic.ch.");
// prepare a faked, unsigned response message that must have a signature
// to be valid
Message message = new Message();
message.addRecord(Record.newRecord(query, Type.A, DClass.IN), Section.QUESTION);
message.addRecord(new ARecord(query, Type.A, DClass.IN, InetAddress.getByName(localhost)), Section.ANSWER);
message.addRecord(new RRSIGRecord(query, DClass.IN, 0, Type.A, Algorithm.RSASHA256, 5, new Date(System.currentTimeMillis() + 5000), new Date(System.currentTimeMillis() - 5000), 1234, Name.fromString("ingotronic.ch."), new byte[] { 1, 2, 3 }), Section.ANSWER);
add("www.ingotronic.ch./A", message);
Message response = resolver.send(createMessage("www.ingotronic.ch./A"));
assertFalse("AD flag must not be set", response.getHeader().getFlag(Flags.AD));
assertEquals(Rcode.SERVFAIL, response.getRcode());
assertTrue(getReason(response).startsWith("failed.answer.positive:{ www.ingotronic.ch."));
}
@Test
public void testReturnServfailIfIntermediateQueryFails() throws IOException {
Message message = new Message();
message.getHeader().setRcode(Rcode.NOTAUTH);
message.addRecord(Record.newRecord(Name.fromString("ch."), Type.DS, DClass.IN), Section.QUESTION);
add("ch./DS", message);
Message response = resolver.send(createMessage("www.ingotronic.ch./A"));
assertFalse("AD flag must not be set", response.getHeader().getFlag(Flags.AD));
// rfc4035#section-5.5
assertEquals(Rcode.SERVFAIL, response.getRcode());
assertEquals("validate.bogus.badkey:ch.:failed.ds.nonsec:ch.", getReason(response));
}
@Test
public void testReturnOriginalRcodeIfPrimaryQueryFails() throws IOException {
Message message = new Message();
message.getHeader().setRcode(Rcode.REFUSED);
message.addRecord(Record.newRecord(Name.fromString("www.ingotronic.ch."), Type.A, DClass.IN), Section.QUESTION);
add("www.ingotronic.ch./A", message);
Message response = resolver.send(createMessage("www.ingotronic.ch./A"));
assertFalse("AD flag must not be set", response.getHeader().getFlag(Flags.AD));
// rfc4035#section-5.5
assertEquals(Rcode.REFUSED, response.getRcode());
assertEquals("failed.nodata", getReason(response));
}
}