
Commit ed5bb7a

committed
Add NSEC3-signed zone
1 parent 58f395d commit ed5bb7a


9 files changed

+98
-22
lines changed

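--- a/src/resolve.cc
+++ b/src/resolve.cc
@@ -592,10 +592,10 @@ std::optional<std::vector<RR>> Resolver::resolve_rec(const std::string &domain,
 case RCode::ServerError: throw std::runtime_error("Nameserver error"); break;
 case RCode::NameError:
 if (zone->enable_dnssec) {
-if (dnssec::authenticate_name_error(sname, nsec3_rrset, nsec_rrset, zone->domain)) {
-return std::vector<RR>{};
+if (!dnssec::authenticate_name_error(sname, nsec3_rrset, nsec_rrset, zone->domain)) {
+throw std::runtime_error("Failed to authenticate the denial of existence");
 }
-throw std::runtime_error("Failed to authenticate the denial of existence");
+return std::vector<RR>{};
 }
 
 if (!response.is_authoritative) {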
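Review bot: The throw inside the new `if (!dnssec::authenticate_name_error(...))` guard reports a failed denial-of-existence proof without naming the query or the zone, so an operator reading the error cannot tell a single bogus NXDOMAIN from a systematic problem with a zone's NSEC/NSEC3 chain. Carry the context in the message, e.g. `throw std::runtime_error("Failed to authenticate the denial of existence for " + sname + " in " + zone->domain);` — this assumes `sname` and `zone->domain` are std::string like the `domain` parameter in the hunk header; adjust if they are not. The reordering into a guard clause is otherwise equivalent to the old branch. resolve_rec begins before the hunk and continues past it, so the non-DNSSEC fall-through after this block is not visible here.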
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
; This is a key-signing key, keyid 32475, for nsec3-signed.com.
2+
; Created: 20250810215514 (Sun Aug 10 17:55:14 2025)
3+
; Publish: 20250810215514 (Sun Aug 10 17:55:14 2025)
4+
; Activate: 20250810215514 (Sun Aug 10 17:55:14 2025)
5+
nsec3-signed.com. IN DNSKEY 257 3 13 SsYbv1E5m1ULcFbrGrOHSt7EnTGBEQ2C8T4mloWfuBz7Jm81JL7ly4h1 BaoUDvJV9x7Ksmied+XzA2oGcntH/w==
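Review bot: The private half of this KSK is committed in the next file section alongside this public DNSKEY, which is workable for a fixture that the local named signs with, but nothing in either file marks it as disposable, so a secret scanner or a later reader cannot distinguish it from an operational key. Since this .key file already carries `;` comment lines, add one such as `; TEST FIXTURE ONLY: throwaway KSK for the local BIND test zone under tests/bind; never deploy` so the intent is recorded next to the key material. The DS pinned in tests/common/config.hh (key tag 32475, matching the keyid in the first comment line) has to be regenerated together with this key if it is ever replaced.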
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
Private-key-format: v1.3
2+
Algorithm: 13 (ECDSAP256SHA256)
3+
PrivateKey: 1drFZIwi8ezb2pAjDWAQPe5OWhXpXJ/OK2kcOlxBeAQ=
4+
Created: 20250810215514
5+
Publish: 20250810215514
6+
Activate: 20250810215514

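--- a/tests/bind/named.conf
+++ b/tests/bind/named.conf
@@ -34,3 +34,19 @@ dnssec-policy "nsec-policy" {
 zsk lifetime 60d algorithm ECDSAP256SHA256;
 };
 };
+
+zone "nsec3-signed.com" {
+type primary;
+file "nsec3-signed.com.db";
+notify no;
+dnssec-policy "nsec3-policy";
+inline-signing yes;
+};
+
+dnssec-policy "nsec3-policy" {
+keys {
+ksk lifetime unlimited algorithm ECDSAP256SHA256;
+zsk lifetime 60d algorithm ECDSAP256SHA256;
+};
+nsec3param optout no salt-length 8;
+};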
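Review bot: The `nsec3param optout no salt-length 8;` line in the new "nsec3-policy" sets the salt explicitly but leaves the iteration count to BIND's default, so the fixture does not document which NSEC3 parameters the resolver is expected to cope with; RFC 9276 guidance is zero iterations and an empty salt, so a non-empty salt here is useful coverage of the resolver's hashing path, and the iteration count deserves the same explicitness. Spell it out and say why: `# non-empty salt on purpose: exercises the resolver's NSEC3 salt handling` followed by `nsec3param iterations 0 optout no salt-length 8;`. If the resolver enforces an upper bound on iterations, a second policy with a high count would let a test confirm it is treated as insecure rather than validated, but that is not visible from this commit.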

tests/cases/bind/does_not_exist.cc

Lines changed: 0 additions & 18 deletions
This file was deleted.

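--- a/tests/cases/bind/name_error.cc
+++ b/tests/cases/bind/name_error.cc
@@ -0,0 +1,20 @@
+#include "common.hh"
+#include "config.hh"
+#include "resolve.hh"
+
+namespace {
+void check_response(const std::optional<std::vector<RR>> &response) {
+ASSERT(response.has_value());
+ASSERT(response->empty());
+}
+} // namespace
+
+int main() {
+Resolver unsigned_resolver{UNSIGNED_RESOLVER_CONFIG};
+Resolver signed_resolver{SIGNED_RESOLVER_CONFIG};
+Resolver nsec3_signed_resolver{NSEC3_SIGNED_RESOLVER_CONFIG};
+check_response(unsigned_resolver.resolve("name-error." UNSIGNED_DOMAIN, RRType::A));
+check_response(signed_resolver.resolve("name-error." SIGNED_DOMAIN, RRType::A));
+check_response(nsec3_signed_resolver.resolve("name-error." NSEC3_SIGNED_DOMAIN, RRType::A));
+return EXIT_SUCCESS;
+}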
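Review bot: Only the accepting path is covered: each of the three resolvers gets a name whose denial of existence validates, but the branch that the src/resolve.cc hunk in this commit rearranges — an NXDOMAIN whose NSEC/NSEC3 proof does not validate must throw — has no test, so a regression that made authenticate_name_error accept anything would still pass here. A case expecting a throw (for instance `ASSERT_THROWS`-style, or a try/catch around `resolve` that fails the test if no exception arrives) is what actually protects the DNSSEC guarantee; MOCK_RESOLVER_CONFIG in tests/common/config.hh looks like the hook for serving a NameError without a valid proof, though whether the mock nameserver can do that is not visible in this commit. check_response is also duplicated verbatim in tests/cases/bind/no_data.cc; moving it into common.hh would keep the two in step.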

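--- a/tests/cases/bind/no_data.cc
+++ b/tests/cases/bind/no_data.cc
@@ -0,0 +1,22 @@
+#include "common.hh"
+#include "config.hh"
+#include "resolve.hh"
+
+// no-data A 1.2.3.4
+
+namespace {
+void check_response(const std::optional<std::vector<RR>> &response) {
+ASSERT(response.has_value());
+ASSERT(response->empty());
+}
+} // namespace
+
+int main() {
+Resolver unsigned_resolver{UNSIGNED_RESOLVER_CONFIG};
+Resolver signed_resolver{SIGNED_RESOLVER_CONFIG};
+Resolver nsec3_signed_resolver{NSEC3_SIGNED_RESOLVER_CONFIG};
+check_response(unsigned_resolver.resolve("no-data." UNSIGNED_DOMAIN, RRType::HINFO));
+check_response(signed_resolver.resolve("no-data." SIGNED_DOMAIN, RRType::HINFO));
+check_response(nsec3_signed_resolver.resolve("no-data." NSEC3_SIGNED_DOMAIN, RRType::HINFO));
+return EXIT_SUCCESS;
+}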
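Review bot: The header comment `// no-data A 1.2.3.4` does not say what it is: it reads like a zone-file line copied in, presumably the record that makes an HINFO query for "no-data" a NODATA answer, but a reader has to guess. State the test's premise instead, e.g. `// The test zones define "no-data" with only an A record (1.2.3.4), so an HINFO query must come back as an authenticated NODATA (NOERROR, empty answer) on every resolver.` The assertions cannot tell NODATA from NXDOMAIN, since both surface as an empty vector through check_response; if the resolver distinguishes them anywhere, a comment noting that this test deliberately does not is worth adding.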

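--- a/tests/common/config.hh
+++ b/tests/common/config.hh
@@ -32,6 +32,28 @@ static const ResolverConfig SIGNED_RESOLVER_CONFIG{
 .dnssec = FeatureState::Require,
 };
 
+#define NSEC3_SIGNED_DOMAIN "nsec3-signed.com."
+static const ResolverConfig NSEC3_SIGNED_RESOLVER_CONFIG {
+.timeout_ms = 500,
+.nameserver = NameserverConfig{
+.address = "127.0.0.1",
+.zone_domain = NSEC3_SIGNED_DOMAIN,
+.dss = {DS{
+.key_tag = 32475,
+.signing_algorithm = SigningAlgorithm::ECDSAP256SHA256,
+.digest_algorithm = DigestAlgorithm::SHA256,
+.digest = {0xA5, 0x29, 0xE5, 0x47, 0x63, 0xB5, 0x68, 0x6C, 0x25, 0x95, 0x16,
+0xB6, 0x0D, 0xEA, 0x46, 0xCB, 0x42, 0xC0, 0x14, 0x15, 0xDA, 0x5C,
+0xC6, 0xCB, 0xD1, 0x8B, 0x9C, 0x54, 0x1A, 0x99, 0x8C, 0x5D},
+.data = {},
+}},
+},
+.use_root_nameservers = false,
+.use_resolve_config = false,
+.port = 1053,
+.dnssec = FeatureState::Require,
+};
+
 #define MOCK_DOMAIN "test.com."
 #define MOCK_NAMESERVER_ADDRESS "127.0.0.2"
 static const ResolverConfig MOCK_RESOLVER_CONFIG{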
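Review bot: The DS in NSEC3_SIGNED_RESOLVER_CONFIG is a bare 32-byte digest with nothing recording where it came from, so if the test KSK is regenerated every nsec3-signed test fails with an authentication error rather than an obvious anchor mismatch. Put the provenance next to it: `// Trust anchor for the checked-in nsec3-signed.com KSK (key tag 32475, ECDSAP256SHA256, SHA-256 digest); regenerate with dnssec-dsfromkey whenever that key changes.` above the `.dss` initializer. Also `NSEC3_SIGNED_RESOLVER_CONFIG {` has a space before the brace that `SIGNED_RESOLVER_CONFIG{` on the context line and `MOCK_RESOLVER_CONFIG{` do not.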

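--- a/tests/test.sh
+++ b/tests/test.sh
@@ -9,7 +9,7 @@ named_pid_path=$named_dir/named.pid
 keys_path=./tests/bind/keys
 named_config_path=./tests/bind/named.conf
 base_zone_path=./tests/bind/base.db
-zone_names=(unsigned.com signed.com)
+zone_names=(unsigned.com signed.com nsec3-signed.com)
 
 bind_cases_src_dir=./tests/cases/bind
 cases_out_dir=./build/tests/cases
@@ -51,6 +51,9 @@ fi
 # Terminate named before exiting
 trap "kill -- \$(cat $named_pid_path)" SIGINT SIGTERM EXIT
 
+# Wait for the named to sign the zones
+sleep 1
+
 # Run tests
 passed=0
 failed=0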
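Review bot: The new `sleep 1` in the second hunk turns signing latency into a race: inline-signing in named is asynchronous, and on a loaded CI host the signed and nsec3-signed zones may still lack RRSIGs when the cases run, which then fail with DNSSEC authentication errors that have nothing to do with the resolver. Poll for the signatures instead, with a bounded retry so a broken named cannot hang the script; the port below is taken from `.port = 1053` in tests/common/config.hh and assumes dig is installed alongside named, both of which are inferred rather than visible in this hunk.
```shell
# Wait for named to finish signing the zones (inline-signing is asynchronous);
# poll each signed zone's apex for an RRSIG instead of trusting a fixed delay.
for zone in signed.com nsec3-signed.com; do
  for _ in $(seq 1 50); do
    dig @127.0.0.1 -p 1053 +noall +answer +dnssec "$zone" DNSKEY | grep -q RRSIG && break
    sleep 0.2
  done
done
# … unchanged: test loop …
```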
