nsec_test.go
package dnsutils_test
import (
"bytes"
_ "embed"
"github.com/miekg/dns"
"github.com/mimuret/dnsutils"
"github.com/mimuret/dnsutils/testtool"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
)
// testNsec3SignedZone is the reference zone file for the NSEC3 signing test
// below: the expected result of AddDNSKEY + CreateDoE + SignZone on the test
// zone with nsec3SignOption. It is the only fixture embedded by this file; the
// NSEC reference zone and the key material come from other test files of the
// package.
//go:embed testdata/sign/example.jp.nsec3.bind
var testNsec3SignedZone []byte
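// collectRRs walks every name node of z and returns all records of the given
// type, in iteration order. IterateNameNode's return value is discarded here,
// exactly as the original test did; the callback itself never fails.
func collectRRs(z *dnsutils.Zone, rrtype uint16) []dns.RR {
	var rrs []dns.RR
	z.GetRootNode().IterateNameNode(func(nni dnsutils.NameNodeInterface) error {
		if set := nni.GetRRSet(rrtype); set != nil {
			rrs = append(rrs, set.GetRRs()...)
		}
		return nil
	})
	return rrs
}

// The suite exercises CreateDoE and SignZone for both denial-of-existence
// methods (NSEC and NSEC3) and compares the outcome against pre-signed
// reference zones. Inception/Expiration are pinned so the generated RRSIGs
// are deterministic, which is what makes the final tree comparison valid.
//
// Fixtures referenced but not declared here (False, testSignZone,
// testNsecSignedZone and the testDnskeyED25519* key material) live in other
// test files of this package; only testNsec3SignedZone is embedded above.
var _ = Describe("Test nsec.go", func() {
	var (
		err error
		z   *dnsutils.Zone

		// Fixed RRSIG validity window: 2024-01-01T00:00:00Z .. 2030-01-01T00:00:00Z.
		inception  = uint32(1704067200)
		expiration = uint32(1893456000)

		nsecSignOption = dnsutils.SignOption{
			DoEMethod:     dnsutils.DenialOfExistenceMethodNSEC,
			Inception:     &inception,
			Expiration:    &expiration,
			ZONEMDEnabled: &False,
			CDSEnabled:    &False,
		}
		nsec3SignOption = dnsutils.SignOption{
			DoEMethod:     dnsutils.DenialOfExistenceMethodNSEC3,
			Inception:     &inception,
			Expiration:    &expiration,
			ZONEMDEnabled: &False,
			CDSEnabled:    &False,
		}

		zsk             *dnsutils.DNSKEY
		ksk             *dnsutils.DNSKEY
		dnskeys         []*dnsutils.DNSKEY
		nsecSignedZone  *dnsutils.Zone
		nsec3SignedZone *dnsutils.Zone
	)

	// Load the ED25519 key pair and both reference zones before every spec so
	// that no test can observe state mutated by a previous one.
	BeforeEach(func() {
		ksk, err = dnsutils.ReadDNSKEY(bytes.NewBuffer(testDnskeyED25519KSKPriv), bytes.NewBuffer(testDnskeyED25519KSKPub))
		Expect(err).To(Succeed())
		zsk, err = dnsutils.ReadDNSKEY(bytes.NewBuffer(testDnskeyED25519ZSKPriv), bytes.NewBuffer(testDnskeyED25519ZSKPub))
		Expect(err).To(Succeed())
		dnskeys = []*dnsutils.DNSKEY{ksk, zsk}

		nsecSignedZone = &dnsutils.Zone{}
		err = nsecSignedZone.Read(bytes.NewBuffer(testNsecSignedZone))
		Expect(err).To(Succeed())

		nsec3SignedZone = &dnsutils.Zone{}
		err = nsec3SignedZone.Read(bytes.NewBuffer(testNsec3SignedZone))
		Expect(err).To(Succeed())
	})

	It("can read ED25519 zsk/ksk", func() {
		Expect(ksk.GetRR().KeyTag()).To(Equal(uint16(2290)))
		// The original left this Expect without a matcher, so it asserted
		// nothing; a missing public key on the signer must fail the spec.
		Expect(ksk.GetSigner().Public()).NotTo(BeNil())
		Expect(zsk.GetRR().KeyTag()).To(Equal(uint16(30075)))
	})

	Context("CreateDoE", func() {
		When("NSEC", func() {
			BeforeEach(func() {
				z = &dnsutils.Zone{}
				err = z.Read(bytes.NewBuffer(testSignZone))
				Expect(err).To(Succeed())
				// The result is checked in the It below, not here.
				err = dnsutils.CreateDoE(z, nsecSignOption, nil)
			})

			It("return success", func() {
				Expect(err).To(Succeed())
				nsecRRs := collectRRs(z, dns.TypeNSEC)
				// Guard the indexing below: a short chain must fail as an
				// assertion, not as an index-out-of-range panic.
				Expect(nsecRRs).To(HaveLen(7))
				// The chain must be in canonical order and wrap back to the apex.
				Expect(nsecRRs[0]).To(Equal(testtool.MustNewRR("example.jp. 300 IN NSEC \\000.example.jp. NS SOA RRSIG NSEC")))
				Expect(nsecRRs[1]).To(Equal(testtool.MustNewRR("\\000.example.jp. 300 IN NSEC *.example.jp. TXT RRSIG NSEC")))
				Expect(nsecRRs[2]).To(Equal(testtool.MustNewRR("*.example.jp. 300 IN NSEC test.hoge.example.jp. A RRSIG NSEC")))
				Expect(nsecRRs[3]).To(Equal(testtool.MustNewRR("test.hoge.example.jp. 300 IN NSEC www.hoge.example.jp. A RRSIG NSEC")))
				Expect(nsecRRs[4]).To(Equal(testtool.MustNewRR("www.hoge.example.jp. 300 IN NSEC sub1.example.jp. CNAME RRSIG NSEC")))
				Expect(nsecRRs[5]).To(Equal(testtool.MustNewRR("sub1.example.jp. 300 IN NSEC sub2.example.jp. NS DS RRSIG NSEC")))
				Expect(nsecRRs[6]).To(Equal(testtool.MustNewRR("sub2.example.jp. 300 IN NSEC example.jp. NS RRSIG NSEC")))
			})

			Context("Test for Sign with NSEC", func() {
				BeforeEach(func() {
					z = &dnsutils.Zone{}
					err = z.Read(bytes.NewBuffer(testSignZone))
					Expect(err).To(Succeed())
					err = dnsutils.AddDNSKEY(z, nsecSignOption, dnskeys, nil)
					Expect(err).To(Succeed())
					err = dnsutils.CreateDoE(z, nsecSignOption, nil)
					Expect(err).To(Succeed())
					// Checked in the It below.
					err = dnsutils.SignZone(z, nsecSignOption, dnskeys, nil)
				})

				It("return success", func() {
					Expect(err).To(Succeed())
					Expect(dnsutils.IsEqualsAllTree(z.GetRootNode(), nsecSignedZone.GetRootNode(), false)).To(BeTrue())
				})
			})
		})

		When("NSEC3", func() {
			BeforeEach(func() {
				z = &dnsutils.Zone{}
				err = z.Read(bytes.NewBuffer(testSignZone))
				Expect(err).To(Succeed())
				// The result is checked in the It below, not here.
				err = dnsutils.CreateDoE(z, nsec3SignOption, nil)
			})

			It("return success", func() {
				Expect(err).To(Succeed())
				nsec3RRs := collectRRs(z, dns.TypeNSEC3)

				var nsec3params []dns.RR
				if set := z.GetRootNode().GetRRSet(dns.TypeNSEC3PARAM); set != nil {
					nsec3params = set.GetRRs()
				}
				// Exactly one NSEC3PARAM at the apex: SHA-1, no flags, zero
				// extra iterations, empty salt.
				Expect(nsec3params).To(HaveLen(1))
				Expect(nsec3params[0]).To(Equal(testtool.MustNewRR("example.jp. 0 IN NSEC3PARAM 1 0 0 -")))
				Expect(nsec3RRs).To(HaveLen(8))
			})

			Context("Test for Sign with NSEC3", func() {
				BeforeEach(func() {
					z = &dnsutils.Zone{}
					err = z.Read(bytes.NewBuffer(testSignZone))
					Expect(err).To(Succeed())
					err = dnsutils.AddDNSKEY(z, nsec3SignOption, dnskeys, nil)
					Expect(err).To(Succeed())
					err = dnsutils.CreateDoE(z, nsec3SignOption, nil)
					Expect(err).To(Succeed())
					// Checked in the It below.
					err = dnsutils.SignZone(z, nsec3SignOption, dnskeys, nil)
				})

				It("return success", func() {
					Expect(err).To(Succeed())
					Expect(dnsutils.IsEqualsAllTree(z.GetRootNode(), nsec3SignedZone.GetRootNode(), false)).To(BeTrue())
				})
			})
		})
	})
})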