Пример #1
0
"""

Basic checks for CNAME following.

- Query for CNAME, NSEC, RRSIG is not followed.
- Query for ANY meta type is not followed.
- Query for any other type is followed.

"""

from dnstest.test import Test

t = Test()

knot = t.server("knot")
zone = t.zone("follow", storage=".")
t.link(zone, knot)

t.start()

# follow CNAME (type exists)

resp = knot.dig("test.follow", "AAAA")
resp.check(rcode="NOERROR", flags="AA")
resp.check_rr("answer", "test.follow", "CNAME")
resp.check_rr("answer", "follow", "AAAA")
resp.check_empty("authority")

# follow CNAME (type doesn't exist)

resp = knot.dig("test.follow", "TXT")
Пример #2
0
def test_expire(zone, server):
    resp = server.dig(zone[0].name, "SOA")
    resp.check(rcode="SERVFAIL")

def break_xfrout(server):
    with open(server.confile, "r+") as f:
        config = f.read()
        f.seek(0)
        f.truncate()
        config = config.replace(" acl:", " #acl:")
        f.write(config)

t = Test(tsig=False)

# this zone has refresh = 1s, retry = 1s and expire = 8s
zone = t.zone("example.", storage=".")
EXPIRE_SLEEP = 15

master = t.server("knot")
slave = t.server("knot")
slave.tcp_idle_timeout = "1s"

t.link(zone, master, slave)

t.start()

master.zone_wait(zone)
slave.zone_wait(zone)

# expire by shutting down the master
master.stop()
Пример #3
0
#!/usr/bin/env python3
'''Test for response to IXFR request with newer serial'''

from dnstest.utils import *
from dnstest.test import Test

t = Test()

knot = t.server("knot")
zone = t.zone("example.com.")

t.link(zone, knot, ixfr=True)

t.start()

serial_init = knot.zone_wait(zone)

resp = knot.dig("example.com", "IXFR", serial=serial_init + 1)
resp.check_xfr()

compare(resp.msg_count(), 1, "Only one message")
compare(resp.count("SOA"), 1, "Only one RR in Answer section")
compare(resp.count("ANY"), 1, "Only one RR in the whole message.")

t.end()
Пример #4
0
#!/usr/bin/env python3

'''TTL mismatch test'''

from dnstest.utils import *
from dnstest.test import Test

t = Test()

zone = t.zone("example.com.")

master = t.server("knot")
t.link(zone, master, ddns=True)

t.start()

# Add new RR with different TTL to a RRSet that is already in the zone
# The UPDATE should be REFUSED

check_log("Add RR with different TTL")
up = master.update(zone)
up.add("mail.example.com.", 1000, "A", "1.2.3.4")
up.send("REFUSED")
resp = master.dig("mail.example.com.", "A")
resp.check_record(section="answer", rtype="A", ttl="3600", rdata="192.0.2.3")
resp.check_record(section="answer", rtype="A", nordata="1.2.3.4")

# Try to add two RRs belonging to one RRSet, but with different TTLs
# The UPDATE should be REFUSED
# This also tests rollback in case of addition
Пример #5
0
#!/usr/bin/env python3
'''Test insecure<->secure delegation transitions with NSEC3PARAM changes.'''

import random
from dnstest.test import Test

t = Test()

master = t.server("knot")
zones = t.zone("example.")

t.link(zones, master)

master.dnssec(zones[0]).enable = True
master.dnssec(zones[0]).nsec3 = True
master.dnssec(zones[0]).nsec3_opt_out = True
master.dnssec(zones[0]).nsec3_iters = 1

t.start()

master.zones_wait(zones)

master.dnssec(zones[0]).nsec3_iters = 2
master.gen_confile()
master.reload()
t.sleep(8)

up = master.update(zones)
up.add("b.example.", 3600, "DS",
       "57855 5 1 B6DCD485719ADCA18E5F3D48A2331627FDD3636B")
up.send()
Пример #6
0
#!/usr/bin/env python3
'''Test that removal of nonexisting or addition of existing record over IXFR
is not accepted by a slave'''

from dnstest.test import Test
from dnstest.utils import *

t = Test()

master = t.server("knot")
slave = t.server("knot")

zone = t.zone("existing.", storage=".")

t.link(zone, master, slave, ixfr=True)

slave.update_zonefile(zone, version="slave0")

t.start()

serial = master.zone_wait(zone)
slave.zone_wait(zone)

# Check that removal of nonexisting record is not accepted

master.update_zonefile(zone, version=1)
master.reload()

serial = slave.zone_wait(zone, serial)
if not slave.log_search("no such record in zone found"
                        ) or not slave.log_search("fallback to AXFR"):
Пример #7
0
#!/usr/bin/env python3
'''Test for loading of dumped zone'''

from dnstest.test import Test

t = Test()

master = t.server("bind")
slave = t.server("knot")
reference = t.server("bind")

zones = t.zone_rnd(4) + t.zone(".") + t.zone("records.")

t.link(zones, master, slave)
t.link(zones, reference)

t.start()

# Wait for servers.
master.zones_wait(zones)
slave.zones_wait(zones)
reference.zones_wait(zones)

# Dump zones on slave.
slave.flush(wait=True)

# Compare master with reference server
t.xfr_diff(reference, master, zones)

# Compare slave with reference server
t.xfr_diff(reference, slave, zones)
Пример #8
0
#!/usr/bin/env python3

'''Test for EDNS0 UDP payload size'''

from dnstest.test import Test

t = Test()

knot = t.server("knot")
bind = t.server("bind")
zones = t.zone("flags.") + t.zone("example.", "example.zone.nsec", storage=".")

t.link(zones, knot)
t.link(zones, bind)

t.start()

# TC - TXT record doesn't fit into UDP message.
resp = knot.dig("513resp.flags", "TXT", udp=True)
resp.check(flags="TC")
resp.cmp(bind, authority=False) # Knot puts SOA compared to Bind!

# no TC - UDP message is extended using EDNS0/payload.
resp = knot.dig("513resp.flags", "TXT", udp=True, bufsize=600)
resp.check(noflags="TC")
resp.cmp(bind)

# no TC - UDP message is extended using EDNS0/payload just for answer.
resp = knot.dig("513resp.flags", "TXT", udp=True, bufsize=524)
resp.check(noflags="TC")
Пример #9
0
#!/usr/bin/env python3

'''Test for dropping of out of zone records during incoming XFR'''

from dnstest.test import Test

t = Test()

master = t.server("bind")
slave = t.server("knot")
zone = t.zone("out-of-zone.")

t.link(zone, master, slave)

t.start()

master.zones_wait(zone)
slave.zones_wait(zone)

t.xfr_diff(master, slave, zone)

t.end()
Пример #10
0
#!/usr/bin/env python3

'''Test for loading of dumped zone'''

from dnstest.test import Test

t = Test()

master = t.server("bind")
slave = t.server("knot")
reference = t.server("bind")

zones = t.zone_rnd(10) + t.zone(".") + t.zone("wild.") + t.zone("cname-loop.")

t.link(zones, master, slave)
t.link(zones, reference)

t.start()

# Wait for AXFR and dump zones.
master.zones_wait(zones)
slave.zones_wait(zones)
slave.flush()

# Stop master.
master.stop()

# Reload dumped zone files.
slave.stop()
slave.start()
Пример #11
0
#!/usr/bin/env python3

'''Test for signing a zone with wierd records.'''

from dnstest.utils import *
from dnstest.test import Test

t = Test()

master = t.server("knot")
zone = t.zone("records.")
t.link(zone, master)

# Enable autosigning.
master.dnssec_enable = True
master.gen_key(zone, ksk=True, alg="RSASHA1")
master.gen_key(zone, alg="RSASHA1")
master.gen_confile()

t.start()

master.zone_wait(zone)

t.sleep(1)
master.flush()
t.sleep(1)

# Verify signed zone file.
master.zone_verify(zone)

t.stop()
Пример #12
0
#!/usr/bin/env python3

"""Test for record removal over IXFR to slave zone which doesn't contain this record"""

from dnstest.test import Test

t = Test()

master = t.server("bind")
slave = t.server("knot")

zone = t.zone("existing.", storage=".")

t.link(zone, master, slave, ixfr=True)

# Remove the record from slave zone file (no SOA serial change).
slave.update_zonefile(zone, version=2)

t.start()

# Wait for zones.
serial = master.zone_wait(zone)
slave.zone_wait(zone)

# Update master file without the record (new SOA serial).
master.update_zonefile(zone, version=1)
master.reload()

# Wait for zones and compare them.
master.zone_wait(zone, serial)
slave.zone_wait(zone, serial)
Пример #13
0
#!/usr/bin/env python3

'''Test for support of obsolete records over XFR'''

from dnstest.test import Test

t = Test()

master = t.server("bind")
slave = t.server("knot")
zone = t.zone("obsolete.", storage=".")

t.link(zone, master, slave)

t.start()

master.zones_wait(zone)
slave.zones_wait(zone)

t.xfr_diff(master, slave, zone)

t.end()
Пример #14
0
#!/usr/bin/env python3

'''Test for loading non-existing zone file'''

from dnstest.test import Test

t = Test()

master = t.server("knot")

zones = t.zone("notexist.", exists=False) + t.zone("example.com.")

t.link(zones, master)

t.start()

# Check if the server is answering and zone _isn't_ loaded
resp = master.dig("notexist.", "SOA", udp=True)
resp.check(rcode="SERVFAIL") # Unloadable zone, but in the zone database

# Check if the server is answering and zone is unknown
resp = master.dig("xfiles.", "SOA", udp=True)
resp.check(rcode="REFUSED")

# The other zone should answer without problem
resp = master.dig("example.com.", "SOA", udp=True)
resp.check(rcode="NOERROR")

# Stop master.
master.stop()
Пример #15
0
import random

def check_keys(server, zone_name, expect_keys):
    cmd = Popen([dnstest.params.keymgr_bin, "-d", server.dir + "/keys", zone_name, "list"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
    (stdout, stderr) = cmd.communicate()
    lines = len(stdout.splitlines())
    if lines != expect_keys:
        set_err("CHECK # of KEYS (%d != %d)" % (lines, expect_keys))

t = Test()

master = t.server("knot")
slave = t.server("knot")

# Zone setup
zone = t.zone("example.com.") + t.zone("catalog1.", storage=".")

t.link(zone, master, slave, ixfr=True)

master.zones["catalog1."].catalog = True
slave.zones["catalog1."].catalog = True

if random.choice([True, False]):
    slave.dnssec(zone[1]).enable = True
else:
    slave.add_module(zone[1], ModOnlineSign(algorithm="ECDSAP256SHA256", single_type_signing=False))

for zf in glob.glob(t.data_dir + "/*.zone"):
    shutil.copy(zf, master.dir + "/master")

t.start()
Пример #16
0
#!/usr/bin/env python3

'''Test for loading of zone containing mismatched TTLs'''

from dnstest.test import Test

t = Test()

master = t.server("knot")

zone = t.zone("ttl-mismatch", storage=".")

t.link(zone, master)

t.start()

# Just check if the zone was loaded. It should be refused on master.
resp = master.dig(zone, "SOA")
resp.check(rcode="REFUSED", flags="QR", noflags="AA TC AD RA")

t.end()
Пример #17
0
Файл: test.py Проект: idtek/knot
#!/usr/bin/env python3

'''NSEC test based on RFC-4035 example.'''

from dnstest.test import Test

t = Test()

knot = t.server("knot")
knot.DIG_TIMEOUT = 2
bind = t.server("bind")
zone = t.zone("example.", "example.zone.nsec", storage=".")

t.link(zone, knot)
t.link(zone, bind)

t.start()

# B1. Answer.
resp = knot.dig("x.w.example", "MX", dnssec=True)
resp.check(rcode="NOERROR", flags="QR AA", eflags="DO")
resp.cmp(bind)

# B2. Name Error.
resp = knot.dig("ml.example", "A", dnssec=True)
resp.check(rcode="NXDOMAIN", flags="QR AA", eflags="DO")
resp.cmp(bind)

# B3. No Data Error.
resp = knot.dig("ns1.example", "MX", dnssec=True)
resp.check(rcode="NOERROR", flags="QR AA", eflags="DO")
Пример #18
0
#!/usr/bin/env python3

'''Test for loading of NSEC records with upper-case letters in rdata.'''

from dnstest.test import Test

t = Test()

knot = t.server("knot")
bind = t.server("bind")
zone = t.zone("rdatacase.", "rdatacase.zone.signed", storage=".")

t.link(zone, knot)
t.link(zone, bind)

t.start()

knot.zones_wait(zone)
bind.zones_wait(zone)
t.xfr_diff(knot, bind, zone)

t.end()
Пример #19
0
#!/usr/bin/env python3
'''NSEC test based on RFC-4035 example.'''

from dnstest.test import Test

t = Test()

knot = t.server("knot")
knot.DIG_TIMEOUT = 2
bind = t.server("bind")
zone = t.zone("example.", "example.zone.nsec", storage=".")

t.link(zone, knot)
t.link(zone, bind)

t.start()

# B1. Answer.
resp = knot.dig("x.w.example", "MX", dnssec=True)
resp.check(rcode="NOERROR", flags="QR AA", eflags="DO")
resp.cmp(bind)

# B2. Name Error.
resp = knot.dig("ml.example", "A", dnssec=True)
resp.check(rcode="NXDOMAIN", flags="QR AA", eflags="DO")
resp.cmp(bind)

# B3. No Data Error.
resp = knot.dig("ns1.example", "MX", dnssec=True)
resp.check(rcode="NOERROR", flags="QR AA", eflags="DO")
resp.cmp(bind)
Пример #20
0
Basic checks of Additional section content.

- Query into a delegation scope adds glue into additionals.
- Query for NS/MX/SRV adds target A+AAAA into additionals.
- Query for other types (like PTR) does NOT cause lookup of additionals.
- Query for NS/MX/SRV pointing to CNAME does NOT cause lookup of additionals.

"""

from dnstest.test import Test

t = Test()

knot = t.server("knot")
zone = t.zone("test", storage=".")
t.link(zone, knot)

t.start()

# NS authoritative

resp = knot.dig("test", "NS")
resp.check(rcode="NOERROR", flags="AA")
resp.check_rr("answer", "test", "NS")
resp.check_rr("additional", "a.ns.test", "A")
resp.check_rr("additional", "a.ns.test", "AAAA")
resp.check_rr("additional", "b.ns.test", "AAAA")

# NS delegation
Пример #21
0
''' Check 'dnstap' query module functionality. '''

import os
import re
from dnstest.test import Test
from dnstest.module import ModDnstap
from dnstest.utils import *

t = Test()

ModDnstap.check()

# Initialize server configuration
knot = t.server("knot")
zone = t.zone("flags.")
t.link(zone, knot)

# Configure 'dnstap' module for all queries (default).
dflt_sink = t.out_dir + "/all.tap"
knot.add_module(None, ModDnstap(dflt_sink))
# Configure 'dnstap' module for flags zone only.
flags_sink = t.out_dir + "/flags.tap"
knot.add_module(zone, ModDnstap(flags_sink))

t.start()

dflt_qname = "dnstap_default_test"
resp = knot.dig(dflt_qname + ".example", "NS")
flags_qname = "dnstap_flags_test"
resp = knot.dig(flags_qname + ".flags", "NS")
Пример #22
0
#!/usr/bin/env python3

''' Test for loading records with RDATA and owners differing only in case '''

from dnstest.utils import *
from dnstest.test import Test

t = Test()

knot = t.server("knot")
zone = t.zone("duplicates.", storage=".")
t.link(zone, knot)

t.start()

knot.zones_wait(zone)

# Request AXFR from Knot
resp = knot.dig("duplicates.", "AXFR")

# If Knot has not properly handled the case, there will be some redundant record
count = 0
for msg in resp.resp:
	count += len(msg.answer)

compare(count, 6, "AXFR record count")
	
t.end()
Пример #23
0
#!/usr/bin/env python3
'''Test for maximum UDP payload size with respect to IP family'''

from dnstest.test import Test

t = Test()

server4 = t.server("knot", address=4)
server6 = t.server("knot", address=6)
zone = t.zone("flags.")

# Set common payload limit for 512-byte message with 11-byte EDNS section.
server4.max_udp_payload = 523
server6.max_udp_payload = 523

t.link(zone, server4)
t.link(zone, server6)

t.start()

# Check common limit if 512 fits and 513 does not.
resp = server4.dig("512resp.flags", "TXT", udp=True, bufsize=4096)
resp.check(noflags="TC")

resp = server4.dig("513resp.flags", "TXT", udp=True, bufsize=4096)
resp.check(flags="TC")

resp = server6.dig("512resp.flags", "TXT", udp=True, bufsize=4096)
resp.check(noflags="TC")

resp = server6.dig("513resp.flags", "TXT", udp=True, bufsize=4096)
Пример #24
0
#!/usr/bin/env python3

'''Test for empty rdata loading.'''

from dnstest.test import Test

t = Test()

master = t.server("knot")
slave = t.server("knot")
zone = t.zone("empty.", storage=".")

t.link(zone, master, slave)

t.start()

master.zones_wait(zone)
slave.zones_wait(zone)

slave.flush()
t.sleep(1)

t.end()
Пример #25
0
'''Test for flush event'''

from dnstest.utils import *
from dnstest.test import Test
import os

FLUSH_SLEEP = 5.5

t = Test()

master = t.server("bind")
slave = t.server("knot")
slave.zonefile_sync = "5s"

zone = t.zone("example.")
zone_path = slave.dir + "/slave/" + zone[0].file_name

t.link(zone, master, slave)
t.start()
slave.stop()
try:
	os.remove(zone_path)
except:
	pass
slave.start()
slave.zone_wait(zone)

#check that the zone file has not been flushed
if os.path.exists(zone_path):
    check_log("Zonefile created too soon: " + str(os.stat(zone_path).st_ctime))
Пример #26
0
#!/usr/bin/env python3

''' Test for loading badly formed record '''

from dnstest.test import Test

t = Test()

master = t.server("knot")

zone = t.zone("badrecord.", "badrecord.zone", storage=".")

t.link(zone, master)

t.start()

# Check if the server is answering and zone _isn't_ loaded
resp = master.dig("badrecord.", "SOA", udp=True)

# @note Either REFUSED or SERVFAIL is fine, Knot treats unloadable
# zone as expired while the older version ignored such zone.
resp.check(rcode="SERVFAIL")

# Stop master.
master.stop()

t.end()
Пример #27
0
import random
import dns.exception
import dns.rcode
import dns.tsig
from dnstest.utils import *
from dnstest.test import Test

t = Test(tsig=False)

master = t.server("knot")

ZONE = "example.com."
HUGE = "huge.%s" % ZONE

zone = t.zone(ZONE, storage=".")

rndfix = random.randint(1, 65000)
for i in range(1, 3000):
    zone[0].append_rndAAAA(HUGE, rndfix, i)

t.link(zone, master)

t.start()

master.zone_wait(zone)

resp = master.dig(HUGE, "AAAA", udp=True)
resp.check(rcode="NOERROR", flags="TC")
resp.check_count(0, section="answer")
Пример #28
0
#!/usr/bin/env python3

'''Test for loading of zone containing mismatched TTLs in RRSet'''

from dnstest.test import Test

t = Test()

master = t.server("knot")
zone = t.zone("ttl-mismatch", storage=".")

t.link(zone, master)

t.start()

master.zones_wait(zone)

resp = master.dig("ttl.ttl-mismatch.", "A")
resp.check(rcode="NOERROR", flags="QR AA", noflags="TC AD RA", ttl=7200)

t.end()
Пример #29
0
#!/usr/bin/env python3

'''Test for reload of a changed zone (serial up, nochange, serial down). '''

from dnstest.test import Test
from dnstest.utils import set_err, detail_log

t = Test()

master = t.server("knot")

# Zone setup
zone = t.zone("serial.", storage = ".")

t.link(zone, master, ixfr = True)

t.start()

# Load zones
serial = master.zone_wait(zone)

def reload_zone(serial, version):
    master.update_zonefile(zone, version)
    master.reload()
    new_serial = master.zone_wait(zone)
    if new_serial != serial:
        set_err("SOA MISMATCH")
        detail_log("!Zone '%s' SOA serial %s != %s" % (zone[0].name, new_serial, serial))
        return
    resp = master.dig("new-record%d.%s" % (version, zone[0].name), "A")
    resp.check(rcode="NOERROR")
Пример #30
0
#!/usr/bin/env python3

'''Check that only-SOA-serial-incremented zone file change is correctly detected and signed.'''

from dnstest.test import Test

t = Test()

knot = t.server("knot")
zone = t.zone("example.com")[0]

t.link([zone], knot, ixfr=True)

knot.dnssec(zone).enable = True

t.start()

serial = knot.zone_wait(zone)
knot.flush(zone, wait=True)
knot.zone_verify(zone)

knot.zones[zone.name].zfile.update_soa(serial=int(serial)+1)
knot.reload()

knot.zone_wait(zone, serial)
knot.flush(zone, wait=True)
knot.zone_verify(zone)

t.end()
Пример #31
0
#!/usr/bin/env python3
'''Test for AXFR-style IXFR'''

from dnstest.test import Test
import os

t = Test(tsig=False)

master = t.server("knot")
slave = t.server("knot")
zone = t.zone("xfr", storage=".")

t.link(zone, master, slave, journal_content="none")

t.start()

serial = master.zone_wait(zone)

# update zone with small change
master.update_zonefile(zone, version=1)
master.reload()
master.zone_wait(zone, serial)

# check that master properly sends AXFR-style IXFR
t.check_axfr_style_ixfr(master, "xfr", serial)

serial = slave.zone_wait(zone, serial)

t.xfr_diff(master, slave, zone)

# update zone with large change (3 messages worth)
Пример #32
0
from dnstest.test import Test
from dnstest.module import ModSynthRecord

t = Test()

ModSynthRecord.check()

# Zone indexes
FWD = 0
REV4 = 1
REV6 = 2
REV = 3

# Initialize server configuration
knot = t.server("knot")
zone = t.zone("forward.", storage=".") + \
       t.zone("1.168.192.in-addr.arpa.", storage=".") + \
       t.zone("1.6.b.0.0.0.0.0.0.2.6.2.ip6.arpa.", storage=".") + \
       t.zone("ip6.arpa.", storage=".")
t.link(zone, knot)

# Enable DNSSEC
for z in zone:
    knot.dnssec(z).enable = True

# Configure 'synth_record' modules for auto forward/reverse zones
knot.add_module(zone[FWD], ModSynthRecord("forward", None, None,
                                          "192.168.0.1"))
knot.add_module(
    zone[FWD],
    ModSynthRecord("forward", "dynamic-", "900",
Пример #33
0
#!/usr/bin/env python3
"""
Test of zone-in-journal dynamic configuration.
"""

from dnstest.utils import *
from dnstest.test import Test

t = Test()

knot = t.server("knot")
zone = t.zone("example.")
t.link(zone, knot)

t.start()
knot.zone_wait(zone)

knot.ctl("conf-begin")
knot.ctl("conf-set zone[%s].journal-content all" % zone[0].name)
knot.ctl("conf-commit")
t.sleep(2)

knot.stop()

knot.zones[zone[0].name].journal_content = "all"
knot.zonefile_load = "none"
knot.gen_confile()

knot.zones[zone[0].name].zfile.remove()  # just to make sure

knot.start()
Пример #34
0
#!/usr/bin/env python3

'''Test for IXFR from Knot to Knot'''

from dnstest.test import Test

t = Test()

master = t.server("knot")
slave = t.server("knot")
zones = t.zone_rnd(5, records=50) + t.zone("records.")

t.link(zones, master, slave, ixfr=True)

t.start()

# Wait for AXFR to slave server.
serials_init = master.zones_wait(zones)
slave.zones_wait(zones)

serials_prev = serials_init
for i in range(4):
    # Update zone files on master.
    for zone in zones:
        master.update_zonefile(zone, random=True)
    master.reload()

    # Wait for IXFR to slave.
    serials = master.zones_wait(zones, serials_prev)
    slave.zones_wait(zones, serials_prev)
    serials_prev = serials
Пример #35
0
              (first_bitmap, nsec3_bitmap, msg))
    if first_bitmap != nsec3_bitmap:
        set_err("NSEC3 bitmap for '%s'" % msg)

    first_flags = first_nsec3.split()[5]
    if first_flags != str(opt_out_flag):
        set_err("NSEC3 opt-out flag %s != %s for '%s'" %
                (first_flags, str(opt_out_flag), msg))

    detail_log(SEP)
    master.zone_backup(zone, flush=True)
    master.zone_verify(zone)


master = t.server("knot")
zone = t.zone(zone_name)

t.link(zone, master)

master.dnssec(zone).enable = True
master.dnssec(zone).nsec3 = True
master.dnssec(zone).nsec3_iters = 2
master.dnssec(zone).nsec3_salt_len = 8
master.dnssec(zone).nsec3_opt_out = False

t.start()

master.zones_wait(zone)
master.zone_backup(zone, flush=True)
master.zone_verify(zone)
Пример #36
0
#!/usr/bin/env python3
'''Test for knotc zone-notify'''

from dnstest.test import Test

t = Test()

master = t.server("knot")
slave = t.server("knot")

zone = t.zone("notify.", storage=".")

t.link(zone, master, slave)

t.start()

master.zone_wait(zone)
slave.zone_wait(zone)

slave.stop()

master.update_zonefile(
    zone, version=1)  # notify doesn't succeed while slave is offline
master.reload()

master.zone_wait(zone)

slave.start(
)  # slave starts with older version of zone and doesn't attempt refersh since it's in timers

slave.zone_wait(zone)
Пример #37
0

def writef(filename, contents):
    with open(filename, "w") as f:
        f.write(contents)


t = Test()

knot = t.server("knot")
ZONE = "example.com."
FUTURE = 55
TICK = 5
STARTUP = 10

zone = t.zone(ZONE)
t.link(zone, knot)

knot.zonefile_sync = 24 * 60 * 60

knot.dnssec(zone).enable = True
knot.dnssec(zone).manual = True
knot.dnssec(zone).alg = "ECDSAP384SHA384"
knot.dnssec(zone).dnskey_ttl = 2
knot.dnssec(zone).zone_max_ttl = 3
knot.dnssec(zone).zsk_lifetime = STARTUP + 6 * TICK  # see ksk1 lifetime
knot.dnssec(zone).ksk_lifetime = 300  # this can be possibly left also infinity
knot.dnssec(zone).propagation_delay = TICK - 2
knot.dnssec(zone).offline_ksk = "on"
knot.dnssec(zone).cds_publish = "rollover"
knot.dnssec(zone).rrsig_lifetime = 15
Пример #38
0
#!/usr/bin/env python3
'''Test for IXFR from Knot to Knot'''

from dnstest.test import Test

t = Test()

master = t.server("knot")
slave = t.server("knot")
zones = t.zone_rnd(5, records=50) + t.zone("records.")

t.link(zones, master, slave, ixfr=True)

if master.valgrind:
    master.tcp_io_timeout = 2000
    slave.tcp_remote_io_timeout = 8000

t.start()

# Wait for AXFR to slave server.
serials_init = master.zones_wait(zones)
slave.zones_wait(zones)

serials_prev = serials_init
for i in range(4):
    # Update zone files on master.
    for zone in zones:
        master.update_zonefile(zone, random=True)
    master.reload()

    # Wait for IXFR to slave.
Пример #39
0
    verify(master, zone, dnssec=True)

    # Delete and add NSEC3PARAM
    check_log("Delete and add NSEC3PARAM")
    up = master.update(zone)
    up.delete("ddns.", "NSEC3PARAM", "1 0 10 CAFEBABE")
    up.add("ddns.", "0", "NSEC3PARAM", "1 0 10 BADDCAFE")
    up.send("NOERROR")
    resp = master.dig("ddns", "NSEC3PARAM")
    resp.check(rcode="NOERROR", nordata="1 0 10 CAFEBABE")
    resp.check(rcode="NOERROR", rdata="1 0 10 BADDCAFE")
    verify(master, zone, dnssec=True)

    # Normal deletion tested in DNSSEC tests

zone = t.zone("ddns.", storage=".")

master_plain = t.server("knot")
t.link(zone, master_plain, ddns=True)

master_nsec = t.server("knot")
t.link(zone, master_nsec, ddns=True)
master_nsec.dnssec_enable = True
master_nsec.gen_key(zone, ksk=True, alg="RSASHA256")
master_nsec.gen_key(zone, alg="RSASHA256")

master_nsec3 = t.server("knot")
t.link(zone, master_nsec3, ddns=True)
master_nsec3.dnssec_enable = True
master_nsec3.enable_nsec3(zone)
master_nsec3.gen_key(zone, ksk=True, alg="RSASHA256")
Пример #40
0
#!/usr/bin/env python3
''' Check 'dnsproxy' query module functionality. '''

from dnstest.test import Test
from dnstest.module import ModDnsproxy
import dnstest.keys

t = Test(tsig=False)

ModDnsproxy.check()

# Initialize server configuration
zone_common1 = t.zone("test", storage=".", file_name="test.local_zone")
zone_common2 = t.zone("test", storage=".", file_name="test.remote_zone")
zone_local = t.zone_rnd(1)
zone_remote = t.zone_rnd(1)

key1 = dnstest.keys.Tsig(name="key1", alg="hmac-sha1", key="Zm9v")
local = t.server("knot", tsig=key1)
t.link(zone_common1, local)
t.link(zone_local, local)

key2 = dnstest.keys.Tsig(name="key2", alg="hmac-sha1", key="YmFy")
remote = t.server("knot", tsig=key2)
t.link(zone_common2, remote)
t.link(zone_remote, remote)


def fallback_checks(server, zone_local, zone_remote):
    # Local preferred OK, try with local TSIG.
    resp = server.dig("dns1.test", "A", tsig=key1)
Пример #41
0
#!/usr/bin/env python3
'''Test for signing a zone with weird records.'''

from dnstest.utils import *
from dnstest.test import Test

t = Test()

master = t.server("knot")
zone = t.zone("records.")
t.link(zone, master)
master.dnssec(zone).enable = True

t.start()

master.zone_wait(zone)

resp = master.dig("nxdomain.records", "A", udp=False, dnssec=True)
resp.check_auth_soa_ttl(dnssec=True)

resp = master.dig("mail.records.", "RRSIG", dnssec=True)
resp.check_count(1, rtype="RRSIG")

t.sleep(1)
master.flush()
t.sleep(1)

# Verify signed zone file.
master.zone_verify(zone)

t.stop()
Пример #42
0
#!/usr/bin/env python3

"""Test for AXFR from Bind to Knot"""

from dnstest.test import Test

t = Test()

master = t.server("bind")
slave = t.server("knot")
zones = t.zone_rnd(10) + t.zone(".") + t.zone("records.")

t.link(zones, master, slave)

t.start()

master.zones_wait(zones)
slave.zones_wait(zones)
t.xfr_diff(master, slave, zones)

t.end()
Пример #43
0
#!/usr/bin/env python3

'''Test for AXFR from Knot to Bind'''

from dnstest.test import Test

t = Test()

master = t.server("knot")
slave = t.server("bind")
zones = t.zone_rnd(10) + t.zone(".") + t.zone("wild.") + \
        t.zone("cname-loop.") + t.zone("records.")

t.link(zones, master, slave)

t.start()

master.zones_wait(zones)
slave.zones_wait(zones)
t.xfr_diff(master, slave, zones)

t.end()
Пример #44
0
#!/usr/bin/env python3
'''Test for empty rdata loading.'''

from dnstest.test import Test

t = Test()

master = t.server("knot")
slave = t.server("knot")
zone = t.zone("empty.", storage=".")

t.link(zone, master, slave)

t.start()

master.zones_wait(zone)
slave.zones_wait(zone)

slave.flush(wait=True)

t.end()
Пример #45
0
#!/usr/bin/env python3
'''Test for dropping of out of zone records during incoming XFR'''

from dnstest.test import Test

t = Test()

master = t.server("bind")
slave = t.server("knot")
zone = t.zone("out-of-zone.")

t.link(zone, master, slave)

t.start()

master.zones_wait(zone)
slave.zones_wait(zone)

t.xfr_diff(master, slave, zone)

t.end()
Пример #46
0
from dnstest.params import get_binary

# Find PROTOS binaries
protos_bin = [ "c09-dns-query-r1.jar", "c09-dns-zonetransfer-r1.jar" ]
protos_java_bin = get_binary("PROTOS_JAVA_BIN", "java")
protos_query_bin = get_binary("PROTOS_QUERY_BIN", protos_bin[0])
protos_zonetransfer_bin = get_binary("PROTOS_ZONETRANSFER_BIN", protos_bin[1])
if not protos_java_bin:
    raise Skip("Java not found")
if not protos_query_bin:
    raise Skip("'%s' PROTOS binary not found" % protos_bin[0])

t = Test(address=4, tsig=False) # PROTOS works on IPv4, no TSIG
master = t.server("dummy")
slave = t.server("knot")
zone = t.zone("protos.invalid.", exists=False)
t.link(zone, master, slave)

# Update configuration
t.start()

''' Run PROTOS test case with given parameters. '''
def protos_run(name, binfile, params):
    if not binfile:
        return
    check_call([protos_java_bin, "-jar", binfile] + params,
               stdout=open(master.fout, mode="w"), stderr=open(master.ferr, mode="w"))
    shutil.move(master.fout, master.fout + "." + name)
    shutil.move(master.ferr, master.ferr + "." + name)

# Evaluate parameters
Пример #47
0
#!/usr/bin/env python3

'''Test for IXFR from Knot to Bind'''

from dnstest.test import Test

t = Test()

master = t.server("knot")
slave = t.server("bind")
zones = t.zone_rnd(5, records=50) + t.zone("wild.") + \
        t.zone("cname-loop.") + t.zone("records.")

t.link(zones, master, slave, ixfr=True)

t.start()

# Wait for AXFR to slave server.
serials_init = master.zones_wait(zones)
slave.zones_wait(zones)

serials_prev = serials_init
for i in range(4):
    # Update zone files on master.
    for zone in zones:
        master.update_zonefile(zone, random=True)

    master.reload()
    t.sleep(5)

    # Wait for IXFR to slave.
Пример #48
0
def get_dnskeys(server, zones):
    return [
        str(server.dig(z.name, "DNSKEY").resp.answer[0].to_rdataset())
        for z in zones
    ]


def test_added(server, zones, results):
    for (z, res) in zip(zones, results):
        resp = server.dig("added.%s" % z.name, "A")
        resp.check(rcode=res)


t = Test()

zones = t.zone("example.", storage=".") + t.zone("serial.", storage=".")

master = t.server("knot")
slave = t.server("knot")

t.link(zones, master, slave)

for z in zones:
    if random.choice([True, False]):
        master.dnssec(z).enable = True
    else:
        master.add_module(z, ModOnlineSign())
    slave.zones[z.name].journal_content = "all"
    slave.zonefile_load = "none"

backup_dir = master.dir + "/backup"
Пример #49
0
    wait_for_rrsig_count(t, server, "DNSKEY", 1, 20)
    if before_keys < 2 or after_keys > 1:
        check_zone(server, zone, total_keys, 1, 1, 1,
                   desc + ": old key retired")
    # else skip the test as we have no control on KSK and ZSK retiring asynchronously

    wait_for_dnskey_count(t, server, after_keys, 20)
    check_zone(server, zone, after_keys, 1, 1, 1, desc + ": old key removed")


t = Test()

ModOnlineSign.check()

parent = t.server("knot")
parent_zone = t.zone("com.", storage=".")
t.link(parent_zone, parent)

child = t.server("knot")
child_zone = t.zone("example.com.")
t.link(child_zone, child)


def cds_submission():
    cds = child.dig(ZONE, "CDS")
    cds_rdata = cds.resp.answer[0].to_rdataset()[0].to_text()
    up = parent.update(parent_zone)
    up.add(ZONE, 3600, "DS", cds_rdata)
    up.send("NOERROR")

Пример #50
0
mail A     192.0.2.3
     AAAA  2001:DB8::3

new  A     1.1.1.%d"""

SERIALS = {
    "z1.": [0, 1, 2147483648, 4294967295, 0],
    "z2.": [0, 1, 2147483648, 4294967295, 1],
    "z3.": [0, 1, 2147483648, 4294967295, 2]
}

t = Test()

master = t.server("knot")
refer = t.server("bind")
zones = [t.zone(z, storage=t.zones_dir, exists=False)[0] for z in SERIALS]

for dname in SERIALS:
    sequence = SERIALS[dname]
    for index, serial in enumerate(sequence):
        fn = "%szone" % dname if index == 0 else "%szone.%d" % (dname, index)
        with open(os.path.join(t.zones_dir, fn), "w") as f:
            f.write(TEMPL % (dname, serial, index))

t.link(zones, master, ixfr=True)
t.link(zones, refer, ixfr=True)

t.start()

master.zones_wait(zones)
refer.zones_wait(zones)
Пример #51
0
        check_log("non-apex DNSKEY addition")
        up = master.update(zone)
        up.add(
            "nonapex.ddns.", "3600", "DNSKEY",
            "256 3 5 AwEAAbs0AlA6xWQn/lECfGt3S6TaeEmgJfEVVEMh06iNMNWMRHOfbqLF h3N52Ob7trmzlrzGlGLPnAZJvMB8lsFGC5CtaLUBD+4xCh5tl5QifZ+y o+MJvPGlVQI2cs7aMWV9CyFrRmuRcJaSZU2uBz9KFJ955UCq/WIy5KqS 7qaKLzzN"
        )
        up.send("NOERROR")
        resp = master.dig("nonapex.ddns.", "DNSKEY")
        resp.check(
            rcode="NOERROR",
            rdata=
            "256 3 5 AwEAAbs0AlA6xWQn/lECfGt3S6TaeEmgJfEVVEMh06iNMNWMRHOfbqLF h3N52Ob7trmzlrzGlGLPnAZJvMB8lsFGC5CtaLUBD+4xCh5tl5QifZ+y o+MJvPGlVQI2cs7aMWV9CyFrRmuRcJaSZU2uBz9KFJ955UCq/WIy5KqS 7qaKLzzN"
        )


zone = t.zone("ddns.", storage=".")

master_plain = t.server("knot")
t.link(zone, master_plain, ddns=True)

master_nsec = t.server("knot")
t.link(zone, master_nsec, ddns=True)
master_nsec.dnssec(zone).enable = True

master_nsec3 = t.server("knot")
t.link(zone, master_nsec3, ddns=True)
master_nsec3.dnssec(zone).enable = True
master_nsec3.dnssec(zone).nsec3 = True
master_nsec3.dnssec(zone).nsec3_opt_out = (random.random() < 0.5)

t.start()
Пример #52
0
Файл: test.py Проект: idtek/knot
from dnstest.test import Test
from dnstest.module import ModSynthRecord

t = Test()

ModSynthRecord.check()

# Zone indexes
FWD  = 0
REV4 = 1
REV6 = 2

# Initialize server configuration
knot = t.server("knot")
zone = t.zone("forward.", storage=".") + \
       t.zone("1.168.192.in-addr.arpa.", storage=".") + \
       t.zone("1.6.b.0.0.0.0.0.0.2.6.2.ip6.arpa.", storage=".")
t.link(zone, knot)

# Enable DNSSEC
knot.dnssec_enable = True
for z in zone:
    knot.gen_key(z, ksk=True, alg="RSASHA256")
    knot.gen_key(z, alg="RSASHA256")

# Configure 'synth_record' modules for auto forward/reverse zones
knot.add_module(zone[FWD],  ModSynthRecord("forward", None,        None,  "192.168.0.1"))
knot.add_module(zone[FWD],  ModSynthRecord("forward", "dynamic4-", "900", "192.168.1.0-192.168.1.127"))
knot.add_module(zone[FWD],  ModSynthRecord("forward", "dynamic6-", "900", "2620:0:b61::/52"))
knot.add_module(zone[REV4], ModSynthRecord("reverse", "dynamic4-", "900", "192.168.1.0/25", "forward."))
Пример #53
0
'''Test for NSEC and NSEC3 fix after zone update (ddns, ixfr)'''

from dnstest.utils import *
from dnstest.test import Test
from dnstest.keys import Keymgr
import random

t = Test()

master0 = t.server("knot")
master = t.server("knot")
slave = t.server("knot")
zones1 = t.zone_rnd(20, dnssec=False, records=1) + \
         t.zone_rnd(20, dnssec=False, records=10) + \
         t.zone_rnd(5, dnssec=False, records=100) + \
         t.zone("records.")
zone0 = t.zone("dk.", storage=".")
zones = zones1 + zone0

t.link(zone0, master0, master)
t.link(zones, master, slave)

master.disable_notify = True
slave.disable_notify = True

for zone in zones:
    master.dnssec(zone).enable = True
    master.dnssec(zone).nsec3 = random.choice([True, False])
    master.dnssec(zone).nsec3_iters = 2
    master.dnssec(zone).nsec3_salt_len = random.choice([0, 1, 9, 64, 128, 255])
    master.dnssec(zone).nsec3_opt_out = (random.random() < 0.5)
Пример #54
0
#!/usr/bin/env python3

'''Test for auto-rebootstrap if the slave zone file is invalid.'''

from dnstest.test import Test

t = Test()

master = t.server("bind")
slave = t.server("knot")

zone = t.zone("invalid.", storage=".")

t.link(zone, master, slave)

# Create invalid zone file.
slave.update_zonefile(zone, version=1)

t.start()

# Wait for zones and compare them.
master.zones_wait(zone)
slave.zones_wait(zone)
t.xfr_diff(master, slave, zone)

t.end()
Пример #55
0
#!/usr/bin/env python3
'''Test for reload of a changed zone (serial up, nochange, serial down).'''

from dnstest.test import Test
from dnstest.utils import set_err, detail_log
import random

t = Test()

master = t.server("knot")

# Zone setup
zone = t.zone("serial.", storage=".")

t.link(zone, master, ixfr=True)

t.start()

# Load zones
serial = master.zone_wait(zone)


def reload_zone(version, exp_serial, exp_version):
    master.update_zonefile(zone, version)

    if random.random() < 0.5:
        master.reload()
    else:
        master.ctl(random.choice(["-f", " "]) + " zone-reload " + zone[0].name,
                   wait=True)
Пример #56
0
#!/usr/bin/env python3

'''Test for mismatched TTLs handling on slave zone load.'''

'''NOTE: dnspython can't keep different TTLs in one rrset. So we can't check
         the slave server properly.'''

from dnstest.test import Test

t = Test()

master = t.server("dummy")
slave = t.server("knot")

zone = t.zone("ttl-mismatch.", storage=".", exists=False)

t.link(zone, master, slave)

# Create invalid zone file.
slave.update_zonefile(zone, version=1)

t.start()

# Check if the zone was loaded.
resp = slave.dig("ttl.ttl-mismatch.", "A")
resp.check(rcode="NOERROR", flags="QR AA", noflags="TC AD RA")

t.end()
Пример #57
0
    check_log("ZONE SOA TIMERS: REFRESH = 1, RETRY = 20, EXPIRE = 10")
    master.update_zonefile(zone, version=2)
    init_servers(master, slave)
    test_run_case(t, master, slave, action)


def reload_server(t, s):
    s.reload()
    t.sleep(1)


def restart_server(t, s):
    s.stop()
    s.start()


t = Test()

zone = t.zone("example.", storage=".")
servers = create_servers(t, 2, zone)

t.start()

check_log("/// ACTION RELOAD ///")
test_run(t, servers[0], zone, reload_server)
check_log("/// ACTION RESTART ///")
test_run(t, servers[1], zone, restart_server)

t.stop()
Пример #58
0
#!/usr/bin/env python3

'''Test for AXFR-style IXFR'''

from dnstest.test import Test
import os

t = Test(tsig=False)

master = t.server("knot")
slave = t.server("knot")
zone = t.zone("xfr", storage=".")

t.link(zone, master, slave)

t.start()

serial = master.zone_wait(zone)

# update zone with small change
master.update_zonefile(zone, version=1)
master.reload()
master.zone_wait(zone, serial)

# check that master properly sends AXFR-style IXFR
t.check_axfr_style_ixfr(master, "xfr", serial)

serial = slave.zone_wait(zone, serial)

t.xfr_diff(master, slave, zone)