Update dnssec-validate. Check we can retrieve info for bogus domain, and remove must use TCP flag.

Run a second query with the CD bit set and check that succeeds.
This commit is contained in:
Jim Hague 2018-01-17 13:01:29 +00:00
parent 3fd4f7f240
commit 62ad159f15
1 changed files with 68 additions and 23 deletions


@ -385,17 +385,21 @@ static exit_value get_name_type_args(const struct test_info_s *test_info,
static exit_value search(const struct test_info_s *test_info, static exit_value search(const struct test_info_s *test_info,
const char *name, const char *name,
uint16_t type, uint16_t type,
getdns_dict *extensions,
getdns_dict **response) getdns_dict **response)
{ {
getdns_return_t ret; getdns_return_t ret;
getdns_dict *extensions = getdns_dict_create(); getdns_dict *search_extensions =
(extensions) ? extensions : getdns_dict_create();
if ((ret = getdns_dict_set_int(extensions, "return_call_reporting", GETDNS_EXTENSION_TRUE)) != GETDNS_RETURN_GOOD) { /* We always turn on the return_call_reporting extension. */
if ((ret = getdns_dict_set_int(search_extensions, "return_call_reporting", GETDNS_EXTENSION_TRUE)) != GETDNS_RETURN_GOOD) {
fprintf(test_info->errout, fprintf(test_info->errout,
"Cannot set return call reporting: %s (%d)", "Cannot set return call reporting: %s (%d)",
getdns_get_errorstr_by_id(ret), getdns_get_errorstr_by_id(ret),
ret); ret);
getdns_dict_destroy(extensions); if (!extensions)
getdns_dict_destroy(search_extensions);
return EXIT_UNKNOWN; return EXIT_UNKNOWN;
} }
@ -408,9 +412,10 @@ static exit_value search(const struct test_info_s *test_info,
ret = getdns_general_sync(test_info->context, ret = getdns_general_sync(test_info->context,
name, name,
type, type,
extensions, search_extensions,
response); response);
getdns_dict_destroy(extensions); if (!extensions)
getdns_dict_destroy(search_extensions);
if (ret != GETDNS_RETURN_GOOD) { if (ret != GETDNS_RETURN_GOOD) {
fprintf(test_info->errout, fprintf(test_info->errout,
"Error resolving '%s': %s (%d)", "Error resolving '%s': %s (%d)",
@ -689,7 +694,7 @@ static exit_value search_check(const struct test_info_s *test_info,
exit_value xit; exit_value xit;
getdns_dict *resp; getdns_dict *resp;
if ((xit = search(test_info, lookup_name, lookup_type, &resp)) != EXIT_OK) if ((xit = search(test_info, lookup_name, lookup_type, NULL, &resp)) != EXIT_OK)
return xit; return xit;
if ((xit = check_result(test_info, resp)) != EXIT_OK) if ((xit = check_result(test_info, resp)) != EXIT_OK)
@ -1164,34 +1169,73 @@ static exit_value test_dnssec_validate(const struct test_info_s *test_info,
if ((xit = search(test_info, if ((xit = search(test_info,
"dnssec-failed.org", "dnssec-failed.org",
GETDNS_RRTYPE_A, GETDNS_RRTYPE_A,
NULL,
&response)) != EXIT_OK) &response)) != EXIT_OK)
return xit; return xit;
if ((xit = get_report_info(test_info, response, NULL, NULL, NULL)) != EXIT_OK)
return xit;
uint32_t error_id, rcode; uint32_t error_id, rcode;
if ((xit = get_result(test_info, response, &error_id, &rcode)) != EXIT_OK) if ((xit = get_result(test_info, response, &error_id, &rcode)) != EXIT_OK)
return xit; return xit;
switch(error_id) { if (error_id == GETDNS_RESPSTATUS_ALL_TIMEOUT) {
case GETDNS_RESPSTATUS_ALL_TIMEOUT:
fputs("Search timed out", test_info->errout); fputs("Search timed out", test_info->errout);
return EXIT_CRITICAL; return EXIT_CRITICAL;
case GETDNS_RESPSTATUS_NO_SECURE_ANSWERS:
case GETDNS_RESPSTATUS_ALL_BOGUS_ANSWERS:
case GETDNS_RESPSTATUS_NO_NAME:
fputs("Server validates DNSSEC", test_info->errout);
return EXIT_OK;
default:
break;
} }
fputs("Server does NOT validate DNSSEC", test_info->errout); if (rcode != GETDNS_RCODE_SERVFAIL) {
return EXIT_CRITICAL; fputs("Server does NOT validate DNSSEC", test_info->errout);
return EXIT_CRITICAL;
}
/*
* Rerun the query, but this time set the CD bit. The lookup should
* succeed.
*/
getdns_return_t ret;
getdns_dict *response2;
getdns_dict *extensions = getdns_dict_create();
if ((ret = getdns_dict_set_int(extensions, "/header/cd", 1)) != GETDNS_RETURN_GOOD) {
fprintf(test_info->errout,
"Cannot set CD bit: %s (%d)",
getdns_get_errorstr_by_id(ret),
ret);
getdns_dict_destroy(extensions);
return EXIT_UNKNOWN;
}
if ((xit = search(test_info,
"dnssec-failed.org",
GETDNS_RRTYPE_A,
extensions,
&response2)) != EXIT_OK)
return xit;
getdns_dict_destroy(extensions);
/*
* Only now get report info from the first search, so that any
* verbose output appears after the context/reponse dumps.
*/
if ((xit = get_report_info(test_info, response, NULL, NULL, NULL)) != EXIT_OK)
return xit;
if ((xit = get_result(test_info, response2, &error_id, &rcode)) != EXIT_OK)
return xit;
if (error_id == GETDNS_RESPSTATUS_ALL_TIMEOUT) {
fputs("Search timed out", test_info->errout);
return EXIT_CRITICAL;
}
if (error_id != GETDNS_RESPSTATUS_GOOD || rcode != GETDNS_RCODE_NOERROR) {
fputs("Server error - cannot determine DNSSEC status", test_info->errout);
return EXIT_UNKNOWN;
}
fputs("Server validates DNSSEC", test_info->errout);
return EXIT_OK;
} }
static struct test_funcs_s static struct test_funcs_s
@ -1209,7 +1253,7 @@ static struct test_funcs_s
{ "tls-cert-valid", true, false, test_certificate_valid }, { "tls-cert-valid", true, false, test_certificate_valid },
{ "tls-padding", true, false, test_padding }, { "tls-padding", true, false, test_padding },
{ "keepalive", false, true, test_keepalive }, { "keepalive", false, true, test_keepalive },
{ "dnssec-validate", false, true, test_dnssec_validate }, { "dnssec-validate", false, false, test_dnssec_validate },
{ NULL, false, false, NULL } { NULL, false, false, NULL }
}; };
@ -1471,6 +1515,7 @@ int main(int ac, char *av[])
break; break;
default: default:
/* ??? is a trigraph... */
fputs(" (\?\?\?)", test_info.errout); fputs(" (\?\?\?)", test_info.errout);
break; break;
} }
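Review bot: In test_dnssec_validate the CD-bit `extensions` dict is leaked when the second `search()` fails: the `return xit;` on the error path runs before `getdns_dict_destroy(extensions);`, which is only reached on success. Destroy it unconditionally before testing the result: `xit = search(test_info, "dnssec-failed.org", GETDNS_RRTYPE_A, extensions, &response2);` / `getdns_dict_destroy(extensions);` / `if (xit != EXIT_OK) return xit;`. Nothing visible in the hunk destroys `response` or `response2` before any of the returns either; if the test binary relies on process exit to reclaim them that is tolerable, but the new `response2` path makes it worth a comment or a cleanup label. Separately, `search()` now mutates a caller-supplied `extensions` dict (it sets `return_call_reporting` on it); a one-line comment at the function head, e.g. `/* A caller-supplied extensions dict is modified (return_call_reporting is set) and remains owned by the caller. */`, would make that ownership and side effect explicit.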