knot-dns/tests-extra/tests/modules/dnsproxy/test.py

#!/usr/bin/env python3

''' Check 'dnsproxy' query module functionality. '''

from dnstest.test import Test
from dnstest.keys import Tsig
from dnstest.module import ModDnsproxy
import dnstest.keys

TSIG = Tsig() # Use the same TSIG key for all communication.
t = Test(tsig=TSIG)

ModDnsproxy.check()

def is_subzone(subzone, zone):
    """Tests if the first zone is a subzone of the second one or equal, case insensitive."""
    return subzone.name.lower().endswith(zone.name.lower())

# Initialize server configuration
zone_common1 = t.zone("test", storage=".", file_name="test.local_zone")
zone_common2 = t.zone("test", storage=".", file_name="test.remote_zone")
while True:
    zone_local = t.zone_rnd(1)
    if not is_subzone(zone_local[0], zone_common1[0]):
        break
while True:
    zone_remote = t.zone_rnd(1)
    if not is_subzone(zone_remote[0], zone_common2[0]):
        break

local = t.server("knot", tsig=TSIG)
t.link(zone_common1, local)
t.link(zone_local, local)

remote = t.server("knot", tsig=TSIG)
t.link(zone_common2, remote)
t.link(zone_remote, remote)

if local.valgrind:
    local.semantic_check = False
    remote.semantic_check = False

def fallback_checks(server, zone_local, zone_remote, nxdomain):
    # Local preferred OK, try with local TSIG.
    resp = server.dig("dns1.test", "A", tsig=True)
    resp.check(rcode="NOERROR", flags="AA", rdata="192.0.2.1", nordata="192.0.2.2")

    # Local record OK.
    resp = server.dig("local.test", "A")
    resp.check(rcode="NOERROR", flags="AA", rdata="1.1.1.1")

    # Local OK.
    resp = server.dig(zone_local.name, "SOA")
    resp.check(rcode="NOERROR", flags="AA")

    # Remote OK.
    resp = server.dig(zone_remote.name, "SOA", tsig=True)
    if (is_subzone(zone_remote, zone_local) and not nxdomain):
        resp.check(rcode="NXDOMAIN", flags="AA")
    else:
        resp.check(rcode="NOERROR", flags="AA")

    # Remote NOK, not existing zone.
    resp = server.dig("z-o-n-e.", "SOA")
    resp.check(rcode="REFUSED", noflags="AA")

    # Local XFR OK.
    resp = server.dig("test", "AXFR", tsig=True)
    resp.check_xfr(rcode="NOERROR")

    # Remote XFR not possible in the fallback mode - not authoritative.
    resp = server.dig(zone_remote.name, "AXFR")
    resp.check_xfr(rcode="NOTAUTH")

t.start()

remote.zone_wait(zone_common2)

### No fallback

# Only after successful start the remote address is known!
local.add_module(None, ModDnsproxy(remote.addr, remote.port, fallback=False))
local.gen_confile()
local.reload()

# Remote OK, try with remote TSIG.
resp = local.dig("dns1.test", "A", tsig=True)
resp.check(rcode="NOERROR", flags="AA", rdata="192.0.2.2", nordata="192.0.2.1")

# Remote XFR OK.
resp = local.dig("test", "AXFR", tsig=True)
resp.check_xfr(rcode="NOERROR")

# Local record NOK.
resp = local.dig("local.test", "A")
resp.check(rcode="NXDOMAIN", flags="AA")

# Remote record OK.
resp = local.dig("remote.test", "A")
resp.check(rcode="NOERROR", flags="AA", rdata="1.1.1.2")

# Local NOK, unknown zone.
resp = local.dig(zone_local[0].name, "SOA")
resp.check(rcode="REFUSED", noflags="AA")

# Remote OK.
resp = local.dig(zone_remote[0].name, "SOA")
resp.check(rcode="NOERROR", flags="AA")

# Remote AXFR OK.
resp = local.dig(zone_remote[0].name, "AXFR", tsig=True)
resp.check_xfr(rcode="NOERROR")

# Remote NOK, not existing owner.
resp = local.dig("u-n-k-n-o-w-n." + zone_remote[0].name, "A")
resp.check(rcode="NXDOMAIN", flags="AA")

# Remote NOK, unknown zone.
resp = local.dig("z-o-n-e.", "SOA")
resp.check(rcode="REFUSED", noflags="AA")

### Fallback, no nxdomain

local.clear_modules(None)
local.add_module(None, ModDnsproxy(remote.addr, remote.port, fallback=True, nxdomain=False))
local.gen_confile()
local.reload()

fallback_checks(local, zone_local[0], zone_remote[0], nxdomain=False)

# Local NOK, not forwarded.
resp = local.dig("remote.test", "A")
resp.check(rcode="NXDOMAIN", flags="AA")

### Fallback, nxdomain

local.clear_modules(None)
local.add_module(None, ModDnsproxy(remote.addr, remote.port, fallback=True, nxdomain=True))
local.gen_confile()
local.reload()

fallback_checks(local, zone_local[0], zone_remote[0], nxdomain=True)

# Local NOK, but forwarded OK.
resp = local.dig("remote.test", "A")
resp.check(rcode="NOERROR", flags="AA", rdata="1.1.1.2")

# Remote not available, responded locally.
remote.stop()
resp = local.dig("remote.test", "A")
resp.check(rcode="NXDOMAIN", flags="AA")
remote.start()

### Per zone, fallback

local.clear_modules(None)
local.add_module(zone_common1[0], ModDnsproxy(remote.addr, remote.port, fallback=False))
local.gen_confile()
local.reload()

# Remote OK.
resp = local.dig("dns1.test", "A")
resp.check(rcode="NOERROR", flags="AA", rdata="192.0.2.2", nordata="192.0.2.1")

# Remote NOK, not forwarded.
resp = local.dig(zone_remote[0].name, "SOA")
if not is_subzone(zone_remote[0], zone_local[0]):
    resp.check(rcode="REFUSED", noflags="AA")
else:
    resp.check(rcode="NXDOMAIN", flags="AA")

# Remote not available, responded locally.
remote.stop()
resp = local.dig("dns1.test", "A")
resp.check(rcode="NOERROR", flags="AA", rdata="192.0.2.1", nordata="192.0.2.2")

t.end()
tests-extra: add dnsproxy test 2015-07-31 08:04:15 -04:00			`#!/usr/bin/env python3`

			`''' Check 'dnsproxy' query module functionality. '''`

			`from dnstest.test import Test`
dnsproxy: fix TSIG handling 2024-08-23 04:27:16 -04:00			`from dnstest.keys import Tsig`
tests-extra: add dnsproxy test 2015-07-31 08:04:15 -04:00			`from dnstest.module import ModDnsproxy`
dnsproxy: forward with TSIG if not fallback mode 2017-02-03 07:53:44 -05:00			`import dnstest.keys`
tests-extra: add dnsproxy test 2015-07-31 08:04:15 -04:00
dnsproxy: fix TSIG handling 2024-08-23 04:27:16 -04:00			`TSIG = Tsig() # Use the same TSIG key for all communication.`
			`t = Test(tsig=TSIG)`
tests-extra: add dnsproxy test 2015-07-31 08:04:15 -04:00
			`ModDnsproxy.check()`

tests-extra: modules/dnsproxy -- avoid possible random-zone name collisions as subzones 2024-09-02 12:00:14 -04:00			`def is_subzone(subzone, zone):`
			`"""Tests if the first zone is a subzone of the second one or equal, case insensitive."""`
			`return subzone.name.lower().endswith(zone.name.lower())`

tests-extra: add dnsproxy test 2015-07-31 08:04:15 -04:00			`# Initialize server configuration`
dnsproxy: add non-fallback mode 2017-01-26 15:13:29 -05:00			`zone_common1 = t.zone("test", storage=".", file_name="test.local_zone")`
			`zone_common2 = t.zone("test", storage=".", file_name="test.remote_zone")`
tests-extra: modules/dnsproxy -- avoid possible random-zone name collisions 2024-08-06 03:53:55 -04:00			`while True:`
			`zone_local = t.zone_rnd(1)`
tests-extra: modules/dnsproxy -- avoid possible random-zone name collisions as subzones 2024-09-02 12:00:14 -04:00			`if not is_subzone(zone_local[0], zone_common1[0]):`
tests-extra: remove superfluous C-style semicolons from Python code 2024-12-18 06:51:03 -05:00			`break`
tests-extra: modules/dnsproxy -- avoid possible random-zone name collisions 2024-08-06 03:53:55 -04:00			`while True:`
			`zone_remote = t.zone_rnd(1)`
tests-extra: modules/dnsproxy -- avoid possible random-zone name collisions as subzones 2024-09-02 12:00:14 -04:00			`if not is_subzone(zone_remote[0], zone_common2[0]):`
tests-extra: remove superfluous C-style semicolons from Python code 2024-12-18 06:51:03 -05:00			`break`
tests-extra: add dnsproxy test 2015-07-31 08:04:15 -04:00
dnsproxy: fix TSIG handling 2024-08-23 04:27:16 -04:00			`local = t.server("knot", tsig=TSIG)`
dnsproxy: add non-fallback mode 2017-01-26 15:13:29 -05:00			`t.link(zone_common1, local)`
			`t.link(zone_local, local)`
tests-extra: add dnsproxy test 2015-07-31 08:04:15 -04:00
dnsproxy: fix TSIG handling 2024-08-23 04:27:16 -04:00			`remote = t.server("knot", tsig=TSIG)`
dnsproxy: add non-fallback mode 2017-01-26 15:13:29 -05:00			`t.link(zone_common2, remote)`
			`t.link(zone_remote, remote)`

tests: fix fail with slow semcheck of DNSSEC with valgrind 2022-06-08 13:55:23 -04:00			`if local.valgrind:`
			`local.semantic_check = False`
			`remote.semantic_check = False`

tests-extra: modules/dnsproxy -- test well even in case of conflicting zones This change handles the situation when the remote zone is a subzone of the local zone 2022-01-21 11:36:28 -05:00			`def fallback_checks(server, zone_local, zone_remote, nxdomain):`
dnsproxy: forward with TSIG if not fallback mode 2017-02-03 07:53:44 -05:00			`# Local preferred OK, try with local TSIG.`
tests-extra/dnsproxy: adapt to new configuration - use one common TSIG key instead of two ones This is a slight simplification of the test. 2022-05-03 13:34:03 -04:00			`resp = server.dig("dns1.test", "A", tsig=True)`
dnsproxy: add non-fallback mode 2017-01-26 15:13:29 -05:00			`resp.check(rcode="NOERROR", flags="AA", rdata="192.0.2.1", nordata="192.0.2.2")`

			`# Local record OK.`
			`resp = server.dig("local.test", "A")`
			`resp.check(rcode="NOERROR", flags="AA", rdata="1.1.1.1")`

			`# Local OK.`
			`resp = server.dig(zone_local.name, "SOA")`
			`resp.check(rcode="NOERROR", flags="AA")`

dnsproxy: fix TSIG handling 2024-08-23 04:27:16 -04:00			`# Remote OK.`
tests-extra/dnsproxy: adapt to new configuration - use one common TSIG key instead of two ones This is a slight simplification of the test. 2022-05-03 13:34:03 -04:00			`resp = server.dig(zone_remote.name, "SOA", tsig=True)`
tests-extra: modules/dnsproxy -- test well even in case of conflicting zones This change handles the situation when the remote zone is a subzone of the local zone 2022-01-21 11:36:28 -05:00			`if (is_subzone(zone_remote, zone_local) and not nxdomain):`
			`resp.check(rcode="NXDOMAIN", flags="AA")`
			`else:`
			`resp.check(rcode="NOERROR", flags="AA")`
dnsproxy: add non-fallback mode 2017-01-26 15:13:29 -05:00
			`# Remote NOK, not existing zone.`
			`resp = server.dig("z-o-n-e.", "SOA")`
			`resp.check(rcode="REFUSED", noflags="AA")`
tests-extra: add dnsproxy test 2015-07-31 08:04:15 -04:00
dnsproxy: forward with TSIG if not fallback mode 2017-02-03 07:53:44 -05:00			`# Local XFR OK.`
tests-extra/dnsproxy: adapt to new configuration - use one common TSIG key instead of two ones This is a slight simplification of the test. 2022-05-03 13:34:03 -04:00			`resp = server.dig("test", "AXFR", tsig=True)`
dnsproxy: forward with TSIG if not fallback mode 2017-02-03 07:53:44 -05:00			`resp.check_xfr(rcode="NOERROR")`

dnsproxy: fix TSIG handling 2024-08-23 04:27:16 -04:00			`# Remote XFR not possible in the fallback mode - not authoritative.`
dnsproxy: forward with TSIG if not fallback mode 2017-02-03 07:53:44 -05:00			`resp = server.dig(zone_remote.name, "AXFR")`
			`resp.check_xfr(rcode="NOTAUTH")`

tests-extra: add dnsproxy test 2015-07-31 08:04:15 -04:00			`t.start()`

dnsproxy: forward with TSIG if not fallback mode 2017-02-03 07:53:44 -05:00			`remote.zone_wait(zone_common2)`

dnsproxy: add non-fallback mode 2017-01-26 15:13:29 -05:00			`### No fallback`
tests-extra: add dnsproxy test 2015-07-31 08:04:15 -04:00
dnsproxy: add non-fallback mode 2017-01-26 15:13:29 -05:00			`# Only after successful start the remote address is known!`
			`local.add_module(None, ModDnsproxy(remote.addr, remote.port, fallback=False))`
			`local.gen_confile()`
			`local.reload()`
tests-extra: add dnsproxy test 2015-07-31 08:04:15 -04:00
dnsproxy: forward with TSIG if not fallback mode 2017-02-03 07:53:44 -05:00			`# Remote OK, try with remote TSIG.`
tests-extra/dnsproxy: adapt to new configuration - use one common TSIG key instead of two ones This is a slight simplification of the test. 2022-05-03 13:34:03 -04:00			`resp = local.dig("dns1.test", "A", tsig=True)`
dnsproxy: add non-fallback mode 2017-01-26 15:13:29 -05:00			`resp.check(rcode="NOERROR", flags="AA", rdata="192.0.2.2", nordata="192.0.2.1")`
tests-extra: add dnsproxy test 2015-07-31 08:04:15 -04:00
dnsproxy: forward with TSIG if not fallback mode 2017-02-03 07:53:44 -05:00			`# Remote XFR OK.`
tests-extra/dnsproxy: adapt to new configuration - use one common TSIG key instead of two ones This is a slight simplification of the test. 2022-05-03 13:34:03 -04:00			`resp = local.dig("test", "AXFR", tsig=True)`
dnsproxy: forward with TSIG if not fallback mode 2017-02-03 07:53:44 -05:00			`resp.check_xfr(rcode="NOERROR")`

dnsproxy: add non-fallback mode 2017-01-26 15:13:29 -05:00			`# Local record NOK.`
			`resp = local.dig("local.test", "A")`
tests-extra: add dnsproxy test 2015-07-31 08:04:15 -04:00			`resp.check(rcode="NXDOMAIN", flags="AA")`

dnsproxy: add non-fallback mode 2017-01-26 15:13:29 -05:00			`# Remote record OK.`
			`resp = local.dig("remote.test", "A")`
			`resp.check(rcode="NOERROR", flags="AA", rdata="1.1.1.2")`

			`# Local NOK, unknown zone.`
			`resp = local.dig(zone_local[0].name, "SOA")`
			`resp.check(rcode="REFUSED", noflags="AA")`

			`# Remote OK.`
			`resp = local.dig(zone_remote[0].name, "SOA")`
tests-extra: add dnsproxy test 2015-07-31 08:04:15 -04:00			`resp.check(rcode="NOERROR", flags="AA")`

dnsproxy: fix TSIG handling 2024-08-23 04:27:16 -04:00			`# Remote AXFR OK.`
			`resp = local.dig(zone_remote[0].name, "AXFR", tsig=True)`
			`resp.check_xfr(rcode="NOERROR")`

dnsproxy: add non-fallback mode 2017-01-26 15:13:29 -05:00			`# Remote NOK, not existing owner.`
			`resp = local.dig("u-n-k-n-o-w-n." + zone_remote[0].name, "A")`
tests-extra: add dnsproxy test 2015-07-31 08:04:15 -04:00			`resp.check(rcode="NXDOMAIN", flags="AA")`

dnsproxy: add non-fallback mode 2017-01-26 15:13:29 -05:00			`# Remote NOK, unknown zone.`
			`resp = local.dig("z-o-n-e.", "SOA")`
tests-extra: add dnsproxy test 2015-07-31 08:04:15 -04:00			`resp.check(rcode="REFUSED", noflags="AA")`

dnsproxy: add non-fallback mode 2017-01-26 15:13:29 -05:00			`### Fallback, no nxdomain`
tests-extra: add dnsproxy test 2015-07-31 08:04:15 -04:00
dnsproxy: add non-fallback mode 2017-01-26 15:13:29 -05:00			`local.clear_modules(None)`
			`local.add_module(None, ModDnsproxy(remote.addr, remote.port, fallback=True, nxdomain=False))`
			`local.gen_confile()`
			`local.reload()`
tests-extra: add dnsproxy test 2015-07-31 08:04:15 -04:00
tests-extra: modules/dnsproxy -- test well even in case of conflicting zones This change handles the situation when the remote zone is a subzone of the local zone 2022-01-21 11:36:28 -05:00			`fallback_checks(local, zone_local[0], zone_remote[0], nxdomain=False)`
tests-extra: add dnsproxy test 2015-07-31 08:04:15 -04:00
dnsproxy: add non-fallback mode 2017-01-26 15:13:29 -05:00			`# Local NOK, not forwarded.`
			`resp = local.dig("remote.test", "A")`
tests-extra: add dnsproxy test 2015-07-31 08:04:15 -04:00			`resp.check(rcode="NXDOMAIN", flags="AA")`

dnsproxy: forward with TSIG if not fallback mode 2017-02-03 07:53:44 -05:00			`### Fallback, nxdomain`
dnsproxy: add non-fallback mode 2017-01-26 15:13:29 -05:00
			`local.clear_modules(None)`
			`local.add_module(None, ModDnsproxy(remote.addr, remote.port, fallback=True, nxdomain=True))`
			`local.gen_confile()`
			`local.reload()`

tests-extra: modules/dnsproxy -- test well even in case of conflicting zones This change handles the situation when the remote zone is a subzone of the local zone 2022-01-21 11:36:28 -05:00			`fallback_checks(local, zone_local[0], zone_remote[0], nxdomain=True)`
dnsproxy: add non-fallback mode 2017-01-26 15:13:29 -05:00
			`# Local NOK, but forwarded OK.`
			`resp = local.dig("remote.test", "A")`
			`resp.check(rcode="NOERROR", flags="AA", rdata="1.1.1.2")`

mod-dnsproxy: don't return SERVFAIL if forwarding failed, respond locally 2023-12-05 14:36:12 -05:00			`# Remote not available, responded locally.`
			`remote.stop()`
			`resp = local.dig("remote.test", "A")`
			`resp.check(rcode="NXDOMAIN", flags="AA")`
			`remote.start()`

dnsproxy: add non-fallback mode 2017-01-26 15:13:29 -05:00			`### Per zone, fallback`

			`local.clear_modules(None)`
			`local.add_module(zone_common1[0], ModDnsproxy(remote.addr, remote.port, fallback=False))`
			`local.gen_confile()`
			`local.reload()`

			`# Remote OK.`
			`resp = local.dig("dns1.test", "A")`
			`resp.check(rcode="NOERROR", flags="AA", rdata="192.0.2.2", nordata="192.0.2.1")`

			`# Remote NOK, not forwarded.`
			`resp = local.dig(zone_remote[0].name, "SOA")`
tests-extra: modules/dnsproxy -- test well even in case of conflicting zones This change handles the situation when the remote zone is a subzone of the local zone 2022-01-21 11:36:28 -05:00			`if not is_subzone(zone_remote[0], zone_local[0]):`
			`resp.check(rcode="REFUSED", noflags="AA")`
			`else:`
			`resp.check(rcode="NXDOMAIN", flags="AA")`
tests-extra: add dnsproxy test 2015-07-31 08:04:15 -04:00
mod-dnsproxy: don't return SERVFAIL if forwarding failed, respond locally 2023-12-05 14:36:12 -05:00			`# Remote not available, responded locally.`
			`remote.stop()`
			`resp = local.dig("dns1.test", "A")`
			`resp.check(rcode="NOERROR", flags="AA", rdata="192.0.2.1", nordata="192.0.2.2")`

tests-extra: add dnsproxy test 2015-07-31 08:04:15 -04:00			`t.end()`