mirror of
https://github.com/coredns/coredns.git
synced 2025-10-31 16:21:58 +01:00
a53321d9d6
Don't sign data we are not authoritative for. This adds an AuthWalk which skips names we should not authoritative for. Adds a few tests to check this is the case. Generates zones have been compared to dnssec-signzone. A number of changes have been made: * don't add DS records to the apex * NSEC TTL is the SOA's minttl value (copying bind9) * Various cleanups * signer struct was cleaned up: doesn't need ttl, nor expiration or inception. * plugin/sign: remove apex stuff from names() This is never used because we will always have other types in the apex, because we *ADD* them ourselves, before we sign (DNSKEY, CDS and CDNSKEY). Signed-off-by: Miek Gieben <miek@miek.nl> Co-Authored-By: Chris O'Haver <cohaver@infoblox.com>
41 lines
1.6 KiB
Go
41 lines
1.6 KiB
Go
package sign
|
|
|
|
import (
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
)
|
|
|
|
func TestResignInception(t *testing.T) {
|
|
then := time.Date(2019, 7, 18, 22, 50, 0, 0, time.UTC)
|
|
// signed yesterday
|
|
zr := strings.NewReader(`miek.nl. 1800 IN RRSIG SOA 13 2 1800 20190808191936 20190717161936 59725 miek.nl. eU6gI1OkSEbyt`)
|
|
if x := resign(zr, then); x != nil {
|
|
t.Errorf("Expected RRSIG to be valid for %s, got invalid: %s", then.Format(timeFmt), x)
|
|
}
|
|
// inception starts after this date.
|
|
zr = strings.NewReader(`miek.nl. 1800 IN RRSIG SOA 13 2 1800 20190808191936 20190731161936 59725 miek.nl. eU6gI1OkSEbyt`)
|
|
if x := resign(zr, then); x == nil {
|
|
t.Errorf("Expected RRSIG to be invalid for %s, got valid", then.Format(timeFmt))
|
|
}
|
|
}
|
|
|
|
func TestResignExpire(t *testing.T) {
|
|
then := time.Date(2019, 7, 18, 22, 50, 0, 0, time.UTC)
|
|
// expires tomorrow
|
|
zr := strings.NewReader(`miek.nl. 1800 IN RRSIG SOA 13 2 1800 20190717191936 20190717161936 59725 miek.nl. eU6gI1OkSEbyt`)
|
|
if x := resign(zr, then); x == nil {
|
|
t.Errorf("Expected RRSIG to be invalid for %s, got valid", then.Format(timeFmt))
|
|
}
|
|
// expire too far away
|
|
zr = strings.NewReader(`miek.nl. 1800 IN RRSIG SOA 13 2 1800 20190731191936 20190717161936 59725 miek.nl. eU6gI1OkSEbyt`)
|
|
if x := resign(zr, then); x != nil {
|
|
t.Errorf("Expected RRSIG to be valid for %s, got invalid: %s", then.Format(timeFmt), x)
|
|
}
|
|
// expired yesterday
|
|
zr = strings.NewReader(`miek.nl. 1800 IN RRSIG SOA 13 2 1800 20190721191936 20190717161936 59725 miek.nl. eU6gI1OkSEbyt`)
|
|
if x := resign(zr, then); x == nil {
|
|
t.Errorf("Expected RRSIG to be invalid for %s, got valid", then.Format(timeFmt))
|
|
}
|
|
}
|