package goresolver
import (
	"errors"
	"testing"

	"github.com/miekg/dns"
)
// TestNewTrustAnchor checks that NewTrustAnchor loads a non-empty anchor set
// that includes the root KSK-2017 (key tag 20326) carrying the expected DNSKEY
// flags (257, a key-signing key) and algorithm (8, RSA/SHA-256).
//
// TODO(review): only tag, flags and algorithm are asserted here; a key with
// the right tag but different PublicKey material would still pass. Consider
// also pinning the expected public-key material published by IANA for the
// root anchors.
func TestNewTrustAnchor(t *testing.T) {
	ta, err := NewTrustAnchor()
	if err != nil {
		t.Fatalf("NewTrustAnchor failed: %v", err)
	}
	if ta == nil {
		t.Fatal("NewTrustAnchor returned nil")
	}
	if len(ta.dnskeys) == 0 {
		t.Fatal("NewTrustAnchor should have at least one trust anchor")
	}

	// checkKSK asserts the KSK properties of a candidate with key tag 20326.
	checkKSK := func(k *dns.DNSKEY) {
		// Flags 257 (ZONE|SEP) marks a key-signing key.
		if k.Flags != 257 {
			t.Errorf("Expected KSK flag 257, got %d", k.Flags)
		}
		if k.Algorithm != 8 {
			t.Errorf("Expected algorithm 8, got %d", k.Algorithm)
		}
	}

	var matches int
	for _, k := range ta.dnskeys {
		if k.KeyTag() != 20326 {
			continue
		}
		matches++
		checkKSK(k)
	}
	if matches == 0 {
		t.Error("KSK-2017 (key tag 20326) not found in trust anchors")
	}
}
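// TestVerifyRootZone_Valid builds a mock root zone whose DNSKEY RRset and
// public-key lookup both hold exactly the configured trust anchors, and
// expects VerifyRootZone to accept it.
func TestVerifyRootZone_Valid(t *testing.T) {
	ta, err := NewTrustAnchor()
	if err != nil {
		t.Fatalf("NewTrustAnchor failed: %v", err)
	}
	// Fail with a clear message instead of an index-out-of-range panic if
	// the anchor set is unexpectedly empty.
	if len(ta.dnskeys) == 0 {
		t.Fatal("NewTrustAnchor returned no trust anchors")
	}

	// Keep the zone's DNSKEY RRset and its pubKeyLookup consistent: both
	// carry every anchor, not only the first one.
	rrs := make([]dns.RR, 0, len(ta.dnskeys))
	for _, key := range ta.dnskeys {
		rrs = append(rrs, key)
	}
	rootZone := &SignedZone{
		zone:         ".",
		dnskey:       &RRSet{rrSet: rrs},
		ds:           &RRSet{},
		pubKeyLookup: make(map[uint16]*dns.DNSKEY),
	}
	for _, key := range ta.dnskeys {
		rootZone.addPubKey(key)
	}

	if err := ta.VerifyRootZone(*rootZone); err != nil {
		t.Errorf("VerifyRootZone should succeed with matching trust anchor, got: %v", err)
	}
}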
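// TestVerifyRootZone_Invalid builds a mock root zone whose only DNSKEY is a
// fabricated key that is not in the trust-anchor set, and expects
// VerifyRootZone to reject it with ErrRootZoneNotTrusted.
func TestVerifyRootZone_Invalid(t *testing.T) {
	ta, err := NewTrustAnchor()
	if err != nil {
		t.Fatalf("NewTrustAnchor failed: %v", err)
	}

	// A KSK-shaped record (flags 257, algorithm 8) whose key material does
	// not correspond to any configured anchor.
	fakeKey := &dns.DNSKEY{
		Hdr: dns.RR_Header{
			Name:   ".",
			Rrtype: dns.TypeDNSKEY,
			Class:  dns.ClassINET,
		},
		Flags:     257,
		Protocol:  3,
		Algorithm: 8,
		PublicKey: "FakeKeyDataThatDoesNotMatchTrustAnchor==",
	}
	rootZone := &SignedZone{
		zone:         ".",
		dnskey:       &RRSet{rrSet: []dns.RR{fakeKey}},
		ds:           &RRSet{},
		pubKeyLookup: make(map[uint16]*dns.DNSKEY),
	}
	rootZone.addPubKey(fakeKey)

	// errors.Is keeps this assertion valid if VerifyRootZone ever wraps the
	// sentinel with %w; a plain != comparison would then fail spuriously.
	if err := ta.VerifyRootZone(*rootZone); !errors.Is(err, ErrRootZoneNotTrusted) {
		t.Errorf("VerifyRootZone should fail with wrong key, expected ErrRootZoneNotTrusted, got: %v", err)
	}
}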
// TestVerifyRootZone_NotRootZone checks that VerifyRootZone refuses a zone
// whose name is not "." and reports it with the message "not a root zone".
func TestVerifyRootZone_NotRootZone(t *testing.T) {
	ta, err := NewTrustAnchor()
	if err != nil {
		t.Fatalf("NewTrustAnchor failed: %v", err)
	}

	nonRoot := SignedZone{
		zone:         "example.com.",
		dnskey:       &RRSet{},
		ds:           &RRSet{},
		pubKeyLookup: make(map[uint16]*dns.DNSKEY),
	}

	// The message text is compared because no exported sentinel for this
	// case is visible in this file. NOTE(review): if one exists, prefer
	// errors.Is over string matching.
	err = ta.VerifyRootZone(nonRoot)
	rejectedAsNonRoot := err != nil && err.Error() == "not a root zone"
	if !rejectedAsNonRoot {
		t.Errorf("VerifyRootZone should fail for non-root zone, got: %v", err)
	}
}
// TestKeysMatch checks keysMatch on two keys with identical fields and on a
// pair that differs only in PublicKey.
func TestKeysMatch(t *testing.T) {
	// newKey builds a KSK-shaped DNSKEY (flags 257, RSA/SHA-256) around pub.
	newKey := func(pub string) *dns.DNSKEY {
		return &dns.DNSKEY{
			Flags:     257,
			Protocol:  3,
			Algorithm: 8,
			PublicKey: pub,
		}
	}
	same1 := newKey("TestKeyData")
	same2 := newKey("TestKeyData")
	other := newKey("DifferentKeyData")

	if got := keysMatch(same1, same2); !got {
		t.Error("keysMatch should return true for identical keys")
	}
	if got := keysMatch(same1, other); got {
		t.Error("keysMatch should return false for different keys")
	}
}