zonemaster-ldns/t/dnssec.t

use Test::More;

BEGIN { use_ok( 'Zonemaster::LDNS' ); }

my $key1 = Zonemaster::LDNS::RR->new(
"iis.se.	2395	IN	DNSKEY	257 3 5 AwEAAcq5u+qe5VibnyvSnGU20panweAk2QxflGVuVQhzQABQV4SIdAQs +LNVHF61lcxe504jhPmjeQ656X6t+dHpRz1DdPO/ukcIITjIRoJHqS+X XyL6gUluZoDU+K6vpxkGJx5m5n4boRTKCTUAR/9rw2+IQRRTtb6nBwsC 3pmf9IlJQjQMb1cQTb0UO7fYgXDZIYVul2LwGpKRrMJ6Ul1nepkSxTMw Q4H9iKE9FhqPeIpzU9dnXGtJ+ZCx9tWSZ9VsSLWBJtUwoE6ZfIoF1ioq qxfGl9JV1/6GkDxo3pMN2edhkp8aqoo/R+mrJYi0vE8jbXvhZ12151Dy wuSxbGjAlxk="
);
my $key2 = Zonemaster::LDNS::RR->new(
"iis.se.	1591	IN	DNSKEY	256 3 5 BQEAAAABuWpCewwMRD7yPzy6TGsymMAc82IHVGB+vjKVIAYKbPG7QxuLEtEzUxDJo09gLN2/N0OF+NnTkmDMj8KA+eIgtqmMuq5kdDVc+eSNLJZ0 am0o27UEkXmW20iV0d6B/KW1X1nufzBSaacUzkBKyDfK4cN3aVsYIDXT H7Jw1agEzrM="
);
my $soa = Zonemaster::LDNS::RR->new( "iis.se.	3600	IN	SOA	ns.nic.se. hostmaster.iis.se. 1384853101 10800 3600 1814400 14400" );
my $sig = Zonemaster::LDNS::RR->new(
"iis.se.	3600	IN	RRSIG	SOA 5 2 3600 20131129082501 20131119082501 59213 iis.se. ShhhfRT82jfA/J1AAqiie/4r7JuiYOpK6dIwugOtlf0/UpVsOYEIukpe Bq9i7fsa0GNWz/o9gqF8DnsCHzgxZnAngTrJpZAlsrC/FP/6v8WfnFsP LDw9g6Ow8Z6TL9JmZr22YPp27Rwujdb5AnzdurEvQxIAqW66CCCy2pc9 //s="
);

is( $sig->keytag, $key2->keytag );

ok( !$sig->verify( [$soa], [ $key1, $key2 ] ), 'Signature does not verify (expired).' );
ok( !$sig->verify( [$soa], [$key1] ), 'Signature does not verify (wrong key).' );

is(
    $sig->verify_str( [$soa], [ $key1, $key2 ] ),
    'DNSSEC signature has expired',
    'Expected unsuccessful verification message.'
);
is(
    $sig->verify_str( [$soa], [$key1] ),
    'No keys with the keytag and algorithm from the RRSIG found',
    'Expected unsuccessful verification message.'
);

my $msg = '';
my $res = $sig->verify_time( [$soa], [ $key1, $key2 ], 1385628478, $msg );
ok( $res, 'Verified OK in the past.' );
is( $msg, 'All OK', 'Expected verification message' );

my $ds1 = $key1->ds( 'sha1' );
isa_ok( $ds1, 'Zonemaster::LDNS::RR::DS', 'sha1' );
ok( $ds1->verify( $key1 ) ) if $ds1;

my $ds2 = $key1->ds( 'sha256' );
isa_ok( $ds2, 'Zonemaster::LDNS::RR::DS', 'sha256' );
ok( $ds2->verify( $key1 ) ) if $ds2;

my $ds3 = $key1->ds( 'sha384' );
isa_ok( $ds3, 'Zonemaster::LDNS::RR::DS', 'sha384' );
ok( $ds3->verify( $key1 ) ) if $ds3;

my $ds4 = $key1->ds( 'gost' );
if ( $ds4 ) {    # We may not have GOST available.
    isa_ok( $ds4, 'Zonemaster::LDNS::RR::DS', 'gost' );
    ok( $ds4->verify( $key1 ) ) if $ds4;
}

is($key1->keysize, 2048, 'Key is 2048 bits long');
is($key2->keysize, 1024, 'Key is 1024 bits long');

my $nsec = Zonemaster::LDNS::RR->new('xx.se.			7200	IN	NSEC	xx0r.se. NS RRSIG NSEC');
isa_ok($nsec, 'Zonemaster::LDNS::RR::NSEC');
ok($nsec->covers('xx-example.se'), 'Covers xx-example.se');

ok(!$nsec->covers('.'), 'Does not cover the root domain');

my $nsec3 = Zonemaster::LDNS::RR->new('NR2E513KM693MBTNVHH56ENF54F886T0.com. 86400 IN NSEC3 1 1 0 - NR2FUHQVR56LH70L6F971J3L6N1RH2TU NS DS RRSIG');
isa_ok($nsec3, 'Zonemaster::LDNS::RR::NSEC3');
ok($nsec3->covers('xx-example.com'), 'Covers xx-example.com');

is($nsec3->covers('.'), undef, 'Does not cover the root domain');

subtest 'malformed NSEC3 do not cover anything' => sub {
    # Malformed resource record lacking a next hashed owner name field in its
    # RDATA. The only way to synthesize such a datum is to use the RFC 3597
    # syntax.
    my $example = Zonemaster::LDNS::RR->new(
        q{example. 0 IN NSEC3 \# 15 01 00 0001 01 AB 00 0006 400000000002}
    );
    is( $example->covers("example"), undef );

    # NSEC3 resource record whose owner name is the root name. This should
    # normally not happen.
    $example = Zonemaster::LDNS::RR->new(
        q{.        0 IN NSEC3 1 0 1 ab 01234567 A RRSIG}
    );
    is( $example->covers("example"), undef );
};

SKIP: {
    skip 'no network', 3 unless $ENV{TEST_WITH_NETWORK};

    $res = Zonemaster::LDNS->new( '212.247.7.228' );
    $res->dnssec( 1 );
    my $p1 = eval { $res->query('www.iis.se', 'A') };

    skip 'Remote server not responding', 3 if not $p1;

    ok( $p1->needs_edns, 'Needs EDNS0');
    ok( $p1->has_edns, 'Alias is there');
    ok( ($p1->edns_size > 0), 'EDNS0 size larger than zero' );
}

done_testing;
feat: add full Zonemaster stack with Docker and Spanish UI - Clone all 5 Zonemaster component repos (LDNS, Engine, CLI, Backend, GUI) - Dockerfile.backend: 8-stage multi-stage build LDNS→Engine→CLI→Backend - Dockerfile.gui: Astro static build served via nginx - docker-compose.yml: backend (internal) + frontend (port 5353) - nginx.conf: root redirects to /es/, /api/ proxied to backend - zonemaster-gui/config.ts: defaultLanguage set to 'es' (Spanish) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-21 08:19:24 +02:00			`use Test::More;`

			`BEGIN { use_ok( 'Zonemaster::LDNS' ); }`

			`my $key1 = Zonemaster::LDNS::RR->new(`
			`"iis.se. 2395 IN DNSKEY 257 3 5 AwEAAcq5u+qe5VibnyvSnGU20panweAk2QxflGVuVQhzQABQV4SIdAQs +LNVHF61lcxe504jhPmjeQ656X6t+dHpRz1DdPO/ukcIITjIRoJHqS+X XyL6gUluZoDU+K6vpxkGJx5m5n4boRTKCTUAR/9rw2+IQRRTtb6nBwsC 3pmf9IlJQjQMb1cQTb0UO7fYgXDZIYVul2LwGpKRrMJ6Ul1nepkSxTMw Q4H9iKE9FhqPeIpzU9dnXGtJ+ZCx9tWSZ9VsSLWBJtUwoE6ZfIoF1ioq qxfGl9JV1/6GkDxo3pMN2edhkp8aqoo/R+mrJYi0vE8jbXvhZ12151Dy wuSxbGjAlxk="`
			`);`
			`my $key2 = Zonemaster::LDNS::RR->new(`
			`"iis.se. 1591 IN DNSKEY 256 3 5 BQEAAAABuWpCewwMRD7yPzy6TGsymMAc82IHVGB+vjKVIAYKbPG7QxuLEtEzUxDJo09gLN2/N0OF+NnTkmDMj8KA+eIgtqmMuq5kdDVc+eSNLJZ0 am0o27UEkXmW20iV0d6B/KW1X1nufzBSaacUzkBKyDfK4cN3aVsYIDXT H7Jw1agEzrM="`
			`);`
			`my $soa = Zonemaster::LDNS::RR->new( "iis.se. 3600 IN SOA ns.nic.se. hostmaster.iis.se. 1384853101 10800 3600 1814400 14400" );`
			`my $sig = Zonemaster::LDNS::RR->new(`
			`"iis.se. 3600 IN RRSIG SOA 5 2 3600 20131129082501 20131119082501 59213 iis.se. ShhhfRT82jfA/J1AAqiie/4r7JuiYOpK6dIwugOtlf0/UpVsOYEIukpe Bq9i7fsa0GNWz/o9gqF8DnsCHzgxZnAngTrJpZAlsrC/FP/6v8WfnFsP LDw9g6Ow8Z6TL9JmZr22YPp27Rwujdb5AnzdurEvQxIAqW66CCCy2pc9 //s="`
			`);`

			`is( $sig->keytag, $key2->keytag );`

			`ok( !$sig->verify( [$soa], [ $key1, $key2 ] ), 'Signature does not verify (expired).' );`
			`ok( !$sig->verify( [$soa], [$key1] ), 'Signature does not verify (wrong key).' );`

			`is(`
			`$sig->verify_str( [$soa], [ $key1, $key2 ] ),`
			`'DNSSEC signature has expired',`
			`'Expected unsuccessful verification message.'`
			`);`
			`is(`
			`$sig->verify_str( [$soa], [$key1] ),`
			`'No keys with the keytag and algorithm from the RRSIG found',`
			`'Expected unsuccessful verification message.'`
			`);`

			`my $msg = '';`
			`my $res = $sig->verify_time( [$soa], [ $key1, $key2 ], 1385628478, $msg );`
			`ok( $res, 'Verified OK in the past.' );`
			`is( $msg, 'All OK', 'Expected verification message' );`

			`my $ds1 = $key1->ds( 'sha1' );`
			`isa_ok( $ds1, 'Zonemaster::LDNS::RR::DS', 'sha1' );`
			`ok( $ds1->verify( $key1 ) ) if $ds1;`

			`my $ds2 = $key1->ds( 'sha256' );`
			`isa_ok( $ds2, 'Zonemaster::LDNS::RR::DS', 'sha256' );`
			`ok( $ds2->verify( $key1 ) ) if $ds2;`

			`my $ds3 = $key1->ds( 'sha384' );`
			`isa_ok( $ds3, 'Zonemaster::LDNS::RR::DS', 'sha384' );`
			`ok( $ds3->verify( $key1 ) ) if $ds3;`

			`my $ds4 = $key1->ds( 'gost' );`
			`if ( $ds4 ) { # We may not have GOST available.`
			`isa_ok( $ds4, 'Zonemaster::LDNS::RR::DS', 'gost' );`
			`ok( $ds4->verify( $key1 ) ) if $ds4;`
			`}`

			`is($key1->keysize, 2048, 'Key is 2048 bits long');`
			`is($key2->keysize, 1024, 'Key is 1024 bits long');`

			`my $nsec = Zonemaster::LDNS::RR->new('xx.se. 7200 IN NSEC xx0r.se. NS RRSIG NSEC');`
			`isa_ok($nsec, 'Zonemaster::LDNS::RR::NSEC');`
			`ok($nsec->covers('xx-example.se'), 'Covers xx-example.se');`

			`ok(!$nsec->covers('.'), 'Does not cover the root domain');`

			`my $nsec3 = Zonemaster::LDNS::RR->new('NR2E513KM693MBTNVHH56ENF54F886T0.com. 86400 IN NSEC3 1 1 0 - NR2FUHQVR56LH70L6F971J3L6N1RH2TU NS DS RRSIG');`
			`isa_ok($nsec3, 'Zonemaster::LDNS::RR::NSEC3');`
			`ok($nsec3->covers('xx-example.com'), 'Covers xx-example.com');`

			`is($nsec3->covers('.'), undef, 'Does not cover the root domain');`

			`subtest 'malformed NSEC3 do not cover anything' => sub {`
			`# Malformed resource record lacking a next hashed owner name field in its`
			`# RDATA. The only way to synthesize such a datum is to use the RFC 3597`
			`# syntax.`
			`my $example = Zonemaster::LDNS::RR->new(`
			`q{example. 0 IN NSEC3 \# 15 01 00 0001 01 AB 00 0006 400000000002}`
			`);`
			`is( $example->covers("example"), undef );`

			`# NSEC3 resource record whose owner name is the root name. This should`
			`# normally not happen.`
			`$example = Zonemaster::LDNS::RR->new(`
			`q{. 0 IN NSEC3 1 0 1 ab 01234567 A RRSIG}`
			`);`
			`is( $example->covers("example"), undef );`
			`};`

			`SKIP: {`
			`skip 'no network', 3 unless $ENV{TEST_WITH_NETWORK};`

			`$res = Zonemaster::LDNS->new( '212.247.7.228' );`
			`$res->dnssec( 1 );`
			`my $p1 = eval { $res->query('www.iis.se', 'A') };`

			`skip 'Remote server not responding', 3 if not $p1;`

			`ok( $p1->needs_edns, 'Needs EDNS0');`
			`ok( $p1->has_edns, 'Alias is there');`
			`ok( ($p1->edns_size > 0), 'EDNS0 size larger than zero' );`
			`}`

			`done_testing;`