refactor Implementation branching into its own module

.github/workflows/ci.yml

@@ -28,7 +28,7 @@ jobs:
         run: cargo test -p dns-test -- --include-ignored
 
       - name: Run tests against unbound
-        run: cargo test -p conformance-tests -- --include-ignored
+        run: DNS_TEST_PEER=bind cargo test -p conformance-tests -- --include-ignored
 
       - name: Run tests against BIND
         run: DNS_TEST_SUBJECT=bind cargo test -p conformance-tests -- --include-ignored

packages/conformance-tests/src/lib.rs

@@ -1,3 +1,4 @@
 #![cfg(test)]
 
+mod name_server;
 mod resolver;

packages/conformance-tests/src/name_server.rs

@@ -0,0 +1,2 @@
+mod rfc4035;
+mod scenarios;

packages/conformance-tests/src/name_server/rfc4035.rs

@@ -0,0 +1 @@
+mod section_3;

packages/conformance-tests/src/name_server/rfc4035/section_3.rs

@@ -0,0 +1 @@
+mod section_3_1;

packages/conformance-tests/src/name_server/rfc4035/section_3/section_3_1.rs

@@ -0,0 +1 @@
+mod section_3_1_1;

packages/conformance-tests/src/name_server/rfc4035/section_3/section_3_1/section_3_1_1.rs

@@ -0,0 +1,64 @@
+use dns_test::client::{Client, DigSettings};
+use dns_test::name_server::NameServer;
+use dns_test::record::{Record, RecordType};
+use dns_test::{Network, Result, FQDN};
+
+#[test]
+#[ignore]
+fn rrsig_in_answer_section() -> Result<()> {
+    let network = Network::new()?;
+
+    let ns = NameServer::new(&dns_test::subject(), FQDN::ROOT, &network)?
+        .sign()?
+        .start()?;
+
+    let client = Client::new(&network)?;
+    let ns_fqdn = ns.fqdn();
+    let ans = client.dig(
+        *DigSettings::default().dnssec(),
+        ns.ipv4_addr(),
+        RecordType::A,
+        ns_fqdn,
+    )?;
+
+    assert!(ans.status.is_noerror());
+    let [a, rrsig] = ans.answer.try_into().unwrap();
+
+    assert!(matches!(a, Record::A(..)));
+    let rrsig = rrsig.try_into_rrsig().unwrap();
+    assert_eq!(RecordType::A, rrsig.type_covered);
+    assert_eq!(ns_fqdn, &rrsig.fqdn);
+
+    Ok(())
+}
+
+#[test]
+#[ignore]
+fn rrsig_in_authority_section() -> Result<()> {
+    let network = Network::new()?;
+
+    let ns = NameServer::new(&dns_test::subject(), FQDN::ROOT, &network)?
+        .sign()?
+        .start()?;
+
+    let client = Client::new(&network)?;
+    let ans = client.dig(
+        *DigSettings::default().dnssec(),
+        ns.ipv4_addr(),
+        RecordType::SOA,
+        &FQDN::ROOT,
+    )?;
+
+    assert!(ans.status.is_noerror());
+    let [ns, rrsig] = ans.authority.try_into().unwrap();
+
+    assert!(matches!(ns, Record::NS(..)));
+    let rrsig = rrsig.try_into_rrsig().unwrap();
+    assert_eq!(RecordType::NS, rrsig.type_covered);
+    assert_eq!(FQDN::ROOT, rrsig.fqdn);
+
+    Ok(())
+}
+
+// TODO Additional section
+// TODO TC bit

packages/conformance-tests/src/name_server/scenarios.rs

@@ -0,0 +1,23 @@
+use dns_test::client::{Client, DigSettings};
+use dns_test::name_server::NameServer;
+use dns_test::record::RecordType;
+use dns_test::{Network, Result, FQDN};
+
+#[test]
+fn authoritative_answer() -> Result<()> {
+    let network = &Network::new()?;
+    let ns = NameServer::new(&dns_test::subject(), FQDN::ROOT, network)?.start()?;
+
+    let client = Client::new(network)?;
+    let ans = client.dig(
+        DigSettings::default(),
+        ns.ipv4_addr(),
+        RecordType::SOA,
+        &FQDN::ROOT,
+    )?;
+
+    assert!(ans.status.is_noerror());
+    assert!(ans.flags.authoritative_answer);
+
+    Ok(())
+}

packages/conformance-tests/src/resolver/dns/scenarios.rs

@@ -1,10 +1,9 @@
 use std::net::Ipv4Addr;
 
 use dns_test::client::{Client, DigSettings};
-use dns_test::name_server::NameServer;
+use dns_test::name_server::{Graph, NameServer, Sign};
 use dns_test::record::{Record, RecordType};
-use dns_test::zone_file::Root;
-use dns_test::{Network, Resolver, Result, TrustAnchor, FQDN};
+use dns_test::{Network, Resolver, Result, FQDN};
 
 #[test]
 fn can_resolve() -> Result<()> {
@@ -13,34 +12,17 @@ fn can_resolve() -> Result<()> {
 
     let network = Network::new()?;
     let peer = dns_test::peer();
-    let mut root_ns = NameServer::new(&peer, FQDN::ROOT, &network)?;
-    let mut com_ns = NameServer::new(&peer, FQDN::COM, &network)?;
 
-    let mut nameservers_ns = NameServer::new(&peer, FQDN("nameservers.com.")?, &network)?;
-    nameservers_ns
-        .add(Record::a(root_ns.fqdn().clone(), root_ns.ipv4_addr()))
-        .add(Record::a(com_ns.fqdn().clone(), com_ns.ipv4_addr()))
-        .add(Record::a(needle_fqdn.clone(), expected_ipv4_addr));
-    let nameservers_ns = nameservers_ns.start()?;
+    let mut leaf_ns = NameServer::new(&peer, FQDN::NAMESERVERS, &network)?;
+    leaf_ns.add(Record::a(needle_fqdn.clone(), expected_ipv4_addr));
 
-    eprintln!("nameservers.com.zone:\n{}", nameservers_ns.zone_file());
+    let Graph {
+        nameservers: _nameservers,
+        root,
+        ..
+    } = Graph::build(leaf_ns, Sign::No)?;
 
-    com_ns.referral(
-        nameservers_ns.zone().clone(),
-        nameservers_ns.fqdn().clone(),
-        nameservers_ns.ipv4_addr(),
-    );
-    let com_ns = com_ns.start()?;
-
-    eprintln!("com.zone:\n{}", com_ns.zone_file());
-
-    root_ns.referral(FQDN::COM, com_ns.fqdn().clone(), com_ns.ipv4_addr());
-    let root_ns = root_ns.start()?;
-
-    eprintln!("root.zone:\n{}", root_ns.zone_file());
-
-    let roots = &[Root::new(root_ns.fqdn().clone(), root_ns.ipv4_addr())];
-    let resolver = Resolver::start(&dns_test::subject(), roots, &TrustAnchor::empty(), &network)?;
+    let resolver = Resolver::new(&network, root).start(&dns_test::subject())?;
     let resolver_ip_addr = resolver.ipv4_addr();
 
     let client = Client::new(&network)?;
@@ -66,27 +48,16 @@ fn nxdomain() -> Result<()> {
 
     let network = Network::new()?;
     let peer = dns_test::peer();
-    let mut root_ns = NameServer::new(&peer, FQDN::ROOT, &network)?;
-    let mut com_ns = NameServer::new(&peer, FQDN::COM, &network)?;
-
-    let mut nameservers_ns = NameServer::new(&peer, FQDN("nameservers.com.")?, &network)?;
-    nameservers_ns
-        .add(Record::a(root_ns.fqdn().clone(), root_ns.ipv4_addr()))
-        .add(Record::a(com_ns.fqdn().clone(), com_ns.ipv4_addr()));
-    let nameservers_ns = nameservers_ns.start()?;
-
-    com_ns.referral(
-        nameservers_ns.zone().clone(),
-        nameservers_ns.fqdn().clone(),
-        nameservers_ns.ipv4_addr(),
-    );
-    let com_ns = com_ns.start()?;
-
-    root_ns.referral(FQDN::COM, com_ns.fqdn().clone(), com_ns.ipv4_addr());
-    let root_ns = root_ns.start()?;
-
-    let roots = &[Root::new(root_ns.fqdn().clone(), root_ns.ipv4_addr())];
-    let resolver = Resolver::start(&dns_test::subject(), roots, &TrustAnchor::empty(), &network)?;
+
+    let leaf_ns = NameServer::new(&peer, FQDN::NAMESERVERS, &network)?;
+
+    let Graph {
+        nameservers: _nameservers,
+        root,
+        ..
+    } = Graph::build(leaf_ns, Sign::No)?;
+
+    let resolver = Resolver::new(&network, root).start(&dns_test::subject())?;
     let resolver_ip_addr = resolver.ipv4_addr();
 
     let client = Client::new(&network)?;

packages/conformance-tests/src/resolver/dnssec/rfc4035/section_4/section_4_1.rs

@@ -3,19 +3,15 @@ use dns_test::name_server::NameServer;
 use dns_test::record::RecordType;
 use dns_test::tshark::{Capture, Direction};
 use dns_test::zone_file::Root;
-use dns_test::{Network, Resolver, Result, TrustAnchor, FQDN};
+use dns_test::{Network, Resolver, Result, FQDN};
 
 #[test]
 #[ignore]
 fn edns_support() -> Result<()> {
     let network = &Network::new()?;
     let ns = NameServer::new(&dns_test::peer(), FQDN::ROOT, network)?.start()?;
-    let resolver = Resolver::start(
-        &dns_test::subject(),
-        &[Root::new(ns.fqdn().clone(), ns.ipv4_addr())],
-        &TrustAnchor::empty(),
-        network,
-    )?;
+    let resolver = Resolver::new(network, Root::new(ns.fqdn().clone(), ns.ipv4_addr()))
+        .start(&dns_test::subject())?;
 
     let mut tshark = resolver.eavesdrop()?;
 

packages/conformance-tests/src/resolver/dnssec/scenarios.rs

@@ -1,2 +1,3 @@
 mod bogus;
+mod ede;
 mod secure;

packages/conformance-tests/src/resolver/dnssec/scenarios/bogus.rs

@@ -2,10 +2,9 @@ use std::net::Ipv4Addr;
 
 use base64::prelude::*;
 use dns_test::client::{Client, DigSettings};
-use dns_test::name_server::NameServer;
+use dns_test::name_server::{Graph, NameServer, Sign};
 use dns_test::record::{Record, RecordType};
-use dns_test::zone_file::Root;
-use dns_test::{Network, Resolver, Result, TrustAnchor, FQDN};
+use dns_test::{Network, Resolver, Result, FQDN};
 
 #[ignore]
 #[test]
@@ -15,59 +14,41 @@ fn bad_signature_in_leaf_nameserver() -> Result<()> {
 
     let network = Network::new()?;
     let peer = dns_test::peer();
-    let mut root_ns = NameServer::new(&peer, FQDN::ROOT, &network)?;
-    let mut com_ns = NameServer::new(&peer, FQDN::COM, &network)?;
 
-    let mut nameservers_ns = NameServer::new(&peer, FQDN("nameservers.com.")?, &network)?;
-    nameservers_ns
-        .add(Record::a(root_ns.fqdn().clone(), root_ns.ipv4_addr()))
-        .add(Record::a(com_ns.fqdn().clone(), com_ns.ipv4_addr()))
-        .add(Record::a(needle_fqdn.clone(), expected_ipv4_addr));
-    let mut nameservers_ns = nameservers_ns.sign()?;
-
-    // fault injection: change the signature field of the RRSIG that covers the A record we'll query
-    let mut modified = 0;
-    for record in &mut nameservers_ns.signed_zone_file_mut().records {
-        if let Record::RRSIG(rrsig) = record {
-            if rrsig.fqdn == needle_fqdn {
-                let mut signature = BASE64_STANDARD.decode(&rrsig.signature)?;
-                let last = signature.last_mut().expect("empty signature");
-                *last = !*last;
-
-                rrsig.signature = BASE64_STANDARD.encode(&signature);
-                modified += 1;
+    let mut leaf_ns = NameServer::new(&peer, FQDN::NAMESERVERS, &network)?;
+    leaf_ns.add(Record::a(needle_fqdn.clone(), expected_ipv4_addr));
+
+    let Graph {
+        nameservers: _nameservers,
+        root,
+        trust_anchor,
+    } = Graph::build(
+        leaf_ns,
+        Sign::AndAmend(&|zone, records| {
+            if zone == &FQDN::NAMESERVERS {
+                let mut modified = 0;
+                for record in records {
+                    if let Record::RRSIG(rrsig) = record {
+                        if rrsig.fqdn == needle_fqdn {
+                            let mut signature = BASE64_STANDARD.decode(&rrsig.signature).unwrap();
+                            let last = signature.last_mut().expect("empty signature");
+                            *last = !*last;
+
+                            rrsig.signature = BASE64_STANDARD.encode(&signature);
+                            modified += 1;
+                        }
+                    }
+                }
+
+                assert_eq!(modified, 1, "sanity check");
             }
-        }
-    }
-    assert_eq!(modified, 1, "sanity check");
-
-    let nameservers_ds = nameservers_ns.ds().clone();
-    let nameservers_ns = nameservers_ns.start()?;
-
-    com_ns
-        .referral(
-            nameservers_ns.zone().clone(),
-            nameservers_ns.fqdn().clone(),
-            nameservers_ns.ipv4_addr(),
-        )
-        .add(nameservers_ds);
-    let com_ns = com_ns.sign()?;
-    let com_ds = com_ns.ds().clone();
-    let com_ns = com_ns.start()?;
-
-    root_ns
-        .referral(FQDN::COM, com_ns.fqdn().clone(), com_ns.ipv4_addr())
-        .add(com_ds);
-    let root_ns = root_ns.sign()?;
-    let root_ksk = root_ns.key_signing_key().clone();
-    let root_zsk = root_ns.zone_signing_key().clone();
-
-    let root_ns = root_ns.start()?;
-
-    let roots = &[Root::new(root_ns.fqdn().clone(), root_ns.ipv4_addr())];
+        }),
+    )?;
 
-    let trust_anchor = TrustAnchor::from_iter([root_ksk.clone(), root_zsk.clone()]);
-    let resolver = Resolver::start(&dns_test::subject(), roots, &trust_anchor, &network)?;
+    let trust_anchor = &trust_anchor.unwrap();
+    let resolver = Resolver::new(&network, root)
+        .trust_anchor(trust_anchor)
+        .start(&dns_test::subject())?;
     let resolver_addr = resolver.ipv4_addr();
 
     let client = Client::new(&network)?;