X-Git-Url: http://git.bitcoin.ninja/index.cgi?a=blobdiff_plain;f=src%2Fquery.rs;h=4fca659cfb7ae8fb84da12ab60b76c1d5257ff5d;hb=99c90e3e3a77d431e3c6b7149aa43f93a793f579;hp=07954b3cb9fccc348803c00a5c229b20be1eca76;hpb=929508e7c1c0e0fd0f8503893cd324fd2199f5fd;p=dnssec-prover diff --git a/src/query.rs b/src/query.rs index 07954b3..4fca659 100644 --- a/src/query.rs +++ b/src/query.rs @@ -183,6 +183,11 @@ const MAX_REQUESTS: usize = 10; /// [`ProofBuilder::process_response`] should be called, and each fresh query returned should be /// sent to the resolver. Once [`ProofBuilder::awaiting_responses`] returns false, /// [`ProofBuilder::finish_proof`] should be called to fetch the resulting proof. +/// +/// To build a DNSSEC proof using a DoH server, take each [`QueryBuf`], encode it as base64url, and +/// make a query to `https://doh-server/endpoint?dns=base64url_encoded_query` with an `Accept` +/// header of `application/dns-message`. Each response, in raw binary, can be fed directly into +/// [`ProofBuilder::process_response`]. pub struct ProofBuilder { proof: Vec, min_ttl: u32, @@ -481,7 +486,7 @@ mod tests { fn test_cname_query() { for resolver in ["1.1.1.1:53", "8.8.8.8:53", "9.9.9.9:53"] { let sockaddr = resolver.to_socket_addrs().unwrap().next().unwrap(); - let query_name = "cname_test.matcorallo.com.".try_into().unwrap(); + let query_name = "cname_test.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(); let (proof, _) = build_txt_proof(sockaddr, &query_name).unwrap(); let mut rrs = parse_rr_stream(&proof).unwrap(); @@ -496,7 +501,7 @@ mod tests { let resolved_rrs = verified_rrs.resolve_name(&query_name); assert_eq!(resolved_rrs.len(), 1); if let RR::Txt(txt) = &resolved_rrs[0] { - assert_eq!(txt.name.as_str(), "txt_test.matcorallo.com."); + assert_eq!(txt.name.as_str(), "txt_test.dnssec_proof_tests.bitcoin.ninja."); assert_eq!(txt.data, b"dnssec_prover_test"); } else { panic!(); } } @@ -527,7 +532,7 @@ mod tests { async fn test_cross_domain_cname_query_async() { for resolver in ["1.1.1.1:53", "8.8.8.8:53", "9.9.9.9:53"] { let sockaddr = resolver.to_socket_addrs().unwrap().next().unwrap(); - let query_name = "wildcard.x_domain_cname_wild.matcorallo.com.".try_into().unwrap(); + let query_name = "wildcard.x_domain_cname_wild.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(); let (proof, _) = build_txt_proof_async(sockaddr, &query_name).await.unwrap(); let mut rrs = parse_rr_stream(&proof).unwrap(); @@ -547,4 +552,31 @@ mod tests { } else { panic!(); } } } + + #[cfg(feature = "tokio")] + #[tokio::test] + async fn test_dname_wildcard_query_async() { + for resolver in ["1.1.1.1:53", "8.8.8.8:53", "9.9.9.9:53"] { + let sockaddr = resolver.to_socket_addrs().unwrap().next().unwrap(); + let query_name = "wildcard_a.wildcard_b.dname_test.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(); + let (proof, _) = build_txt_proof_async(sockaddr, &query_name).await.unwrap(); + + let mut rrs = parse_rr_stream(&proof).unwrap(); + rrs.shuffle(&mut rand::rngs::OsRng); + let verified_rrs = verify_rr_stream(&rrs).unwrap(); + assert_eq!(verified_rrs.verified_rrs.len(), 3); + + let now = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap().as_secs(); + assert!(verified_rrs.valid_from < now); + assert!(verified_rrs.expires > now); + + let resolved_rrs = verified_rrs.resolve_name(&query_name); + assert_eq!(resolved_rrs.len(), 1); + if let RR::Txt(txt) = &resolved_rrs[0] { + assert_eq!(txt.name.as_str(), "cname.wildcard_test.dnssec_proof_tests.bitcoin.ninja."); + assert_eq!(txt.data, b"wildcard_test"); + } else { panic!(); } + } + } + }