; config options
server:
	answer-cookie: yes
	cookie-secret: "000102030405060708090a0b0c0d0e0f"
	access-control: 127.0.0.1 allow_cookie
	access-control: 1.2.3.4 allow
	local-data: "test. TXT test"

CONFIG_END

SCENARIO_BEGIN Test downstream DNS Cookies

; Note: When a valid hash was required, it was generated by running this test
; with an invalid one and checking the output for the valid one.
; Actual hash generation is tested with unit tests.

; Query without a client cookie ...
STEP 0 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
ENTRY_END
; ... get TC and refused
STEP 1 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA TC REFUSED
SECTION QUESTION
test. IN TXT
ENTRY_END

; Query without a client cookie on TCP ...
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD
MATCH TCP
SECTION QUESTION
test. IN TXT
ENTRY_END
; ... get an answer
STEP 11 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AA NOERROR
SECTION QUESTION
test. IN TXT
SECTION ANSWER
test. IN TXT "test"
ENTRY_END

; Query with only a client cookie ...
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
	00 0a				; Opcode 10
	00 08				; Length 8
	31 32 33 34 35 36 37 38		; Random bits
HEX_EDNSDATA_END
ENTRY_END
; ... get BADCOOKIE and a new cookie
STEP 21 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA DO YXRRSET ; BADCOOKIE is an extended rcode
SECTION QUESTION
test. IN TXT
ENTRY_END

; Query with an invalid cookie ...
STEP 30 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
	00 0a				; Opcode 10
	00 18				; Length 24
	31 32 33 34 35 36 37 38		; Random bits
	02 00 00 00			; wrong version
	00 00 00 00			; Timestamp
	31 32 33 34 35 36 37 38		; wrong hash
HEX_EDNSDATA_END
ENTRY_END
; ... get BADCOOKIE and a new cookie
STEP 31 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA DO YXRRSET ; BADCOOKIE is an extended rcode
SECTION QUESTION
test. IN TXT
ENTRY_END

; Query with an invalid cookie from a non-cookie protected address ...
STEP 40 QUERY ADDRESS 1.2.3.4
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
	00 0a				; Opcode 10
	00 18				; Length 24
	31 32 33 34 35 36 37 38		; Random bits
	02 00 00 00			; wrong version
	00 00 00 00			; Timestamp
	31 32 33 34 35 36 37 38		; wrong hash
HEX_EDNSDATA_END
ENTRY_END
; ... get answer and a cookie
STEP 41 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA AA DO NOERROR
SECTION QUESTION
test. IN TXT
SECTION ANSWER
test. IN TXT "test"
ENTRY_END

; Query with a valid cookie ...
STEP 50 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
	00 0a				; Opcode 10
	00 18				; Length 24
	31 32 33 34 35 36 37 38		; Random bits
	01 00 00 00			; Version/Reserved
	00 00 00 00			; Timestamp
	38 52 7b a8 c6 a4 ea 96		; Hash
HEX_EDNSDATA_END
ENTRY_END
; ... get answer and the cookie
STEP 51 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA AA DO NOERROR
SECTION QUESTION
test. IN TXT
SECTION ANSWER
test. IN TXT "test"
ENTRY_END

; Query with a valid >30 minutes old cookie ...
STEP 59 TIME_PASSES ELAPSE 1801
STEP 60 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
	00 0a				; Opcode 10
	00 18				; Length 24
	31 32 33 34 35 36 37 38		; Random bits
	01 00 00 00			; Version/Reserved
	00 00 00 00			; Timestamp
	38 52 7b a8 c6 a4 ea 96		; Hash
HEX_EDNSDATA_END
ENTRY_END
; ... Get answer and a refreshed cookie
; (we don't check the re-freshness here; it has its own unit test)
STEP 61 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA AA DO NOERROR
SECTION QUESTION
test. IN TXT
SECTION ANSWER
test. IN TXT "test"
ENTRY_END

; Query with a hash-valid >60 minutes old cookie ...
STEP 69 TIME_PASSES ELAPSE 3601
STEP 70 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
	00 0a				; Opcode 10
	00 18				; Length 24
	31 32 33 34 35 36 37 38		; Random bits
	01 00 00 00			; Version/Reserved
	00 00 07 09			; Timestamp (1801)
	77 81 38 e3 8f aa 72 86		; Hash
HEX_EDNSDATA_END
ENTRY_END
; ... get BADCOOKIE and a new cookie
STEP 71 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA DO YXRRSET ; BADCOOKIE is an extended rcode
SECTION QUESTION
test. IN TXT
ENTRY_END

; Query with a valid future (<5 minutes) cookie ...
STEP 80 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
	00 0a				; Opcode 10
	00 18				; Length 24
	31 32 33 34 35 36 37 38		; Random bits
	01 00 00 00			; Version/Reserved
	00 00 16 45			; Timestamp (1801 + 3601 + 299)
	4a f5 0f df f0 e8 c7 09		; Hash
HEX_EDNSDATA_END
ENTRY_END
; ... get an answer
STEP 81 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA AA DO NOERROR
SECTION QUESTION
test. IN TXT
SECTION ANSWER
test. IN TXT "test"
ENTRY_END

SCENARIO_END
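
; Added example, not part of the original test file or of the server's own code:
; a Python model of the length, version and timestamp-window checks that the steps
; above exercise. The names cookie_state and expected_reply and the state labels are
; assumptions made for this sketch; hash verification is deliberately left out.

```python
import struct

REFRESH_AFTER = 1800  # older than 30 min: accepted, server hands out a fresh cookie
EXPIRE_AFTER = 3600   # older than 60 min: rejected
FUTURE_SLACK = 300    # up to 5 min ahead of the server clock is accepted

def cookie_state(edns: bytes, now: int) -> str:
    """Classify a raw EDNS option as none/client_only/invalid/out_of_window/renew/valid."""
    if not edns:
        return "none"
    if len(edns) < 4:
        return "invalid"
    code, length = struct.unpack("!HH", edns[:4])
    data = edns[4:]
    # Only the two layouts used in the scenario are handled: 8 and 24 bytes.
    if code != 10 or len(data) != length or length not in (8, 24):
        return "invalid"
    if length == 8:
        return "client_only"
    version, _reserved, timestamp = struct.unpack("!B3sI", data[8:16])
    if version != 1:
        return "invalid"
    # A real server also recomputes the 8-byte hash in data[16:24] with its
    # cookie-secret and rejects a mismatch; that check is left out here.
    age = now - timestamp
    if age > EXPIRE_AFTER or age < -FUTURE_SLACK:
        return "out_of_window"
    return "renew" if age > REFRESH_AFTER else "valid"

def expected_reply(state: str, cookie_required: bool, tcp: bool = False) -> str:
    """Reply the scenario checks for; cookie_required models allow_cookie vs allow."""
    if not cookie_required or state in ("valid", "renew"):
        return "NOERROR"
    if state == "none":
        return "NOERROR" if tcp else "TC+REFUSED"
    return "BADCOOKIE"  # TCP with a bad cookie is not in the scenario (assumed same)

if __name__ == "__main__":
    # Constructed from STEP 70: timestamp 1801, server clock 1801 + 3601.
    step70 = bytes.fromhex("000a0018" "3132333435363738" "01000000" "00000709" "778138e38faa7286")
    state = cookie_state(step70, now=1801 + 3601)
    print(state, expected_reply(state, cookie_required=True))
```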