$SDIG $nameserver 5301 www.hijackme.example.net a recurse 2>&1
echo "==> host.lowercase-outgoing.example.net is served on ns.lowercase-outgoing.example.net, blocked by NS IP rule"
$SDIG $nameserver 5301 host.lowercase-outgoing.example.net a recurse 2>&1
+echo "==> capped-ttl.example.net TTL exceeds the maximum TTL for the zone"
+$SDIG $nameserver 5301 capped-ttl.example.net a recurse 2>&1
+echo "==> defpol-with-ttl.example.net should use the default policy's TTL and not the zone one"
+$SDIG $nameserver 5301 defpol-with-ttl.example.net a recurse 2>&1
+echo "==> defpol-with-ttl-capped.example.net should use the default policy's TTL, but capped to maxTTL"
+$SDIG $nameserver 5301 defpol-with-ttl-capped.example.net a recurse 2>&1
+echo "==> defpol-without-ttl.example.net should use the zone's TTL"
+$SDIG $nameserver 5301 defpol-without-ttl.example.net a recurse 2>&1
+echo "==> defpol-without-ttl-capped.example.net should use the zone's TTL but capped to maxTTL"
+$SDIG $nameserver 5301 defpol-without-ttl-capped.example.net a recurse 2>&1
+echo "==> unsupported.example.net has an unsupported target, should be ignored from the RPZ zone"
+$SDIG $nameserver 5301 unsupported.example.net a recurse 2>&1
+echo "==> unsupported2.example.net has an unsupported target, should be ignored from the RPZ zone"
+$SDIG $nameserver 5301 unsupported2.example.net a recurse 2>&1
+echo "==> not-rpz.example.net is _not_ an RPZ target and should be processed"
+$SDIG $nameserver 5301 not-rpz.example.net a recurse 2>&1
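Review bot: The eight new probes on L4–L19 each repeat the same `echo "==> …"` / `$SDIG $nameserver 5301 <name> a recurse 2>&1` pair, and the echo text doubles as the section marker that has to match the expected-output file byte for byte, so a small helper would keep name and description in lockstep: `probe() { echo "==> $1 $2"; $SDIG $nameserver 5301 "$1" a recurse 2>&1; }` called as `probe capped-ttl.example.net "TTL exceeds the maximum TTL for the zone"`. `$SDIG` and `$nameserver` are left unquoted to match the existing lines, presumably because `$SDIG` may carry options — worth a one-line comment at its definition, which is outside this hunk. The descriptions contain apostrophes (`policy's`), so the second argument must stay double-quoted.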
==> www.example.net RPZ local data to www2.example.net
Reply to question for qname='www.example.net.', qtype=A
Rcode: 0 (No Error), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
-0 www.example.net. IN CNAME 0 www2.example.net.
+0 www.example.net. IN CNAME 7200 www2.example.net.
0 www2.example.net. IN A 15 192.0.2.2
==> www4.example.net RPZ IP trigger action, dropped
==> trillian.example.net NXDOMAIN
==> host.lowercase-outgoing.example.net is served on ns.lowercase-outgoing.example.net, blocked by NS IP rule
Reply to question for qname='host.lowercase-outgoing.example.net.', qtype=A
Rcode: 3 (Non-Existent domain), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
+==> capped-ttl.example.net TTL exceeds the maximum TTL for the zone
+Reply to question for qname='capped-ttl.example.net.', qtype=A
+Rcode: 0 (No Error), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
+0 capped-ttl.example.net. IN A 5 192.0.2.35
+==> defpol-with-ttl.example.net should use the default policy's TTL and not the zone one
+Reply to question for qname='defpol-with-ttl.example.net.', qtype=A
+Rcode: 0 (No Error), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
+0 defpol-with-ttl.example.net. IN CNAME 10 default.example.net.
+0 default.example.net. IN A 15 192.0.2.42
+==> defpol-with-ttl-capped.example.net should use the default policy's TTL, but capped to maxTTL
+Reply to question for qname='defpol-with-ttl-capped.example.net.', qtype=A
+Rcode: 0 (No Error), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
+0 defpol-with-ttl-capped.example.net. IN CNAME 20 default.example.net.
+0 default.example.net. IN A 15 192.0.2.42
+==> defpol-without-ttl.example.net should use the zone's TTL
+Reply to question for qname='defpol-without-ttl.example.net.', qtype=A
+Rcode: 0 (No Error), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
+0 defpol-without-ttl.example.net. IN CNAME 7200 default.example.net.
+0 default.example.net. IN A 15 192.0.2.42
+==> defpol-without-ttl-capped.example.net should use the zone's TTL but capped to maxTTL
+Reply to question for qname='defpol-without-ttl-capped.example.net.', qtype=A
+Rcode: 0 (No Error), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
+0 defpol-without-ttl-capped.example.net. IN CNAME 50 default.example.net.
+0 default.example.net. IN A 15 192.0.2.42
+==> unsupported.example.net has an unsupported target, should be ignored from the RPZ zone
+Reply to question for qname='unsupported.example.net.', qtype=A
+Rcode: 3 (Non-Existent domain), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
+1 example.net. IN SOA 15 ns.example.net. hostmaster.example.net. 1 3600 1800 1209600 300
+==> unsupported2.example.net has an unsupported target, should be ignored from the RPZ zone
+Reply to question for qname='unsupported2.example.net.', qtype=A
+Rcode: 3 (Non-Existent domain), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
+1 example.net. IN SOA 15 ns.example.net. hostmaster.example.net. 1 3600 1800 1209600 300
+==> not-rpz.example.net is _not_ an RPZ target and should be processed
+Reply to question for qname='not-rpz.example.net.', qtype=A
+Rcode: 3 (Non-Existent domain), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
+0 not-rpz.example.net. IN CNAME 5 rpz-not.com.
www3.example.net. 3600 IN A 192.0.2.3
www4.example.net. 3600 IN A 192.0.2.4
www5.example.net. 3600 IN A 192.0.2.5
+default.example.net. 3600 IN A 192.0.2.42
weirdtxt.example.net. 3600 IN IN TXT "x\014x"
arthur.example.net. 3600 IN NS ns.arthur.example.net.
arthur.example.net. 3600 IN NS ns2.arthur.example.net.
cat > recursor-service3/config.lua <<EOF
rpzFile("$(pwd)/recursor-service3/rpz.zone", {policyName="myRPZ"})
rpzFile("$(pwd)/recursor-service3/rpz2.zone", {policyName="mySecondRPZ"})
+rpzFile("$(pwd)/recursor-service3/rpz3.zone", {policyName="cappedTTLRPZ", maxTTL=5})
+rpzFile("$(pwd)/recursor-service3/rpz4.zone", {policyName="defPolicyTTL", defpol=Policy.Custom, defcontent="default.example.net", defttl=10, maxTTL=20})
+rpzFile("$(pwd)/recursor-service3/rpz5.zone", {policyName="defPolicyCappedTTL", defpol=Policy.Custom, defcontent="default.example.net", defttl=50, maxTTL=20})
+rpzFile("$(pwd)/recursor-service3/rpz6.zone", {policyName="defPolicyWithoutTTL", defpol=Policy.Custom, defcontent="default.example.net"})
+rpzFile("$(pwd)/recursor-service3/rpz7.zone", {policyName="defPolicyWithoutTTLCapped", defpol=Policy.Custom, defcontent="default.example.net", maxTTL=50})
EOF
IFS=. read REV_PREFIX1 REV_PREFIX2 REV_PREFIX3 <<< $(echo $PREFIX) # This will bite us in the ass if we ever test on IPv6
EOF
+cat > recursor-service3/rpz3.zone <<EOF
+\$TTL 2h;
+\$ORIGIN domain.example.
+@ SOA $SOA
+@ NS ns.example.net.
+
+capped-ttl.example.net 50 IN A 192.0.2.35 ; exceeds the maxTTL setting
+unsupported.example.net 50 IN CNAME rpz-unsupported. ; unsupported target
+unsupported2.example.net 50 IN CNAME 32.3.2.0.192.rpz-unsupported. ; also unsupported target
+not-rpz.example.net 50 IN CNAME rpz-not.com. ; this one is not a special RPZ target
+
+EOF
+
+cat > recursor-service3/rpz4.zone <<EOF
+\$TTL 2h;
+\$ORIGIN domain.example.
+@ SOA $SOA
+@ NS ns.example.net.
+
+defpol-with-ttl.example.net 50 IN A 192.0.2.35 ; will be overriden by the default policy and the default TTL
+
+EOF
+
+cat > recursor-service3/rpz5.zone <<EOF
+\$TTL 2h;
+\$ORIGIN domain.example.
+@ SOA $SOA
+@ NS ns.example.net.
+
+defpol-with-ttl-capped.example.net 100 IN A 192.0.2.35 ; will be overriden by the default policy and the default TTL (but capped by maxTTL)
+
+EOF
+
+cat > recursor-service3/rpz6.zone <<EOF
+\$TTL 2h;
+\$ORIGIN domain.example.
+@ SOA $SOA
+@ NS ns.example.net.
+
+defpol-without-ttl.example.net A 192.0.2.35 ; will be overriden by the default policy, but with the zone's TTL
+
+EOF
+
+cat > recursor-service3/rpz7.zone <<EOF
+\$TTL 2h;
+\$ORIGIN domain.example.
+@ SOA $SOA
+@ NS ns.example.net.
+
+defpol-without-ttl-capped.example.net A 192.0.2.35 ; will be overriden by the default policy, but with the zone's TTL capped by maxTTL
+
+EOF
+
cat > recursor-service3/script.lua <<EOF
function prerpz(dq)
if dq.qname:equal('www5.example.net') then
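Review bot: The five zone heredocs on L85–L136 share an identical four-line preamble, and the copied `\$TTL 2h;` on L86/L99/L109/L119/L129 carries a stray `;` that turns the rest of the line into a zone-file comment — harmless here, but it reads as a typo replicated five times, as does "overriden" in the record comments on L104, L114, L124 and L134. Factoring the preamble into one function removes the duplication and gives a single place to document that `$SOA` must already be set (its definition is not in this hunk) and that the record names are written relative to the `$ORIGIN domain.example.` apex, which I take to be the RPZ convention the recursor strips — confirm against the loader. The `script.lua` heredoc that starts on L138 continues past the end of the hunk.
```shell
# Write an RPZ test zone with the shared preamble; $1 is the file name under
# recursor-service3/, the remaining arguments are one record each.
# Requires $SOA to be set by the caller.
write_rpz_zone() {
  local zone=$1; shift
  {
    printf '$TTL 2h\n$ORIGIN domain.example.\n@ SOA %s\n@ NS ns.example.net.\n\n' "$SOA"
    printf '%s\n' "$@"
  } > "recursor-service3/$zone"
}

write_rpz_zone rpz3.zone \
  'capped-ttl.example.net 50 IN A 192.0.2.35 ; exceeds the maxTTL setting' \
  'unsupported.example.net 50 IN CNAME rpz-unsupported. ; unsupported target' \
  'unsupported2.example.net 50 IN CNAME 32.3.2.0.192.rpz-unsupported. ; also unsupported target' \
  'not-rpz.example.net 50 IN CNAME rpz-not.com. ; this one is not a special RPZ target'
# … unchanged: rpz4–rpz7 written the same way with their single record each …
```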