Check that missing cookies are handled

(cherry picked from commit bd9155590ec34c27f1af1d00d09791292309064c)

diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common
index 175fbc5d07c4e2d87e68bdb63dc2a38abbe45ff2..65fce6267e6a3684c161772c3269acc8b2fde501 100644 (file)
--- a/bin/tests/system/conf.sh.common
+++ b/bin/tests/system/conf.sh.common
@@ -53,25 +53,95 @@ SEQUENTIAL_COMMON="ecdsa eddsa tkey"
 # parallelism.
 #
 PARALLEL_COMMON="dnssec rpzrecurse serve-stale \
-       acl additional addzone allow-query auth autosign \
-       builtin cacheclean case catz cds chain \
-       checkconf checknames checkzone \
-       cookie database digdelv dlz dlzexternal \
-       dns64 dscp dsdigest dyndb \
-       ednscompliance emptyzones \
-       fetchlimit filter-aaaa formerr forward \
-       geoip2 glue idna inline integrity ixfr \
-       kasp keepalive legacy limits \
-       masterfile masterformat metadata mirror mkeys \
-       names notify nsec3 nslookup nsupdate nzd2nzf \
-       padding pending pipelined qmin \
-       reclimit redirect resolver rndc rootkeysentinel rpz \
-       rrchecker rrl rrsetorder rsabigexponent runtime \
-       sfcache shutdown smartsign sortlist \
-       spf staticstub statistics statschannel stub synthfromdnssec \
-       tcp tools tsig tsiggss ttl \
-       unknown upforwd verify views wildcard \
-       xfer xferquota zero zonechecks"
+acl \
+additional \
+addzone \
+allow-query \
+auth \
+autosign \
+builtin \
+cacheclean \
+case \
+catz \
+cds \
+chain \
+checkconf \
+checknames \
+checkzone \
+database \
+digdelv \
+dlz \
+dlzexternal \
+dns64 \
+dscp \
+dsdigest \
+dyndb \
+ednscompliance \
+emptyzones \
+fetchlimit \
+filter-aaaa \
+formerr \
+forward \
+geoip2 \
+glue \
+idna \
+inline \
+integrity \
+ixfr \
+kasp \
+keepalive \
+legacy \
+limits \
+masterfile \
+masterformat \
+metadata \
+mirror \
+mkeys \
+names \
+notify \
+nsec3 \
+nslookup \
+nsupdate \
+nzd2nzf \
+padding \
+pending \
+pipelined \
+qmin \
+reclimit \
+redirect \
+resolver \
+rndc \
+rootkeysentinel \
+rpz \
+rrchecker \
+rrl \
+rrsetorder \
+rsabigexponent \
+runtime \
+sfcache \
+shutdown \
+smartsign \
+sortlist \
+spf \
+staticstub \
+statistics \
+statschannel \
+stub \
+synthfromdnssec \
+tcp \
+tools \
+tsig \
+tsiggss \
+ttl \
+unknown \
+upforwd \
+verify \
+views \
+wildcard \
+xfer \
+xferquota \
+zero \
+zonechecks"
 
 #
 # Set up color-coded test output

diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 7ffe5ff2a2b9e8a9ae5c99d5000e23856e1ce63c..5967425c8b65d61c578fb971b560a07cfa3a420b 100644 (file)
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -83,7 +83,7 @@ KRB5_CONFIG=/dev/null
 SEQUENTIAL_UNIX="@PKCS11_TEST@"
 SEQUENTIALDIRS="$SEQUENTIAL_COMMON $SEQUENTIAL_UNIX"
 
-PARALLEL_UNIX="@CHECKDS@ @COVERAGE@ @DNSTAP@ @KEYMGR@ logfileconfig"
+PARALLEL_UNIX="@CHECKDS@ @COVERAGE@ @DNSTAP@ @KEYMGR@ cookie logfileconfig"
 PARALLELDIRS="$PARALLEL_COMMON $PARALLEL_UNIX"
 
 SUBDIRS="$SEQUENTIALDIRS $PARALLELDIRS"

diff --git a/bin/tests/system/cookie/.gitignore b/bin/tests/system/cookie/.gitignore
deleted file mode 100644 (file)
index eee491d..0000000
--- a/bin/tests/system/cookie/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-prereq.sh

diff --git a/bin/tests/system/cookie/ans9/ans.py b/bin/tests/system/cookie/ans9/ans.py
new file mode 100644 (file)
index 0000000..b454fc8
--- /dev/null
+++ b/bin/tests/system/cookie/ans9/ans.py
@@ -0,0 +1,277 @@
+############################################################################
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+############################################################################
+
+from __future__ import print_function
+import os
+import sys
+import signal
+import socket
+import select
+from datetime import datetime, timedelta
+import time
+import functools
+
+import dns
+import dns.edns
+import dns.flags
+import dns.message
+import dns.query
+import dns.tsig
+import dns.tsigkeyring
+import dns.version
+
+from dns.edns import *
+from dns.name import *
+from dns.rcode import *
+from dns.rdataclass import *
+from dns.rdatatype import *
+from dns.tsig import *
+
+# Log query to file
+def logquery(type, qname):
+    with open("qlog", "a") as f:
+        f.write("%s %s\n", type, qname)
+
+# DNS 2.0 keyring specifies the algorithm
+try:
+    keyring = dns.tsigkeyring.from_text({ "foo" : {
+                                                   "hmac-sha256",
+                                                   "aaaaaaaaaaaa"
+                                                  } ,
+                                          "fake" : {
+                                                   "hmac-sha256",
+                                                   "aaaaaaaaaaaa"
+                                                  }
+                                         })
+except:
+    keyring = dns.tsigkeyring.from_text({ "foo" : "aaaaaaaaaaaa",
+                                           "fake" : "aaaaaaaaaaaa" })
+
+dopass2 = False
+
+############################################################################
+#
+# This server will serve valid and spoofed answers. A spoofed answer will
+# have the address 10.53.0.10 included.
+#
+# When receiving a query over UDP:
+#
+# A query to "nocookie"/A will result in a spoofed answer with no cookie set.
+# A query to "tcponly"/A will result in a spoofed answer with no cookie set.
+# A query to "withtsig"/A will result in two responses, the first is a spoofed
+# answer that is TSIG signed, the second is a valid answer with a cookie set.
+# A query to anything else will result in a valid answer with a cookie set.
+#
+# When receiving a query over TCP:
+#
+# A query to "nocookie"/A will result in a valid answer with no cookie set.
+# A query to anything else will result in a valid answer with a cookie set.
+#
+############################################################################
+def create_response(msg, tcp, first, ns10):
+    global dopass2
+    m = dns.message.from_wire(msg, keyring=keyring)
+    qname = m.question[0].name.to_text()
+    lqname = qname.lower()
+    labels = lqname.split('.')
+    rrtype = m.question[0].rdtype
+    typename = dns.rdatatype.to_text(rrtype)
+
+    with open("query.log", "a") as f:
+        f.write("%s %s\n" % (typename, qname))
+        print("%s %s" % (typename, qname), end=" ")
+
+    r = dns.message.make_response(m)
+    r.set_rcode(NOERROR)
+    if rrtype == A:
+        # exempt potential nameserver A records.
+        if labels[0] == "ns" and ns10:
+            r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.10"))
+        else:
+            r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.9"))
+        if not tcp and labels[0] == "nocookie":
+            r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.10"))
+        if not tcp and labels[0] == "tcponly":
+            r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.10"))
+        if first and not tcp and labels[0] == "withtsig":
+            r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.10"))
+            dopass2 = True
+    elif rrtype == NS:
+        r.answer.append(dns.rrset.from_text(qname, 1, IN, NS, "."))
+    elif rrtype == SOA:
+        r.answer.append(dns.rrset.from_text(qname, 1, IN, SOA, ". . 0 0 0 0 0"))
+    else:
+        r.authority.append(dns.rrset.from_text(qname, 1, IN, SOA, ". . 0 0 0 0 0"))
+    # Add a server cookie to the response
+    if labels[0] != "nocookie":
+        for o in m.options:
+            if o.otype == 10: # Use 10 instead of COOKIE
+                 if first and labels[0] == "withtsig" and not tcp:
+                     r.use_tsig(keyring = keyring,
+                                keyname = dns.name.from_text("fake"),
+                                algorithm = HMAC_SHA256)
+                 elif labels[0] != "tcponly" or tcp:
+                     cookie = o
+                     if len(o.data) == 8:
+                         cookie.data = o.data + o.data
+                     else:
+                         cookie.data = o.data
+                     r.use_edns(options=[cookie])
+    r.flags |= dns.flags.AA
+    return r
+
+def sigterm(signum, frame):
+    print ("Shutting down now...")
+    os.remove('ans.pid')
+    running = False
+    sys.exit(0)
+
+############################################################################
+# Main
+#
+# Set up responder and control channel, open the pid file, and start
+# the main loop, listening for queries on the query channel or commands
+# on the control channel and acting on them.
+############################################################################
+ip4_addr1 = "10.53.0.9"
+ip4_addr2 = "10.53.0.10"
+ip6_addr1 = "fd92:7065:b8e:ffff::9"
+ip6_addr2 = "fd92:7065:b8e:ffff::10"
+
+try: port=int(os.environ['PORT'])
+except: port=5300
+
+query4_udp1 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+query4_udp1.bind((ip4_addr1, port))
+query4_tcp1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+query4_tcp1.bind((ip4_addr1, port))
+query4_tcp1.listen(1)
+query4_tcp1.settimeout(1)
+
+query4_udp2 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+query4_udp2.bind((ip4_addr2, port))
+query4_tcp2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+query4_tcp2.bind((ip4_addr2, port))
+query4_tcp2.listen(1)
+query4_tcp2.settimeout(1)
+
+havev6 = True
+query6_udp1 = None
+query6_udp2 = None
+query6_tcp1 = None
+query6_tcp2 = None
+try:
+    query6_udp1 = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
+    query6_udp1.bind((ip6_addr1, port))
+    query6_tcp1 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
+    query6_tcp1.bind((ip6_addr1, port))
+    query6_tcp1.listen(1)
+    query6_tcp1.settimeout(1)
+
+    query6_udp2 = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
+    query6_udp2.bind((ip6_addr2, port))
+    query6_tcp2 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
+    query6_tcp2.bind((ip6_addr2, port))
+    query6_tcp2.listen(1)
+    query6_tcp2.settimeout(1)
+except:
+    if query6_udp1 != None:
+        query6_udp1.close()
+    if query6_tcp1 != None:
+        query6_tcp1.close()
+    if query6_udp2 != None:
+        query6_udp2.close()
+    if query6_tcp2 != None:
+        query6_tcp2.close()
+    havev6 = False
+
+signal.signal(signal.SIGTERM, sigterm)
+
+f = open('ans.pid', 'w')
+pid = os.getpid()
+print (pid, file=f)
+f.close()
+
+running = True
+
+print ("Using DNS version %s" % dns.version.version)
+print ("Listening on %s port %d" % (ip4_addr1, port))
+print ("Listening on %s port %d" % (ip4_addr2, port))
+if havev6:
+    print ("Listening on %s port %d" % (ip6_addr1, port))
+    print ("Listening on %s port %d" % (ip6_addr2, port))
+print ("Ctrl-c to quit")
+
+if havev6:
+    input = [query4_udp1, query6_udp1, query4_tcp1, query6_tcp1,
+             query4_udp2, query6_udp2, query4_tcp2, query6_tcp2]
+else:
+    input = [query4_udp1, query4_tcp1, query4_udp2, query4_tcp2]
+
+while running:
+    try:
+        inputready, outputready, exceptready = select.select(input, [], [])
+    except select.error as e:
+        break
+    except socket.error as e:
+        break
+    except KeyboardInterrupt:
+        break
+
+    for s in inputready:
+        ns10 = False
+        if s == query4_udp1 or s == query6_udp1 or \
+           s == query4_udp2 or s == query6_udp2:
+            if s == query4_udp1 or s == query6_udp1:
+                print ("UDP Query received on %s" %
+                       (ip4_addr1 if s == query4_udp1 else ip6_addr1), end=" ")
+            if s == query4_udp2 or s == query6_udp2:
+                print ("UDP Query received on %s" %
+                       (ip4_addr2 if s == query4_udp2 else ip6_addr2), end=" ")
+                ns10 = True
+            # Handle incoming queries
+            msg = s.recvfrom(65535)
+            dopass2 = False
+            rsp = create_response(msg[0], False, True, ns10)
+            print(dns.rcode.to_text(rsp.rcode()))
+            s.sendto(rsp.to_wire(), msg[1])
+            if dopass2:
+                print ("Sending second UDP response without TSIG", end=" ")
+                rsp = create_response(msg[0], False, False, ns10)
+                s.sendto(rsp.to_wire(), msg[1])
+                print(dns.rcode.to_text(rsp.rcode()))
+
+        if s == query4_tcp1 or s == query6_tcp1 or \
+           s == query4_tcp2 or s == query6_tcp2:
+            try:
+                (cs, _) = s.accept()
+                if s == query4_tcp1 or s == query6_tcp1:
+                    print ("TCP Query received on %s" %
+                           (ip4_addr1 if s == query4_tcp1 else ip6_addr1), end=" ")
+                if s == query4_tcp2 or s == query6_tcp2:
+                    print ("TCP Query received on %s" %
+                           (ip4_addr2 if s == query4_tcp2 else ip6_addr2), end=" ")
+                    ns10 = True
+                # get TCP message length
+                buf = cs.recv(2)
+                length = struct.unpack('>H', buf[:2])[0]
+                # grep DNS message
+                msg = cs.recv(length)
+                rsp = create_response(msg, True, True, ns10)
+                print(dns.rcode.to_text(rsp.rcode()))
+                wire = rsp.to_wire()
+                cs.send(struct.pack('>H', len(wire)))
+                cs.send(wire)
+                cs.close()
+            except s.timeout:
+                pass
+    if not running:
+        break

diff --git a/bin/tests/system/cookie/clean.sh b/bin/tests/system/cookie/clean.sh
index c2624a675c7ea62bde0f3316df6565031ae91460..baa2a376312dfe3734ac92cb132192558ee1236b 100644 (file)
--- a/bin/tests/system/cookie/clean.sh
+++ b/bin/tests/system/cookie/clean.sh
@@ -9,9 +9,12 @@
 
 rm -f ns*/named.conf
 rm -f dig.out.*
+rm -f named.run.*
 rm -f rndc.out.*
 rm -f ns1/named_dump.db*
 rm -f ns*/named.memstats
 rm -f ns*/named.run
 rm -f ns*/named.lock
 rm -f ns*/managed-keys.bind*
+rm -f ns*/named.run.prev
+rm -f ans*/ans.run ans*/ans.log ans*/query.log

diff --git a/bin/tests/system/cookie/ns1/named.conf.in b/bin/tests/system/cookie/ns1/named.conf.in
index 4d23c0eaad0e06d2f4bff01f6cddeeb3079e93c8..bbbfd608876bca6f7c125807d486eaf942f74f4f 100644 (file)
--- a/bin/tests/system/cookie/ns1/named.conf.in
+++ b/bin/tests/system/cookie/ns1/named.conf.in
@@ -14,6 +14,15 @@ key rndc_key {
        algorithm hmac-sha256;
 };
 
+key foo {
+       secret "aaaaaaaaaaaa";
+       algorithm hmac-sha256;
+};
+
+server 10.53.0.10 {
+       keys foo;
+};
+
 controls {
        inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };

diff --git a/bin/tests/system/cookie/ns2/root.db b/bin/tests/system/cookie/ns2/root.db
index 96410eeffd3014c140d4829c9ed7fc7e9c576285..d0cea9acd99ffb6274bf80fcb45289fd371fbf03 100644 (file)
--- a/bin/tests/system/cookie/ns2/root.db
+++ b/bin/tests/system/cookie/ns2/root.db
@@ -20,3 +20,7 @@ large.xxx TXT ( large large large large large large large large
                  large large large large large large large large
                  large large large large large large large large
                  large large large large large large large large )
+tld.   NS      ns.tld.
+ns.tld A       10.53.0.9
+tsig.  NS      ns.tsig.
+ns.tsig        A       10.53.0.10

diff --git a/bin/tests/system/cookie/prereq.sh b/bin/tests/system/cookie/prereq.sh
new file mode 100644 (file)
index 0000000..041dc97
--- /dev/null
+++ b/bin/tests/system/cookie/prereq.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+if test -n "$PYTHON"
+then
+    if $PYTHON -c "import dns" 2> /dev/null
+    then
+        :
+    else
+        echo_i "This test requires the dnspython module." >&2
+        exit 1
+    fi
+else
+    echo_i "This test requires Python and the dnspython module." >&2
+    exit 1
+fi
+
+exit 0

diff --git a/bin/tests/system/cookie/tests.sh b/bin/tests/system/cookie/tests.sh
index 0633a9242e2b1eb6623074102ca10e9db8baabed..d01a8d5e4b9b8d0b57f3b490995a4d0fc66e2477 100755 (executable)
--- a/bin/tests/system/cookie/tests.sh
+++ b/bin/tests/system/cookie/tests.sh
@@ -303,5 +303,211 @@ grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo_i "check that test server is correctly configured ($n)"
+ret=0
+pat="; COOKIE: ................................ (good)"
+#UDP
+$DIG $DIGOPTS @10.53.0.9 +notcp tld > dig.out.test$n.1
+grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
+grep "$pat" dig.out.test$n.1 > /dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.1 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.1 > /dev/null && ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
+
+$DIG $DIGOPTS @10.53.0.9 +notcp tcponly.tld > dig.out.test$n.2
+grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
+grep "; COOKIE:" dig.out.test$n.2 > /dev/null && ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null  || ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
+
+$DIG $DIGOPTS @10.53.0.9 +notcp nocookie.tld > dig.out.test$n.3
+grep "status: NOERROR" dig.out.test$n.3 > /dev/null || ret=1
+grep "; COOKIE:" dig.out.test$n.3 > /dev/null && ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.3 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.3 > /dev/null  || ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
+
+$DIG $DIGOPTS @10.53.0.9 +notcp withtsig.tld > dig.out.test$n.4
+grep "status: NOERROR" dig.out.test$n.4 > /dev/null || ret=1
+grep "; COOKIE:" dig.out.test$n.4 > /dev/null && ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.4 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.4 > /dev/null || ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.4 > /dev/null || ret=1
+
+#TCP
+$DIG $DIGOPTS @10.53.0.9 +tcp tld > dig.out.test$n.5
+grep "status: NOERROR" dig.out.test$n.5 > /dev/null || ret=1
+grep "$pat" dig.out.test$n.5 > /dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.5 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.5 > /dev/null && ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
+
+$DIG $DIGOPTS @10.53.0.9 +tcp tcponly.tld > dig.out.test$n.6
+grep "status: NOERROR" dig.out.test$n.6 > /dev/null || ret=1
+grep "$pat" dig.out.test$n.6 > /dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.6 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.6 > /dev/null && ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
+
+$DIG $DIGOPTS @10.53.0.9 +tcp nocookie.tld > dig.out.test$n.7
+grep "status: NOERROR" dig.out.test$n.7 > /dev/null || ret=1
+grep "; COOKIE:" dig.out.test$n.7 > /dev/null && ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.7 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.7 > /dev/null && ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
+
+$DIG $DIGOPTS @10.53.0.9 +tcp withtsig.tld > dig.out.test$n.8
+grep "status: NOERROR" dig.out.test$n.8 > /dev/null || ret=1
+grep "$pat" dig.out.test$n.8 > /dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.8 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.8 > /dev/null && ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.8 > /dev/null && ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that spoofed response is dropped when we have a server cookie ($n)"
+ret=0
+msg="missing expected cookie from"
+pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
+# prime EDNS COOKIE state
+$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1
+grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
+rndc_dumpdb ns1
+grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
+# spoofed response contains 10.53.0.10
+nextpart ns1/named.run >/dev/null
+$DIG $DIGOPTS @10.53.0.1 tcponly.tld > dig.out.test$n.2
+wait_for_log 5 "$msg" ns1/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that gracefully handle server disabling DNS COOKIE we have a server cookie ($n)"
+ret=0
+msg="missing expected cookie from"
+pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
+# prime EDNS COOKIE state
+$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1
+grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
+rndc_dumpdb ns1
+grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
+# check the disabled server response
+nextpart ns1/named.run >/dev/null
+$DIG $DIGOPTS @10.53.0.1 nocookie.tld > dig.out.test$n.2
+wait_for_log 5 "$msg" ns1/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that spoofed response with a TSIG is dropped when we have a server cookie ($n)"
+ret=0
+pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
+# prime EDNS COOKIE state
+$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1
+grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
+rndc_dumpdb ns1
+grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
+# spoofed response contains 10.53.0.10
+nextpart ns1/named.run >/dev/null
+$DIG $DIGOPTS @10.53.0.1 withtsig.tld > dig.out.test$n.2
+grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1
+nextpart ns1/named.run > named.run.test$n
+count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n)
+test $count -eq 1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+if $PYTHON -c '
+import dns.version, sys;
+if dns.version.MAJOR > 1: sys.exit(0);
+if dns.version.MAJOR == 1 and dns.version.MINOR >= 16: sys.exit(0);
+sys.exit(1)'
+then
+  n=`expr $n + 1`
+  echo_i "check that TSIG test server is correctly configured ($n)"
+  ret=0
+  pat="; COOKIE: ................................ (good)"
+  key=hmac-sha256:foo:aaaaaaaaaaaa
+  #UDP
+  $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tsig. > dig.out.test$n.1
+  grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
+  grep "$pat" dig.out.test$n.1 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.9' dig.out.test$n.1 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.10' dig.out.test$n.1 > /dev/null && ret=1
+  grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
+
+  $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tcponly.tsig > dig.out.test$n.2
+  grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
+  grep "; COOKIE:" dig.out.test$n.2 > /dev/null && ret=1
+  grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null  || ret=1
+  grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
+
+  $DIG $DIGOPTS @10.53.0.10 -y $key +notcp nocookie.tsig > dig.out.test$n.3
+  grep "status: NOERROR" dig.out.test$n.3 > /dev/null || ret=1
+  grep "; COOKIE:" dig.out.test$n.3 > /dev/null && ret=1
+  grep 'A.10\.53\.0\.9' dig.out.test$n.3 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.10' dig.out.test$n.3 > /dev/null  || ret=1
+  grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
+
+  #TCP
+  $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tsig. > dig.out.test$n.5
+  grep "status: NOERROR" dig.out.test$n.5 > /dev/null || ret=1
+  grep "$pat" dig.out.test$n.5 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.9' dig.out.test$n.5 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.10' dig.out.test$n.5 > /dev/null && ret=1
+  grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
+
+  $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tcponly.tsig > dig.out.test$n.6
+  grep "status: NOERROR" dig.out.test$n.6 > /dev/null || ret=1
+  grep "$pat" dig.out.test$n.6 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.9' dig.out.test$n.6 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.10' dig.out.test$n.6 > /dev/null && ret=1
+  grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
+
+  $DIG $DIGOPTS @10.53.0.10 -y $key +tcp nocookie.tsig > dig.out.test$n.7
+  grep "status: NOERROR" dig.out.test$n.7 > /dev/null || ret=1
+  grep "; COOKIE:" dig.out.test$n.7 > /dev/null && ret=1
+  grep 'A.10\.53\.0\.9' dig.out.test$n.7 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.10' dig.out.test$n.7 > /dev/null && ret=1
+  grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
+
+  if [ $ret != 0 ]; then echo_i "failed"; fi
+  status=`expr $status + $ret`
+
+  n=`expr $n + 1`
+  echo_i "check that missing COOKIE with a valid TSIG signed response does not trigger TCP fallback ($n)"
+  ret=0
+  pat='10\.53\.0\.10 .*\[cookie=................................\] \[ttl'
+  # prime EDNS COOKIE state
+  $DIG $DIGOPTS @10.53.0.1 tsig. > dig.out.test$n.1
+  grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
+  rndc_dumpdb ns1
+  grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
+  # check the disabled server response
+  nextpart ns1/named.run >/dev/null
+  $DIG $DIGOPTS @10.53.0.1 nocookie.tsig > dig.out.test$n.2
+  grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1
+  nextpart ns1/named.run > named.run.test$n
+  count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n)
+  test $count -eq 2 || ret=1
+  if [ $ret != 0 ]; then echo_i "failed"; fi
+  status=`expr $status + $ret`
+fi
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1

diff --git a/util/copyrights b/util/copyrights
index f5459347bdc5ae6f7dc1d45812bbb4c8b84e640a..36e8e57f4553610acf1aa8b1fe6e45667d6fd1fe 100644 (file)
--- a/util/copyrights
+++ b/util/copyrights
@@ -389,7 +389,9 @@
 ./bin/tests/system/conf.sh.common              SH      2018,2019,2020
 ./bin/tests/system/conf.sh.in                  SH      2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
 ./bin/tests/system/conf.sh.win32               SH      2016,2017,2018,2019,2020
+./bin/tests/system/cookie/ans9/ans.py          PYTHON  2020
 ./bin/tests/system/cookie/clean.sh             SH      2014,2015,2016,2018,2019,2020
+./bin/tests/system/cookie/prereq.sh            SH      2020
 ./bin/tests/system/cookie/setup.sh             SH      2018,2019,2020
 ./bin/tests/system/cookie/tests.sh             SH      2014,2015,2016,2017,2018,2019,2020
 ./bin/tests/system/coverage/01-ksk-inactive/README     X       2013,2018,2019,2020