Add transport-acl system test

This commit adds a new system-test: transport-acl system test. It is
intended to test the new, extended syntax for ACLs, the one where port
or transport protocol can be specified. Currently, it includes the
tests only using allow-transfer statement, as this extended syntax is
used only there, at least for now.

diff --git a/bin/tests/system/Makefile.am b/bin/tests/system/Makefile.am
index f47678ba594d428ca08a9fae421aa63dff6150ed..5fe5b2d83389fcef202a1c049b24c9fec2f9033b 100644 (file)
--- a/bin/tests/system/Makefile.am
+++ b/bin/tests/system/Makefile.am
@@ -157,6 +157,7 @@ TESTS +=                    \
        synthfromdnssec         \
        tkey                    \
        tools                   \
+       transport-acl           \
        tsig                    \
        tsiggss                 \
        ttl                     \

diff --git a/bin/tests/system/transport-acl/clean.sh b/bin/tests/system/transport-acl/clean.sh
new file mode 100644 (file)
index 0000000..bd6739e
--- /dev/null
+++ b/bin/tests/system/transport-acl/clean.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after zone transfer tests.
+#
+
+rm -f ./*/named.conf
+rm -f ./*/named.memstats
+rm -f ./*/named.run
+rm -f ./*/named.run.prev
+rm -f ./dig.out.*
+rm -f ./*/example.db
+rm -rf ./headers.*

diff --git a/bin/tests/system/transport-acl/ns1/named.conf.in b/bin/tests/system/transport-acl/ns1/named.conf.in
new file mode 100644 (file)
index 0000000..e46130f
--- /dev/null
+++ b/bin/tests/system/transport-acl/ns1/named.conf.in
@@ -0,0 +1,127 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+       inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls self-signed {
+       cert-file "../self-signed-cert.pem";
+       key-file "../self-signed-key.pem";
+};
+
+options {
+       pid-file "named.pid";
+       ##
+       # generic test
+       listen-on port @PORT@ { 10.53.0.1; };
+       listen-on port @TLSPORT@ tls self-signed { 10.53.0.1; };
+       # test #1
+       listen-on port @EXTRAPORT1@ { 10.53.0.1; };
+       listen-on port @EXTRAPORT1@ tls self-signed { 10.53.0.2; };
+       listen-on port @EXTRAPORT2@ { 10.53.0.1; };
+       listen-on port @EXTRAPORT2@ tls self-signed { 10.53.0.2; };
+       # test #2
+       listen-on port @EXTRAPORT1@ { 10.53.0.3; };
+       listen-on port @EXTRAPORT2@ { 10.53.0.3; };
+       listen-on port @EXTRAPORT1@ tls self-signed { 10.53.0.4; };
+       listen-on port @EXTRAPORT2@ tls self-signed { 10.53.0.4; };
+       # test #3
+       listen-on port @EXTRAPORT3@ tls self-signed { 10.53.0.3; };
+       listen-on port @EXTRAPORT4@ tls self-signed { 10.53.0.3; };
+       listen-on port @EXTRAPORT3@ { 10.53.0.4; };
+       listen-on port @EXTRAPORT4@ { 10.53.0.4; };
+       # test #4
+       listen-on port @EXTRAPORT1@ { 10.53.0.5; };
+       listen-on port @EXTRAPORT2@ { 10.53.0.5; };
+       listen-on port @EXTRAPORT1@ tls self-signed { 10.53.0.6; };
+       # test #5
+       listen-on port @EXTRAPORT3@ tls self-signed { 10.53.0.1; };
+       listen-on port @EXTRAPORT4@ tls self-signed { 10.53.0.1; };
+       listen-on port @EXTRAPORT3@ { 10.53.0.2; };
+       # test #6
+       listen-on port @EXTRAPORT5@ { 10.53.0.1; };
+       # test #7
+       listen-on port @EXTRAPORT6@ tls self-signed  { 10.53.0.1; };
+       # test #7
+       listen-on port @EXTRAPORT7@ tls self-signed  { 10.53.0.1; };
+       # test #8
+       listen-on port @EXTRAPORT8@ { 10.53.0.1; };
+       ##
+       listen-on-v6 { none; };
+       recursion no;
+       notify explicit;
+       statistics-file "named.stats";
+       dnssec-validation yes;
+       tcp-initial-timeout 1200;
+};
+
+zone "example0" {
+       type primary;
+       file "example.db";
+       allow-transfer port @TLSPORT@ transport tls { any; };
+};
+
+zone "example1" {
+       type primary;
+       file "example.db";
+       allow-transfer port @EXTRAPORT1@ { any; };
+};
+
+zone "example2" {
+       type primary;
+       file "example.db";
+       allow-transfer transport tcp { any; };
+};
+
+zone "example3" {
+       type primary;
+       file "example.db";
+       allow-transfer transport tls { any; };
+};
+
+zone "example4" {
+       type primary;
+       file "example.db";
+       allow-transfer port @EXTRAPORT1@ transport tcp { any; };
+};
+
+zone "example5" {
+       type primary;
+       file "example.db";
+       allow-transfer port @EXTRAPORT3@ transport tls { any; };
+};
+
+zone "example6" {
+       type primary;
+       file "example.db";
+       allow-transfer port @EXTRAPORT5@ transport tcp { 10.53.0.7; 10.53.0.8; 10.53.0.9; };
+};
+
+zone "example7" {
+       type primary;
+       file "example.db";
+       allow-transfer port @EXTRAPORT6@ transport tls { 10.53.0.7; 10.53.0.8; 10.53.0.9; };
+};
+
+zone "example8" {
+       type primary;
+       file "example.db";
+       allow-transfer port @EXTRAPORT7@ transport tls { 10.53.0.1; 10.53.0.2; 10.53.0.3; };
+};
+
+zone "example9" {
+       type primary;
+       file "example.db";
+       allow-transfer port @EXTRAPORT8@ transport tcp { 10.53.0.7; !10.53.0.8; 10.53.0.9; };
+};

diff --git a/bin/tests/system/transport-acl/self-signed-cert.pem b/bin/tests/system/transport-acl/self-signed-cert.pem
new file mode 100644 (file)
index 0000000..d569353
--- /dev/null
+++ b/bin/tests/system/transport-acl/self-signed-cert.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEwTCCAymgAwIBAgIUJm/nnhqH3omkx9PqEyewJhYg/sQwDQYJKoZIhvcNAQEL
+BQAwbzELMAkGA1UEBhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4G
+A1UEBwwHS2hhcmtpdjEMMAoGA1UECgwDSVNDMQ8wDQYDVQQLDAZTVy1FbmcxFTAT
+BgNVBAMMDHRlc3QuaXNjLm9yZzAgFw0yMTExMjkxMTQ0MDRaGA8yMTIxMTEzMDEx
+NDQwNFowbzELMAkGA1UEBhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQ
+MA4GA1UEBwwHS2hhcmtpdjEMMAoGA1UECgwDSVNDMQ8wDQYDVQQLDAZTVy1Fbmcx
+FTATBgNVBAMMDHRlc3QuaXNjLm9yZzCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCC
+AYoCggGBAM8hzYSedQFajsjJKVnZ3BeWLOGULJO2ixQZ/vMnAk6q5a6JFST5DYVA
+G84S8GKzswZibNNuKJnuuQO3mBE2+Pioc+vxtewxlzbcQ2EaKgbx5IVezzHtQUYw
+WUUdSv7ViKOVeaI9jvXqpYUbbtLogSVkPB+/oWU1Wu4y/TkXc4wEqBxQx+P4kNnj
+stCP7r5HMkvBqQgmod5rjqLFohtIQbEhjSBaoK+td25vWUvfG/isduiKx52tC4k3
+CBnBOIfvgkNmJk5Rh3RufbiyBSCtgBcH3wp9VSByqC7roFQqzBkZm0aCmuggNmXb
+OXU7klEyVmAeiqLvfQSkjNsDmlaTsHCszgIB9RPA4f07KV62uFsdOu0K48yXBnEa
+nZeIFqwuTS+PU7T+SnWQGoJLDvCa6IPERqk+5j94BET84/z942WLVqSLlqAoa1rF
+5686m2Dgj10SRUpE99bmVg+HZRwO/ZbkLgu+tILqpYpnKP6n8FDpjW0Jnl77uw9S
+UeAvbGyw5QIDAQABo1MwUTAdBgNVHQ4EFgQUJV5YRDD9iF+uz9AFx5fA86CtlVQw
+HwYDVR0jBBgwFoAUJV5YRDD9iF+uz9AFx5fA86CtlVQwDwYDVR0TAQH/BAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAYEAi8sOMYGFs6n1C23vXorx5Zbbym5QkUVgYbxe
+9VaBy0Y/PgvXaxtz8zytbtFhyU5izXNZ7k8A4vnJ/TGxoIj503ArBMZj+CiwIBVI
+yMzheDp+MY4F19OIy/TsQglYeOEhK/PA9uj5GZYE1Ar6Qck4wl2vk3iaTMsaniyV
+zPqCiso2YDLISSvF3nvLcTQ8nX6JyYR/3J0t5biLcissPvubgzguoULRn2VwWw/7
+MaRXXPMTBTyCAylJrSgfBKvYmJcnHHocTAZkGElDaYHfALlR+5K9wi/QYwz3kFpN
+mS55yjSBlPPxH0rZw8fOdCLNbyzPjP+aXXoTUJa5/X7RNGKQTcuohektsuU1quxo
+lugrRYjhiytqBUek3qtBJfmX28LnfZHyKpDpHO6wykQS7FTWb69c6tvAzlwFbH7o
+onyhZz1Z2iXw4u7N4nTlj1VqHVMiEr2KUfxtOm5HQ7tZFSaWIA0HfIRB7WD3Escz
+DY3Bbu9bS711Yywp+NpvOqBSvMon
+-----END CERTIFICATE-----

diff --git a/bin/tests/system/transport-acl/self-signed-key.pem b/bin/tests/system/transport-acl/self-signed-key.pem
new file mode 100644 (file)
index 0000000..5d9748b
--- /dev/null
+++ b/bin/tests/system/transport-acl/self-signed-key.pem
@@ -0,0 +1,40 @@
+-----BEGIN PRIVATE KEY-----
+MIIG/AIBADANBgkqhkiG9w0BAQEFAASCBuYwggbiAgEAAoIBgQDPIc2EnnUBWo7I
+ySlZ2dwXlizhlCyTtosUGf7zJwJOquWuiRUk+Q2FQBvOEvBis7MGYmzTbiiZ7rkD
+t5gRNvj4qHPr8bXsMZc23ENhGioG8eSFXs8x7UFGMFlFHUr+1YijlXmiPY716qWF
+G27S6IElZDwfv6FlNVruMv05F3OMBKgcUMfj+JDZ47LQj+6+RzJLwakIJqHea46i
+xaIbSEGxIY0gWqCvrXdub1lL3xv4rHboisedrQuJNwgZwTiH74JDZiZOUYd0bn24
+sgUgrYAXB98KfVUgcqgu66BUKswZGZtGgproIDZl2zl1O5JRMlZgHoqi730EpIzb
+A5pWk7BwrM4CAfUTwOH9OyletrhbHTrtCuPMlwZxGp2XiBasLk0vj1O0/kp1kBqC
+Sw7wmuiDxEapPuY/eARE/OP8/eNli1aki5agKGtaxeevOptg4I9dEkVKRPfW5lYP
+h2UcDv2W5C4LvrSC6qWKZyj+p/BQ6Y1tCZ5e+7sPUlHgL2xssOUCAwEAAQKCAYAy
+VN9wy2RZKN0rUx5WNAc0QAy13+CZIDFZeBuokCESZpqbN7pImrA7YeGfyKBbC5mE
+AqS5F7qL9SNGEPXFsRr8qUpJ2hk/xKke7pT84nO17k9+TRSB6EoFOThn//86Pz8N
+qQO+dcDoZtVDq+/ZFiBTqrClclZQlo969C7uEZHFQ1hqUQLRlZP1LkxEO8VivUAu
+gmeFkIWi23X0fZuvj3ZPCX0WkI8dQUSVND95nURZv+bBCQAKg4MbG6E/SOFovrzz
+ohKK2zqSU+ncfWROYX/ulKMJKIhOKtxkprBnj2nSemTUEf5gDk9oDqsYClGmEcSL
+XvNxq3WpVt4u7Fsr1QZ6fh/IYIQnKvI/H0wwYojtzkh3FGdb/K0dnKeoebUqlc9Q
+4UwKGshhcbk2130t/zIdd5wnL5uj+xjh0cYSO5JqlcZwXC97SWDmEowCo8M/k8ie
+c9cQeIOXUKvT3DvnEh1LAtfI8gW3g9GVHad4k25dQ4ZSiyXsKL2+mOWn+4WmQx0C
+gcEA6UqykoDp2j6nfMA+5fEfNOplyXJMyTBxMoaFb+cO8P2qjjKOMyLJewXqW/3g
+wWaPcl3dGVCPaqmQxf+fDEarSkDxkroN02YaQy3xdAAZvoUDc00VKq9BFe3TZEuP
+7/sN3t3Ey7K5KVyKgh4cGPqSCCXrk3OPCyiRFxWa4wQAXuntT1iXkXGzXuoDPzCH
+xWRiM+z3se6PdoPXMbJhuL04b4CIUmHSrGbqtO5bi6IDOksIhaKMFs4c7escSF+7
+jj0zAoHBAONLPcUT9uhzMIXe9BBdRYms65G3VjsTbS8MC/QiR6nl5/evQb0hDp0G
+/tbLf9F9QVMA2onhK1mjafHFC4oVrwrLT+VZezKsQm3ICoqOFqxL+6dAu93A2dDA
+99YCc6pCrmagaDpA5tz1UwBwA77pl2aMV2g7iIe2p+hmL6dx6Tp8jN+Mu0KXViyT
+gPG9LITJQSu13EZgRukNnYu7+L2+NWfyGCbfCJ5/2qXmryjefoboR48sa8jZyUmQ
+rf/VAG3phwKBwDE/lqD82+E5tsvMHbsXAtp93Q0AtxsFwe/DnCm6YloXgsjP/Vro
+LhZtckMHPko1p3SiQgmVCyGeODTEOMQzqvda7GRoKIEHHeYurbkqSEUC+W5+yEgh
+hSDm+uhCV1l26z+wG1pRGWuU4JyFVLMlOmzD7I5NJ9ZYMwDni7H+50EiKvnEHwMS
+OKaByjutuAvAnEaP8N48GUcQn/4axSxlraNERAL4KaxBcazOYL8CbaIBswPbA63Q
+xySmrGrO4t4tJwKBwGITmnDKv5Tn930cimXxSUsyAWgcGypcpJVTdmj+zbuDCAg5
+aH1qoTqixR38K4hCqwhc6u/p6GHCgLmhU+xelOxsdGo7pUxlRjjGw72ruB7anpk5
+9pamW5aXXZnL7wr9wPFpr+/LB5M6jHk43HTpqLnIPwMsBSrCZ0uBpHh1T7U7/zGL
+MVZ3pOiRMWeeQHJ/wQ5SZ906N/7iMCQWlSuSwsq6jS9guABknP1PQC+7ag9edVpT
+SaMeTpvewSYOTCQhSwKBwEmZP/Jh76G3bETPSPcIyPB0vgYmYiAftmvtwHzUL14V
+dOfNbwXF6WiepSceLbw99LNpMwfRfKBGVDLRhKMqL7QR8ZKNew5AvfXVZ1yDNKu+
+/4hqFLUhsAARsfNofAzvKOtWmghVBzO9TauAyv3prFgjfvDkA+EZ2amDvXChkP/Q
+7ck2aIUu9Sr4kPTUigIRlu6c18QQiLobXC7yKx6GhEpJsh9xGHHDJqkG16l+u1ju
+bEd5UJArJoST5lff5y7MyQ==
+-----END PRIVATE KEY-----

diff --git a/bin/tests/system/transport-acl/setup.sh b/bin/tests/system/transport-acl/setup.sh
new file mode 100644 (file)
index 0000000..a54dba7
--- /dev/null
+++ b/bin/tests/system/transport-acl/setup.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck disable=SC1091
+. ../conf.sh
+
+$SHELL clean.sh
+
+$SHELL "${TOP_SRCDIR}"/bin/tests/system/genzone.sh 2 > ns1/example.db
+
+copy_setports ns1/named.conf.in ns1/named.conf

diff --git a/bin/tests/system/transport-acl/tests.sh b/bin/tests/system/transport-acl/tests.sh
new file mode 100644 (file)
index 0000000..339ad41
--- /dev/null
+++ b/bin/tests/system/transport-acl/tests.sh
@@ -0,0 +1,120 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck disable=SC1091
+. ../conf.sh
+
+dig_out_basename="dig.out.test"
+testing="testing allow-transfer transport ACL functionality"
+
+dig_with_opts() {
+       # shellcheck disable=SC2086
+       "$DIG" +noadd +nosea +nostat +noquest +nocmd "$@"
+}
+
+status=0
+n=0
+
+run_dig_test () {
+       test_message="$1"
+       shift
+       n=$((n+1))
+       echo_i "$test_message ($n)"
+       ret=0
+       dig_with_opts "$@" > "$dig_out_basename$n" || ret=1
+}
+
+run_dig_expect_axfr_success () {
+       run_dig_test "$@"
+       grep "; Transfer failed" "$dig_out_basename$n" > /dev/null && ret=1
+       if [ $ret != 0 ]; then echo_i "failed"; fi
+       status=$((status+ret))
+}
+
+run_dig_expect_axfr_failure () {
+       run_dig_test "$@"
+       grep "; Transfer failed" "$dig_out_basename$n" > /dev/null || ret=1
+       if [ $ret != 0 ]; then echo_i "failed"; fi
+       status=$((status + ret))
+}
+
+# generic tests
+run_dig_expect_axfr_success "$testing for XoT" -p "${TLSPORT}" +tls -b 10.53.0.10 @10.53.0.1 axfr example0
+
+run_dig_expect_axfr_failure "$testing XFR via TCP (failure expected)" -p "${PORT}" +tcp -b 10.53.0.10 @10.53.0.1 axfr example0
+
+# 1. Test allow-transfer port X, transfer works with TCP and TLS on port X but not port Y.
+
+run_dig_expect_axfr_success "$testing for XFR via TCP" -p "${EXTRAPORT1}" +tcp -b 10.53.0.10 @10.53.0.1 axfr example1
+
+run_dig_expect_axfr_success "$testing for XoT" -p "${EXTRAPORT1}" +tls -b 10.53.0.10 @10.53.0.2 axfr example1
+
+run_dig_expect_axfr_failure "$testing for XFR via TCP (failure expected)" -p  "${EXTRAPORT2}" +tcp -b 10.53.0.10 @10.53.0.1 axfr example1
+
+run_dig_expect_axfr_failure "$testing for XoT (failure expected)" -p "${EXTRAPORT2}" +tls -b 10.53.0.10 @10.53.0.2 axfr example1
+
+# 2. Test allow-transfer transport tcp, transfer works with TCP on any port but not TLS.
+
+run_dig_expect_axfr_success "$testing for XFR via TCP" -p "${EXTRAPORT1}" +tcp -b 10.53.0.10 @10.53.0.3 axfr example2
+
+run_dig_expect_axfr_success "$testing for XFR via TCP" -p "${EXTRAPORT2}" +tcp -b 10.53.0.10 @10.53.0.3 axfr example2
+
+run_dig_expect_axfr_failure "$testing for XoT (failure expected)" -p "${EXTRAPORT1}" +tls -b 10.53.0.10 @10.53.0.4 axfr example2
+
+run_dig_expect_axfr_failure "$testing for XoT (failure expected)" -p "${EXTRAPORT2}" +tls -b 10.53.0.10 @10.53.0.4 axfr example2
+
+# 3. Test allow-transfer transport tls, transfer works with TLS on any port but not TCP.
+run_dig_expect_axfr_success "$testing for XoT" -p "${EXTRAPORT3}" +tls -b 10.53.0.10 @10.53.0.3 axfr example3
+
+run_dig_expect_axfr_success "$testing for XoT" -p "${EXTRAPORT4}" +tls -b 10.53.0.10 @10.53.0.3 axfr example3
+
+run_dig_expect_axfr_failure "$testing for XFR via TCP (failure expected)" -p "${EXTRAPORT3}" +tcp -b 10.53.0.10 @10.53.0.4 axfr example3
+
+run_dig_expect_axfr_failure "$testing for XFR via TCP (failure expected)" -p "${EXTRAPORT4}" +tcp -b 10.53.0.10 @10.53.0.4 axfr example3
+
+# 4. Test allow-transfer port X transport tcp, transfer works with TCP on port X but not port Y and not with TLS on port X.
+
+run_dig_expect_axfr_success "$testing for XFR via TCP" -p "${EXTRAPORT1}" +tcp -b 10.53.0.10 @10.53.0.5 axfr example4
+
+run_dig_expect_axfr_failure "$testing for XFR via TCP (failure expected)" -p "${EXTRAPORT2}" +tcp -b 10.53.0.10 @10.53.0.5 axfr example4
+
+run_dig_expect_axfr_failure "$testing for XoT (failure expected)" -p "${EXTRAPORT1}" +tls -b 10.53.0.10 @10.53.0.6 axfr example4
+
+# 5. Test allow-transfer port X transport tls, transfer works with TLS on port X but not port Y and not with TCP on port X.
+
+run_dig_expect_axfr_success "$testing for XoT" -p "${EXTRAPORT3}" +tls -b 10.53.0.10 @10.53.0.1 axfr example5
+
+run_dig_expect_axfr_failure "$testing for XoT (failure expected)" -p "${EXTRAPORT4}" +tls -b 10.53.0.10 @10.53.0.1 axfr example5
+
+run_dig_expect_axfr_failure "$testing for XFR via TCP (failure expected)" -p "${EXTRAPORT3}" +tcp -b 10.53.0.10 @10.53.0.2 axfr example5
+
+# 6. Test with multiple allow-transfer available, first ACL is a match.
+run_dig_expect_axfr_success "$testing for XFR via TCP" -p "${EXTRAPORT5}" +tcp -b 10.53.0.7 @10.53.0.1 axfr example6
+
+run_dig_expect_axfr_failure "$testing for XFR via TCP (failure expected)" -p "${EXTRAPORT5}" +tcp -b 10.53.0.6 @10.53.0.1 axfr example6
+
+# 7. Test with multiple allow-transfer available, last ACL is a match.
+run_dig_expect_axfr_success "$testing for XoT" -p "${EXTRAPORT6}" +tls -b 10.53.0.9 @10.53.0.1 axfr example7
+
+run_dig_expect_axfr_failure "$testing for XoT (failure expected)" -p "${EXTRAPORT6}" +tls -b 10.53.0.6 @10.53.0.1 axfr example7
+
+# 8. Test with multiple allow-transfer available, no ACL is a match.
+run_dig_expect_axfr_failure "$testing for XoT (failure expected)" -p "${EXTRAPORT7}" +tls -b 10.53.0.7 @10.53.0.1 axfr example8
+
+# 9. Test with multiple allow-transfer available, negated ACL is used.
+run_dig_expect_axfr_success "$testing for XFR via TCP" -p "${EXTRAPORT8}" +tcp -b 10.53.0.7 @10.53.0.1 axfr example9
+
+run_dig_expect_axfr_failure "$testing for XoT (failure expected)" -p "${EXTRAPORT8}" +tcp -b 10.53.0.8 @10.53.0.1 axfr example9
+
+run_dig_expect_axfr_success "$testing for XFR via TCP" -p "${EXTRAPORT8}" +tcp -b 10.53.0.9 @10.53.0.1 axfr example9
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1

diff --git a/util/copyrights b/util/copyrights
index 1d43fbd260df1d900cf36b604d218714de413fb2..1a7849476985890e4aa9a2d424e03641dc38c2c7 100644 (file)
--- a/util/copyrights
+++ b/util/copyrights
@@ -823,6 +823,11 @@
 ./bin/tests/system/tools/clean.sh              SH      2017,2018,2019,2020,2021
 ./bin/tests/system/tools/setup.sh              SH      2019,2020,2021
 ./bin/tests/system/tools/tests.sh              SH      2017,2018,2019,2020,2021
+./bin/tests/system/transport-acl/clean.sh      SH      2021
+./bin/tests/system/transport-acl/self-signed-cert.pem  X       2021
+./bin/tests/system/transport-acl/self-signed-key.pem   X       2021
+./bin/tests/system/transport-acl/setup.sh      SH      2021
+./bin/tests/system/transport-acl/tests.sh      SH      2021
 ./bin/tests/system/tsig/ans2/ans.pl            PERL    2020,2021
 ./bin/tests/system/tsig/badlocation            X       2020,2021
 ./bin/tests/system/tsig/badtime                        X       2020,2021