zone "mixed-case-rpz";
zone "evil-cname" policy cname a12.tld2. ede blocked;
zone "wild-cname" ede blocked;
+ zone "slow-rpz";
}
add-soa yes
min-ns-dots 0
min-update-interval 0
nsdname-enable yes
nsip-enable yes
+ servfail-until-ready yes
;
also-notify { 10.53.0.3 port @EXTRAPORT1@; };
notify no;
};
+zone "slow-rpz." {
+ type primary;
+ file "slow-rpz.db";
+ notify no;
+};
+
zone "fast-expire." {
type secondary;
file "fast-expire.db";
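Review bot: `servfail-until-ready yes` is set on the whole `response-policy` statement of ns3, not only for the new `slow-rpz` zone, so every query against ns3 answers SERVFAIL while any of its policy zones is still being (re)processed; that is the fail-closed behaviour the new test exercises, but earlier checks that restart or reload ns3 without `-T rpzslow` presumably now depend on the existing start-up wait covering RPZ readiness, which is worth confirming. A one-line comment above the option would make the intent visible to the next maintainer, e.g. `# answer SERVFAIL rather than unfiltered while RPZ zones load; exercised by the slow-rpz test`. The response-policy block this option belongs to begins before the first line shown here.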
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ SOA mixed-case-rpz. hostmaster.ns.mixed-case-rpz. ( 1 3600 1200 604800 60 )
+ NS ns.tld3.
+
+$GENERATE 1-30 host$ CNAME .
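Review bot: The SOA on the `@` line names `mixed-case-rpz.` and `hostmaster.ns.mixed-case-rpz.` although this file backs the `slow-rpz.` zone declared in named.conf; it reads as copied from the mixed-case-rpz template, and `@ SOA ns.slow-rpz. hostmaster.slow-rpz. ( 1 3600 1200 604800 60 )` would match the zone it serves (harmless for the test, which never queries the SOA, but misleading). The `$GENERATE 1-30` count is also what tests.sh relies on for its timing under `-T rpzslow`; a comment such as `; 30 rules: the servfail-until-ready test in tests.sh assumes this count` would keep the two files in step when either is changed.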
cp ns3/mixed-case-rpz-1.db.in ns3/mixed-case-rpz.db
+# a "big" zone (tested with '-T rpzslow' enabled to slow down loading)
+cp ns3/slow-rpz.db.in ns3/slow-rpz.db
+
# a zone that expires quickly and then can't be refreshed
cp ns5/fast-expire.db.in ns5/fast-expire.db
cp ns5/expire.conf.in ns5/expire.conf
HAVE_CORE=
+NS_PARAMS="-m record -c named.conf -d 99 -g"
+
status=0
t=0
$DIG a7-2.tld2s -p ${PORT} @$ns6 +cd >dig.out.${t} || setret "failed"
grep -w "1.1.1.1" dig.out.${t} >/dev/null || setret "failed"
+t=$((t + 1))
+echo_i "checking that 'servfail-until-ready yes' works (part 1) (${t})"
+# Restart ns3 with '-T rpzslow'
+stop_server ns3
+nextpart ns3/named.run >/dev/null
+start_server --noclean --restart --port ${PORT} ns3 -- "-D rpz-ns3 $NS_PARAMS -T rpzslow"
+wait_for_log 10 "all zones loaded" ns3/named.run
+# Just any query that is expected to success normally, but should return
+# SERVFAIL because RPZ is still processing.
+$DIG tld2. NS -p ${PORT} @$ns3 >dig.out.${t} || setret "failed"
+grep "status: SERVFAIL" dig.out.${t} >/dev/null || setret "failed"
+
+t=$((t + 1))
+echo_i "checking that 'servfail-until-ready yes' works (part 2) (${t})"
+# The 'slow-rpz.' zone has 30 records (RPZ rules), and '-T rpzslow' forces a
+# 100ms delay for each rule. Wait enough time for processing to finish.
+wait_for_log 10 "slow-rpz: reload done" ns3/named.run
+# Now the same request as in the previous test should return NOERROR
+$DIG tld2. NS -p ${PORT} @$ns3 >dig.out.${t} || setret "failed"
+grep "status: NOERROR" dig.out.${t} >/dev/null || setret "failed"
+
[ $status -eq 0 ] || exit 1
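Review bot: The `start_server --noclean --restart` line leaves ns3 running with `-T rpzslow` (plus the `-m record -d 99` parameters from NS_PARAMS) for the remainder of the script, and nothing in the hunk restores the original server, so any check appended after part 2 would run against a deliberately slowed RPZ and could time out. Because the `[ $status -eq 0 ] || exit 1` line ends the script this is fine today, but a comment before the restart, `# NOTE: ns3 stays in '-T rpzslow' mode from here on; add new tests above this block or restart ns3 without the flag`, would prevent a surprising failure later. Part 1 also depends on the dig at the `$DIG tld2. NS` line reaching ns3 inside the roughly 3 s processing window implied by 30 rules × 100 ms; if that window shrinks, the expected SERVFAIL can become NOERROR and the test turns flaky, so stating the assumption in the part-1 comment would help.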