DNSRPSCMD=./dnsrps
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s"
-# Run the tests twice, first without DNSRPS and then with if it is available
-if [ -z "$DNSRPS_TEST_MODE" ]; then
- if [ -e dnsrps-only ]; then
- echo "I:'dnsrps-only' found: skipping native RPZ sub-test"
- else
- echo "I:running native RPZ sub-test"
- $SHELL ./$0 -Dnative $ARGS || status=1
- fi
-
- if [ -e dnsrps-off ]; then
- echo "I:'dnsrps-off' found: skipping DNSRPS sub-test"
- else
- echo "I:attempting to configure servers with DNSRPS..."
- $PERL $SYSTEMTESTTOP/stop.pl .
- $SHELL ./setup.sh -D $DEBUG
- sed -n 's/^## /I:/p' dnsrps.conf
- if grep '^#fail' dnsrps.conf >/dev/null; then
- echo "I:exit status: 1"
- exit 1
- fi
- if test -z "`grep '^#skip' dnsrps.conf`"; then
- echo "I:running DNSRPS sub-test"
- $PERL $SYSTEMTESTTOP/start.pl --noclean --restart .
- $SHELL ./$0 $ARGS -Ddnsrps || status=1
- else
- echo "I:DNSRPS sub-test skipped"
- fi
- fi
-
- echo "I:exit status: $status"
- exit $status
-fi
-
if test -x $DNSRPSCMD; then
# speed up the many delays for dnsrpzd by waiting only 0.1 seconds
WAIT_CMD="$DNSRPSCMD -w 0.1"
return 1
}
+nsd() {
+ $NSUPDATE -p 5300 << EOF
+ server $1
+ ttl 300
+ update $2 $3 IN CNAME .
+ update $2 $4 IN CNAME .
+ send
+EOF
+ sleep 2
+}
# make prototype files to check against rewritten results
digcmd nonexistent @$ns2 >proto.nxdomain
digcmd txt-only.tld2 @$ns2 >proto.nodata
-start_group "QNAME rewrites" test1
-nochange . # 1 do not crash or rewrite root
-nxdomain a0-1.tld2 # 2
-nodata a3-1.tld2 # 3
-nodata a3-2.tld2 # 4 nodata at DNAME itself
-nochange sub.a3-2.tld2 # 5 miss where DNAME might work
-nxdomain a4-2.tld2 # 6 rewrite based on CNAME target
-nxdomain a4-2-cname.tld2 # 7
-nodata a4-3-cname.tld2 # 8
-addr 12.12.12.12 a4-1.sub1.tld2 # 9 A replacement
-addr 12.12.12.12 a4-1.sub2.tld2 # 10 A replacement with wildcard
-addr 12.12.12.12 nxc1.sub1.tld2 # 11 replace NXDOMAIN with CNAME
-addr 12.12.12.12 nxc2.sub1.tld2 # 12 replace NXDOMAIN with CNAME chain
-addr 127.4.4.1 a4-4.tld2 # 13 prefer 1st conflicting QNAME zone
-nochange a6-1.tld2 # 14
-addr 127.6.2.1 a6-2.tld2 # 15
-addr 56.56.56.56 a3-6.tld2 # 16 wildcard CNAME
-addr 57.57.57.57 a3-7.sub1.tld2 # 17 wildcard CNAME
-addr 127.0.0.16 a4-5-cname3.tld2 # 18 CNAME chain
-addr 127.0.0.17 a4-6-cname3.tld2 # 19 stop short in CNAME chain
-nochange a5-2.tld2 +norecurse # 20 check that RD=1 is required
-nochange a5-3.tld2 +norecurse # 21
-nochange a5-4.tld2 +norecurse # 22
-nochange sub.a5-4.tld2 +norecurse # 23
-nxdomain c1.crash2.tld3 # 24 assert in rbtdb.c
-nxdomain a0-1.tld2 +dnssec # 25 simple DO=1 without signatures
-nxdomain a0-1.tld2s +nodnssec # 26 simple DO=0 with signatures
-nochange a0-1.tld2s +dnssec # 27 simple DO=1 with signatures
-nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain
-nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain
-nochange a0-1.tld2s srv +auth +dnssec # 30 no write for DNSSEC and no record
-nxdomain a0-1.tld2s srv +nodnssec # 31
-drop a3-8.tld2 any # 32 drop
-nochange tcp a3-9.tld2 # 33 tcp-only
-here x.servfail <<'EOF' # 34 qname-wait-recurse yes
+case "$DNSRPS_TEST_MODE" in
+''|native|dnsrps);;
+*)
+ echo "bad test mode'${DNSRPS_TEST_MODE}' should be 'native' or 'dnsrps'"
+ exit 1
+ ;;
+esac
+
+for mode in ${DNSRPS_TEST_MODE:-native dnsrps}
+do
+ status=0
+ case ${mode} in
+ native)
+ if [ ${DNSRPS_TEST_MODE:-unset} = unset -a -e dnsrps-only ] ; then
+ echo "I:'dnsrps-only' found: skipping native RPZ sub-test"
+ continue
+ fi
+ ;;
+ dnsrps)
+ if [ ${DNSRPS_TEST_MODE:-unset} = unset -a -e dnsrps-off ] ; then
+ echo "I:'dnsrps-off' found: skipping DNSRPS sub-test"
+ continue
+ fi
+ if grep '^#skip' dnsrps.conf > /dev/null ; then
+ echo "I:DNSRPS sub-test skipped"
+ continue
+ fi
+ $PERL $SYSTEMTESTTOP/stop.pl .
+ $SHELL ./setup.sh -N -D $DEBUG
+ $PERL $SYSTEMTESTTOP/start.pl --noclean --restart .
+ ;;
+ esac
+ sed -n 's/^## /I:/p' dnsrps.conf
+
+ start_group "QNAME rewrites" test1
+ nochange . # 1 do not crash or rewrite root
+ nxdomain a0-1.tld2 # 2
+ nodata a3-1.tld2 # 3
+ nodata a3-2.tld2 # 4 nodata at DNAME itself
+ nochange sub.a3-2.tld2 # 5 miss where DNAME might work
+ nxdomain a4-2.tld2 # 6 rewrite based on CNAME target
+ nxdomain a4-2-cname.tld2 # 7
+ nodata a4-3-cname.tld2 # 8
+ addr 12.12.12.12 a4-1.sub1.tld2 # 9 A replacement
+ addr 12.12.12.12 a4-1.sub2.tld2 # 10 A replacement with wildcard
+ addr 12.12.12.12 nxc1.sub1.tld2 # 11 replace NXDOMAIN with CNAME
+ addr 12.12.12.12 nxc2.sub1.tld2 # 12 replace NXDOMAIN with CNAME chain
+ addr 127.4.4.1 a4-4.tld2 # 13 prefer 1st conflicting QNAME zone
+ nochange a6-1.tld2 # 14
+ addr 127.6.2.1 a6-2.tld2 # 15
+ addr 56.56.56.56 a3-6.tld2 # 16 wildcard CNAME
+ addr 57.57.57.57 a3-7.sub1.tld2 # 17 wildcard CNAME
+ addr 127.0.0.16 a4-5-cname3.tld2 # 18 CNAME chain
+ addr 127.0.0.17 a4-6-cname3.tld2 # 19 stop short in CNAME chain
+ nochange a5-2.tld2 +norecurse # 20 check that RD=1 is required
+ nochange a5-3.tld2 +norecurse # 21
+ nochange a5-4.tld2 +norecurse # 22
+ nochange sub.a5-4.tld2 +norecurse # 23
+ nxdomain c1.crash2.tld3 # 24 assert in rbtdb.c
+ nxdomain a0-1.tld2 +dnssec # 25 simple DO=1 without signatures
+ nxdomain a0-1.tld2s +nodnssec # 26 simple DO=0 with signatures
+ nochange a0-1.tld2s +dnssec # 27 simple DO=1 with signatures
+ nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain
+ nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain
+ nochange a0-1.tld2s srv +auth +dnssec # 30 no write for DNSSEC and no record
+ nxdomain a0-1.tld2s srv +nodnssec # 31
+ drop a3-8.tld2 any # 32 drop
+ nochange tcp a3-9.tld2 # 33 tcp-only
+ here x.servfail <<'EOF' # 34 qname-wait-recurse yes
;; status: SERVFAIL, x
EOF
-addr 35.35.35.35 "x.servfail @$ns5" # 35 qname-wait-recurse no
-end_group
-ckstats $ns3 test1 ns3 22
-ckstats $ns5 test1 ns5 1
-ckstats $ns6 test1 ns6 0
-
-start_group "NXDOMAIN/NODATA action on QNAME trigger" test1
-nxdomain a0-1.tld2 @$ns6 # 1
-nodata a3-1.tld2 @$ns6 # 2
-nodata a3-2.tld2 @$ns6 # 3 nodata at DNAME itself
-nxdomain a4-2.tld2 @$ns6 # 4 rewrite based on CNAME target
-nxdomain a4-2-cname.tld2 @$ns6 # 5
-nodata a4-3-cname.tld2 @$ns6 # 6
-addr 12.12.12.12 "a4-1.sub1.tld2 @$ns6" # 7 A replacement
-addr 12.12.12.12 "a4-1.sub2.tld2 @$ns6" # 8 A replacement with wildcard
-addr 127.4.4.1 "a4-4.tld2 @$ns6" # 9 prefer 1st conflicting QNAME zone
-addr 12.12.12.12 "nxc1.sub1.tld2 @$ns6" # 10 replace NXDOMAIN w/ CNAME
-addr 12.12.12.12 "nxc2.sub1.tld2 @$ns6" # 11 replace NXDOMAIN w/ CNAME chain
-addr 127.6.2.1 "a6-2.tld2 @$ns6" # 12
-addr 56.56.56.56 "a3-6.tld2 @$ns6" # 13 wildcard CNAME
-addr 57.57.57.57 "a3-7.sub1.tld2 @$ns6" # 14 wildcard CNAME
-addr 127.0.0.16 "a4-5-cname3.tld2 @$ns6" # 15 CNAME chain
-addr 127.0.0.17 "a4-6-cname3.tld2 @$ns6" # 16 stop short in CNAME chain
-nxdomain c1.crash2.tld3 @$ns6 # 17 assert in rbtdb.c
-nxdomain a0-1.tld2 +dnssec @$ns6 # 18 simple DO=1 without sigs
-nxdomain a0-1s-cname.tld2s +dnssec @$ns6 # 19
-drop a3-8.tld2 any @$ns6 # 20 drop
-end_group
-ckstatsrange $ns3 test1 ns3 22 30
-ckstats $ns5 test1 ns5 0
-ckstats $ns6 test1 ns6 0
-
-start_group "IP rewrites" test2
-nodata a3-1.tld2 # 1 NODATA
-nochange a3-2.tld2 # 2 no policy record so no change
-nochange a4-1.tld2 # 3 obsolete PASSTHRU record style
-nxdomain a4-2.tld2 # 4
-nochange a4-2.tld2 -taaaa # 5 no A => no policy rewrite
-nochange a4-2.tld2 -ttxt # 6 no A => no policy rewrite
-nxdomain a4-2.tld2 -tany # 7 no A => no policy rewrite
-nodata a4-3.tld2 # 8
-nxdomain a3-1.tld2 -taaaa # 9 IPv6 policy
-nochange a4-1-aaaa.tld2 -taaaa # 10
-addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address
-addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone
-nochange a5-4.tld2 +norecurse # 13 check that RD=1 is required for #14
-addr 14.14.14.14 a5-4.tld2 # 14 prefer QNAME to IP
-nochange a4-4.tld2 # 15 PASSTHRU
-nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c
-addr 127.0.0.17 "a4-4.tld2 -b $ns1" # 17 client-IP address trigger
-nxdomain a7-1.tld2 # 18 slave policy zone (RT34450)
-cp ns2/blv2.tld2.db.in ns2/bl.tld2.db
-$RNDCCMD $ns2 reload bl.tld2
-ck_soa 2 bl.tld2 $ns3
-nochange a7-1.tld2 # 19 PASSTHRU
-sleep 1 # ensure that a clock tick has occured so that named will do the reload
-cp ns2/blv3.tld2.db.in ns2/bl.tld2.db
-$RNDCCMD $ns2 reload bl.tld2
-ck_soa 3 bl.tld2 $ns3
-nxdomain a7-1.tld2 # 20 slave policy zone (RT34450)
-end_group
-ckstats $ns3 test2 ns3 12
-
-# check that IP addresses for previous group were deleted from the radix tree
-start_group "radix tree deletions"
-nochange a3-1.tld2
-nochange a3-2.tld2
-nochange a4-1.tld2
-nochange a4-2.tld2
-nochange a4-2.tld2 -taaaa
-nochange a4-2.tld2 -ttxt
-nochange a4-2.tld2 -tany
-nochange a4-3.tld2
-nochange a3-1.tld2 -tAAAA
-nochange a4-1-aaaa.tld2 -tAAAA
-nochange a5-1-2.tld2
-end_group
-ckstats $ns3 'radix tree deletions' ns3 0
-
-# these tests assume "min-ns-dots 0"
-start_group "NSDNAME rewrites" test3
-nochange a3-1.tld2 # 1
-nochange a3-1.tld2 +dnssec # 2 this once caused problems
-nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME
-nxdomain a3-1.subsub.sub1.tld2
-nxdomain a3-1.subsub.sub1.tld2 -tany
-addr 12.12.12.12 a4-2.subsub.sub2.tld2 # 6 walled garden for *.sub2.tld2
-nochange a3-2.tld2. # 7 exempt rewrite by name
-nochange a0-1.tld2. # 8 exempt rewrite by address block
-addr 12.12.12.12 a4-1.tld2 # 9 prefer QNAME policy to NSDNAME
-addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME
-addr 127.0.0.2 a3-1.subsub.sub3.tld2
-nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash
-if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then
+ addr 35.35.35.35 "x.servfail @$ns5" # 35 qname-wait-recurse no
+ end_group
+ ckstats $ns3 test1 ns3 22
+ ckstats $ns5 test1 ns5 1
+ ckstats $ns6 test1 ns6 0
+
+ start_group "NXDOMAIN/NODATA action on QNAME trigger" test1
+ nxdomain a0-1.tld2 @$ns6 # 1
+ nodata a3-1.tld2 @$ns6 # 2
+ nodata a3-2.tld2 @$ns6 # 3 nodata at DNAME itself
+ nxdomain a4-2.tld2 @$ns6 # 4 rewrite based on CNAME target
+ nxdomain a4-2-cname.tld2 @$ns6 # 5
+ nodata a4-3-cname.tld2 @$ns6 # 6
+ addr 12.12.12.12 "a4-1.sub1.tld2 @$ns6" # 7 A replacement
+ addr 12.12.12.12 "a4-1.sub2.tld2 @$ns6" # 8 A replacement with wildcard
+ addr 127.4.4.1 "a4-4.tld2 @$ns6" # 9 prefer 1st conflicting QNAME zone
+ addr 12.12.12.12 "nxc1.sub1.tld2 @$ns6" # 10 replace NXDOMAIN w/ CNAME
+ addr 12.12.12.12 "nxc2.sub1.tld2 @$ns6" # 11 replace NXDOMAIN w/ CNAME chain
+ addr 127.6.2.1 "a6-2.tld2 @$ns6" # 12
+ addr 56.56.56.56 "a3-6.tld2 @$ns6" # 13 wildcard CNAME
+ addr 57.57.57.57 "a3-7.sub1.tld2 @$ns6" # 14 wildcard CNAME
+ addr 127.0.0.16 "a4-5-cname3.tld2 @$ns6" # 15 CNAME chain
+ addr 127.0.0.17 "a4-6-cname3.tld2 @$ns6" # 16 stop short in CNAME chain
+ nxdomain c1.crash2.tld3 @$ns6 # 17 assert in rbtdb.c
+ nxdomain a0-1.tld2 +dnssec @$ns6 # 18 simple DO=1 without sigs
+ nxdomain a0-1s-cname.tld2s +dnssec @$ns6 # 19
+ drop a3-8.tld2 any @$ns6 # 20 drop
+ end_group
+ ckstatsrange $ns3 test1 ns3 22 30
+ ckstats $ns5 test1 ns5 0
+ ckstats $ns6 test1 ns6 0
+
+ start_group "IP rewrites" test2
+ nodata a3-1.tld2 # 1 NODATA
+ nochange a3-2.tld2 # 2 no policy record so no change
+ nochange a4-1.tld2 # 3 obsolete PASSTHRU record style
+ nxdomain a4-2.tld2 # 4
+ nochange a4-2.tld2 -taaaa # 5 no A => no policy rewrite
+ nochange a4-2.tld2 -ttxt # 6 no A => no policy rewrite
+ nxdomain a4-2.tld2 -tany # 7 no A => no policy rewrite
+ nodata a4-3.tld2 # 8
+ nxdomain a3-1.tld2 -taaaa # 9 IPv6 policy
+ nochange a4-1-aaaa.tld2 -taaaa # 10
+ addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address
+ addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone
+ nochange a5-4.tld2 +norecurse # 13 check that RD=1 is required for #14
+ addr 14.14.14.14 a5-4.tld2 # 14 prefer QNAME to IP
+ nochange a4-4.tld2 # 15 PASSTHRU
+ nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c
+ addr 127.0.0.17 "a4-4.tld2 -b $ns1" # 17 client-IP address trigger
+ nxdomain a7-1.tld2 # 18 slave policy zone (RT34450)
+ cp ns2/blv2.tld2.db.in ns2/bl.tld2.db
+ $RNDCCMD $ns2 reload bl.tld2
+ ck_soa 2 bl.tld2 $ns3
+ nochange a7-1.tld2 # 19 PASSTHRU
+ sleep 1 # ensure that a clock tick has occured so that named will do the reload
+ cp ns2/blv3.tld2.db.in ns2/bl.tld2.db
+ $RNDCCMD $ns2 reload bl.tld2
+ ck_soa 3 bl.tld2 $ns3
+ nxdomain a7-1.tld2 # 20 slave policy zone (RT34450)
+ end_group
+ ckstats $ns3 test2 ns3 12
+
+ # check that IP addresses for previous group were deleted from the radix tree
+ start_group "radix tree deletions"
+ nochange a3-1.tld2
+ nochange a3-2.tld2
+ nochange a4-1.tld2
+ nochange a4-2.tld2
+ nochange a4-2.tld2 -taaaa
+ nochange a4-2.tld2 -ttxt
+ nochange a4-2.tld2 -tany
+ nochange a4-3.tld2
+ nochange a3-1.tld2 -tAAAA
+ nochange a4-1-aaaa.tld2 -tAAAA
+ nochange a5-1-2.tld2
+ end_group
+ ckstats $ns3 'radix tree deletions' ns3 0
+
+ # these tests assume "min-ns-dots 0"
+ start_group "NSDNAME rewrites" test3
+ nochange a3-1.tld2 # 1
+ nochange a3-1.tld2 +dnssec # 2 this once caused problems
+ nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME
+ nxdomain a3-1.subsub.sub1.tld2
+ nxdomain a3-1.subsub.sub1.tld2 -tany
+ addr 12.12.12.12 a4-2.subsub.sub2.tld2 # 6 walled garden for *.sub2.tld2
+ nochange a3-2.tld2. # 7 exempt rewrite by name
+ nochange a0-1.tld2. # 8 exempt rewrite by address block
+ addr 12.12.12.12 a4-1.tld2 # 9 prefer QNAME policy to NSDNAME
+ addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME
+ addr 127.0.0.2 a3-1.subsub.sub3.tld2
+ nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash
+ if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then
addr 12.12.12.12 as-ns.tld5. # 13 qname-as-ns
-fi
-end_group
-if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then
+ fi
+ end_group
+ if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then
ckstats $ns3 test3 ns3 8
-else
+ else
ckstats $ns3 test3 ns3 7
-fi
-
-# these tests assume "min-ns-dots 0"
-start_group "NSIP rewrites" test4
-nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2
-nochange a3-2.tld2. # 2 exempt rewrite by name
-nochange a0-1.tld2. # 3 exempt rewrite by address block
-nochange a3-1.tld4 # 4 different NS IP address
-if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then
- addr 12.12.12.12 as-ns.tld5. # 5 ip-as-ns
-fi
-end_group
-
-start_group "walled garden NSIP rewrites" test4a
-addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2
-addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2
-here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2
+ fi
+
+ # these tests assume "min-ns-dots 0"
+ start_group "NSIP rewrites" test4
+ nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2
+ nochange a3-2.tld2. # 2 exempt rewrite by name
+ nochange a0-1.tld2. # 3 exempt rewrite by address block
+ nochange a3-1.tld4 # 4 different NS IP address
+ if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then
+ addr 12.12.12.12 as-ns.tld5. # 5 ip-as-ns
+ fi
+ end_group
+
+ start_group "walled garden NSIP rewrites" test4a
+ addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2
+ addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2
+ here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2
;; status: NOERROR, x
a3-1.tld2. x IN TXT "NSIP walled garden"
EOF
-end_group
-if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then
+ end_group
+ if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then
ckstats $ns3 test4 ns3 5
-else
+ else
ckstats $ns3 test4 ns3 4
-fi
-
-# policies in ./test5 overridden by response-policy{} in ns3/named.conf
-# and in ns5/named.conf
-start_group "policy overrides" test5
-addr 127.0.0.1 a3-1.tld2 # 1 bl-given
-nochange a3-2.tld2 # 2 bl-passthru
-nochange a3-3.tld2 # 3 bl-no-op obsolete for passthru
-nochange a3-4.tld2 # 4 bl-disabled
-nodata a3-5.tld2 # 5 bl-nodata zone recursive-only no
-nodata a3-5.tld2 +norecurse # 6 bl-nodata zone recursive-only no
-nodata a3-5.tld2 # 7 bl-nodata not needed
-nxdomain a3-5.tld2 +norecurse @$ns5 # 8 bl-nodata global recursive-only no
-nxdomain a3-5.tld2s @$ns5 # 9 bl-nodata global break-dnssec
-nxdomain a3-5.tld2s +dnssec @$ns5 # 10 bl-nodata global break-dnssec
-nxdomain a3-6.tld2 # 11 bl-nxdomain
-here a3-7.tld2 -tany <<'EOF'
+ fi
+
+ # policies in ./test5 overridden by response-policy{} in ns3/named.conf
+ # and in ns5/named.conf
+ start_group "policy overrides" test5
+ addr 127.0.0.1 a3-1.tld2 # 1 bl-given
+ nochange a3-2.tld2 # 2 bl-passthru
+ nochange a3-3.tld2 # 3 bl-no-op obsolete for passthru
+ nochange a3-4.tld2 # 4 bl-disabled
+ nodata a3-5.tld2 # 5 bl-nodata zone recursive-only no
+ nodata a3-5.tld2 +norecurse # 6 bl-nodata zone recursive-only no
+ nodata a3-5.tld2 # 7 bl-nodata not needed
+ nxdomain a3-5.tld2 +norecurse @$ns5 # 8 bl-nodata global recursive-only no
+ nxdomain a3-5.tld2s @$ns5 # 9 bl-nodata global break-dnssec
+ nxdomain a3-5.tld2s +dnssec @$ns5 # 10 bl-nodata global break-dnssec
+ nxdomain a3-6.tld2 # 11 bl-nxdomain
+ here a3-7.tld2 -tany <<'EOF'
;; status: NOERROR, x
a3-7.tld2. x IN CNAME txt-only.tld2.
txt-only.tld2. x IN TXT "txt-only-tld2"
EOF
-addr 58.58.58.58 a3-8.tld2 # 13 bl_wildcname
-addr 59.59.59.59 a3-9.sub9.tld2 # 14 bl_wildcname
-addr 12.12.12.12 a3-15.tld2 # 15 bl-garden via CNAME to a12.tld2
-addr 127.0.0.16 a3-16.tld2 100 # 16 bl max-policy-ttl 100
-addr 17.17.17.17 "a3-17.tld2 @$ns5" 90 # 17 ns5 bl max-policy-ttl 90
-drop a3-18.tld2 any # 18 bl-drop
-nxdomain TCP a3-19.tld2 # 19 bl-tcp-only
-end_group
-ckstats $ns3 test5 ns3 12
-ckstats $ns5 test5 ns5 4
-
-
-# check that miscellaneous bugs are still absent
-start_group "crashes" test6
-for Q in RRSIG SIG ANY 'ANY +dnssec'; do
+ addr 58.58.58.58 a3-8.tld2 # 13 bl_wildcname
+ addr 59.59.59.59 a3-9.sub9.tld2 # 14 bl_wildcname
+ addr 12.12.12.12 a3-15.tld2 # 15 bl-garden via CNAME to a12.tld2
+ addr 127.0.0.16 a3-16.tld2 100 # 16 bl max-policy-ttl 100
+ addr 17.17.17.17 "a3-17.tld2 @$ns5" 90 # 17 ns5 bl max-policy-ttl 90
+ drop a3-18.tld2 any # 18 bl-drop
+ nxdomain TCP a3-19.tld2 # 19 bl-tcp-only
+ end_group
+ ckstats $ns3 test5 ns3 12
+ ckstats $ns5 test5 ns5 4
+
+ # check that miscellaneous bugs are still absent
+ start_group "crashes" test6
+ for Q in RRSIG SIG ANY 'ANY +dnssec'; do
nocrash a3-1.tld2 -t$Q
nocrash a3-2.tld2 -t$Q
nocrash a3-5.tld2 -t$Q
nocrash www.redirect -t$Q
nocrash www.credirect -t$Q
-done
+ done
-# This is not a bug, because any data leaked by writing 24.4.3.2.10.rpz-ip
-# (or whatever) is available by publishing "foo A 10.2.3.4" and then
-# resolving foo.
-# nxdomain 32.3.2.1.127.rpz-ip
-end_group
-ckstats $ns3 bugs ns3 8
+ # This is not a bug, because any data leaked by writing 24.4.3.2.10.rpz-ip
+ # (or whatever) is available by publishing "foo A 10.2.3.4" and then
+ # resolving foo.
+ # nxdomain 32.3.2.1.127.rpz-ip
+ end_group
+ ckstats $ns3 bugs ns3 8
-# superficial test for major performance bugs
-QPERF=`sh qperf.sh`
-if test -n "$QPERF"; then
+ # superficial test for major performance bugs
+ QPERF=`sh qperf.sh`
+ if test -n "$QPERF"; then
perf () {
date "+I:${TS}checking performance $1"
# Dry run to prime everything
ckstats $ns5 performance ns5 200
-else
+ else
echo "I:performance not checked; queryperf not available"
-fi
+ fi
-if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then
+ if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then
echo "I:checking that dnsrpzd is automatically restarted"
OLD_PID=`cat dnsrpzd.pid`
$KILL "$OLD_PID"
fi
$WAIT_CMD
done
-fi
-
+ fi
-# restart the main test RPZ server to see if that creates a core file
-if test -z "$HAVE_CORE"; then
+ # restart the main test RPZ server to see if that creates a core file
+ if test -z "$HAVE_CORE"; then
$PERL $SYSTEMTESTTOP/stop.pl . ns3
restart 3
HAVE_CORE=`find ns* -name '*core*' -print`
test -z "$HAVE_CORE" || setret "I:found $HAVE_CORE; memory leak?"
-fi
+ fi
-# look for complaints from lib/dns/rpz.c and bin/name/query.c
-EMSGS=`egrep -l 'invalid rpz|rpz.*failed' ns*/named.run`
-if test -n "$EMSGS"; then
+ # look for complaints from lib/dns/rpz.c and bin/name/query.c
+ EMSGS=`egrep -l 'invalid rpz|rpz.*failed' ns*/named.run`
+ if test -n "$EMSGS"; then
setret "I:error messages in $EMSGS starting with:"
egrep 'invalid rpz|rpz.*failed' ns*/named.run | sed -e '10,$d' -e 's/^/I: /'
-fi
-
-t=`expr $t + 1`
-echo "I:checking that ttl values are not zeroed when qtype is '*' (${t})"
-$DIG +noall +answer -p 5300 @$ns3 any a3-2.tld2 > dig.out.$t
-ttl=`awk '/a3-2 tld2 text/ {print $2}' dig.out.$t`
-if test ${ttl:=0} -eq 0; then setret I:failed; fi
+ fi
+ t=`expr $t + 1`
+ echo "I:checking that ttl values are not zeroed when qtype is '*' (${t})"
+ $DIG +noall +answer -p 5300 @$ns3 any a3-2.tld2 > dig.out.$t
+ ttl=`awk '/a3-2 tld2 text/ {print $2}' dig.out.$t`
+ if test ${ttl:=0} -eq 0; then setret I:failed; fi
-t=`expr $t + 1`
-echo "I:checking rpz updates/transfers with parent nodes added after children" \
+ t=`expr $t + 1`
+ echo "I:checking rpz updates/transfers with parent nodes added after children" \
| tr -d '\n'
-# regression test for RT #36272: the success condition
-# is the slave server not crashing.
-nsd() {
- $NSUPDATE -p 5300 << EOF
-server $1
-ttl 300
-update $2 $3 IN CNAME .
-update $2 $4 IN CNAME .
-send
-EOF
- sleep 2
-}
-for i in 1 2 3 4 5; do
+ # regression test for RT #36272: the success condition
+ # is the slave server not crashing.
+ for i in 1 2 3 4 5; do
nsd $ns5 add example.com.policy1. '*.example.com.policy1.'
echo . | tr -d '\n'
nsd $ns5 delete example.com.policy1. '*.example.com.policy1.'
echo . | tr -d '\n'
-done
-for i in 1 2 3 4 5; do
+ done
+ for i in 1 2 3 4 5; do
nsd $ns5 add '*.example.com.policy1.' example.com.policy1.
echo . | tr -d '\n'
nsd $ns5 delete '*.example.com.policy1.' example.com.policy1.
echo . | tr -d '\n'
-done
-echo " (${t})"
-
-
-t=`expr $t + 1`
-echo "I:checking that going from an empty policy zone works (${t})"
-nsd $ns5 add '*.x.servfail.policy2.' x.servfail.policy2.
-sleep 1
-$RNDCCMD $ns7 reload policy2
-$DIG z.x.servfail -p 5300 @$ns7 > dig.out.${t}
-grep NXDOMAIN dig.out.${t} > /dev/null || setret I:failed
-
-# dnsrps does not allow NS RRs in policy zones, so this check
-# with dnsrps results in no rewriting.
-if [ "$DNSRPS_TEST_MODE" = native ]; then
+ done
+ echo " (${t})"
+
+ t=`expr $t + 1`
+ echo "I:checking that going from an empty policy zone works (${t})"
+ nsd $ns5 add '*.x.servfail.policy2.' x.servfail.policy2.
+ sleep 1
+ $RNDCCMD $ns7 reload policy2
+ $DIG z.x.servfail -p 5300 @$ns7 > dig.out.${t}
+ grep NXDOMAIN dig.out.${t} > /dev/null || setret I:failed
+
+ # dnsrps does not allow NS RRs in policy zones, so this check
+ # with dnsrps results in no rewriting.
+ if [ "$DNSRPS_TEST_MODE" = native ]; then
t=`expr $t + 1`
echo "I:checking rpz with delegation fails correctly (${t})"
$DIG -p 5300 @$ns3 ns example.com > dig.out.$t
grep "status: SERVFAIL" dig.out.$t > /dev/null || setret "I:failed"
-fi
+ fi
+
+ [ $status -ne 0 ] && pf=fail || pf=pass
+ case $DNSRPS_TEST_MODE in
+ native)
+ native=$status
+ echo "I:status (native RPZ sub-test): $status ($pf)";;
+
+ dnsrps)
+ dnsrps=$status
+ echo "I:status (DNSRPS sub-test): $status ($pf)";;
+ *) echo "I:invalid test mode";;
+ esac
+done
+status=`expr ${native:-0} + ${dnsrps:-0}`
-[ $status -ne 0 ] && pf=fail || pf=pass
-case $DNSRPS_TEST_MODE in
- native) echo "I:status (native RPZ sub-test): $status ($pf)";;
- dnsrps) echo "I:status (DNSRPS sub-test): $status ($pf)";;
- *) echo "I:invalid test mode";;
-esac
[ $status -eq 0 ] || exit 1
projects / thirdparty / bind9.git / commitdiff
