add a test for allow-recursion/allow-query-cache inheritance

allow-recursion is set to "none" in the options block and to
"any" in the view.  allow-query-cache in the view should inherit
the "any", not the "none". (currently this test does not pass.)

diff --git a/bin/tests/system/allow-query/ns3/named5.conf.in b/bin/tests/system/allow-query/ns3/named5.conf.in
new file mode 100644 (file)
index 0000000..81edf10
--- /dev/null
+++ b/bin/tests/system/allow-query/ns3/named5.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       port @PORT@;
+       pid-file "named.pid";
+       listen-on { 10.53.0.3; 10.53.1.2; };
+       listen-on-v6 { none; };
+       recursion no;
+       allow-recursion { none; };
+       dnssec-validation no;
+};
+
+key rndc_key {
+       secret "1234abcd8765";
+       algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+       inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view internal {
+        match-destinations { 10.53.0.3; };
+        zone "." {
+                type hint;
+                file "../../_common/root.hint";
+        };
+
+        recursion yes;
+        allow-recursion { any; };
+};

diff --git a/bin/tests/system/allow-query/ns3/named6.conf.in b/bin/tests/system/allow-query/ns3/named6.conf.in
new file mode 100644 (file)
index 0000000..94e796b
--- /dev/null
+++ b/bin/tests/system/allow-query/ns3/named6.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       port @PORT@;
+       pid-file "named.pid";
+       listen-on { 10.53.0.3; };
+       listen-on-v6 { none; };
+       recursion no;
+       allow-query-cache { none; };
+       dnssec-validation no;
+};
+
+key rndc_key {
+       secret "1234abcd8765";
+       algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+       inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view internal {
+        match-destinations { 10.53.0.3; };
+        zone "." {
+                type hint;
+                file "../../_common/root.hint";
+        };
+        recursion yes;
+       allow-recursion{ any; };
+};

diff --git a/bin/tests/system/allow-query/ns3/named7.conf.in b/bin/tests/system/allow-query/ns3/named7.conf.in
new file mode 100644 (file)
index 0000000..28a05bf
--- /dev/null
+++ b/bin/tests/system/allow-query/ns3/named7.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       port @PORT@;
+       pid-file "named.pid";
+       listen-on { 10.53.0.3; };
+       listen-on-v6 { none; };
+       recursion no;
+       allow-recursion { none; };
+       dnssec-validation no;
+};
+
+key rndc_key {
+       secret "1234abcd8765";
+       algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+       inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view internal {
+        match-destinations { 10.53.0.3; };
+        zone "." {
+                type hint;
+                file "../../_common/root.hint";
+        };
+        recursion yes;
+       allow-query{ any; };
+};

diff --git a/bin/tests/system/allow-query/ns3/named8.conf.in b/bin/tests/system/allow-query/ns3/named8.conf.in
new file mode 100644 (file)
index 0000000..a248f55
--- /dev/null
+++ b/bin/tests/system/allow-query/ns3/named8.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       port @PORT@;
+       pid-file "named.pid";
+       listen-on { 10.53.0.3; 10.53.0.4; 10.53.1.2; };
+       listen-on-v6 { none; };
+       recursion no;
+       allow-query-cache { none; };
+       dnssec-validation no;
+};
+
+key rndc_key {
+       secret "1234abcd8765";
+       algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+       inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view internal {
+        zone "." {
+                type hint;
+                file "../../_common/root.hint";
+        };
+
+        recursion yes;
+        allow-query-cache { 10.53.0.3; 10.53.0.4; };
+       allow-query { 10.53.0.4; };
+};

diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
index bfacf7650887381557f3e0e907f733de0bda8e04..f332ce15e1fcc21eebe3d528fecf18f68f20d297 100644 (file)
--- a/bin/tests/system/allow-query/tests.sh
+++ b/bin/tests/system/allow-query/tests.sh
@@ -734,5 +734,76 @@ nextpart ns3/named.run | grep 'allow-recursion-on did not match' >/dev/null || r
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+# Test 63 - allow-query-cache inheritance from allow-recursion
+n=$((n + 1))
+copy_setports ns3/named5.conf.in ns3/named.conf
+rndc_reload ns3 10.53.0.3
+
+echo_i "test $n: inheritance of allow-query-cache from allow-recursion"
+ret=0
+# this should be allowed
+$DIG -p ${PORT} @10.53.0.3 e.normal.example a >dig.out.ns3.1.$n || ret=1
+grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1
+# this should be prohibited
+$DIG -p ${PORT} @10.53.1.2 f.normal.example a >dig.out.ns3.2.$n || ret=1
+grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1
+grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1
+grep 'EDE: 20' dig.out.ns3.2.$n >/dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Test 64 - allow-query-cache no inheritance from allow-recursion as it is
+# defined in the options
+n=$((n + 1))
+copy_setports ns3/named6.conf.in ns3/named.conf
+rndc_reload ns3 10.53.0.3
+
+echo_i "test $n: allow-query-cache defined in options, so it does not inherit from allow-recursion"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 f.normal.example a >dig.out.ns3.1.$n || ret=1
+grep 'recursion requested but not available' dig.out.ns3.1.$n >/dev/null || ret=1
+grep 'status: REFUSED' dig.out.ns3.1.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns3.1.$n >/dev/null || ret=1
+grep 'EDE: 20' dig.out.ns3.1.$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Test 65 - allow-query-cache inherits from allow-recursion before allow-query
+n=$((n + 1))
+copy_setports ns3/named7.conf.in ns3/named.conf
+rndc_reload ns3 10.53.0.3
+
+echo_i "test $n: allow-query-cache inherits from allow-recursion before allow-query"
+ret=0
+$DIG -p ${PORT} -b 10.53.0.3 @10.53.0.3 f.normal.example a >dig.out.ns3.1.$n || ret=1
+grep 'recursion requested but not available' dig.out.ns3.1.$n >/dev/null || ret=1
+grep 'status: REFUSED' dig.out.ns3.1.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns3.1.$n >/dev/null || ret=1
+grep 'EDE: 20' dig.out.ns3.1.$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Test 66 - allow-recursion inheritance from allow-query
+n=$((n + 1))
+copy_setports ns3/named8.conf.in ns3/named.conf
+rndc_reload ns3 10.53.0.3
+
+echo_i "test $n: inheritance of allow-query-cache from allow-recursion"
+ret=0
+# this should be prohibited (10.53.1.2 does not have recursion allowed)
+$DIG -p ${PORT} -b 10.53.1.2 @10.53.1.2 f.normal.example a >dig.out.ns3.1.$n || ret=1
+grep 'recursion requested but not available' dig.out.ns3.1.$n >/dev/null || ret=1
+grep 'status: REFUSED' dig.out.ns3.1.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns3.1.$n >/dev/null || ret=1
+grep 'EDE: 20' dig.out.ns3.1.$n >/dev/null || ret=1
+# this should be allowed
+$DIG -p ${PORT} -b 10.53.0.4 @10.53.0.4 f.normal.example a >dig.out.ns3.2.$n || ret=1
+grep 'ANSWER: 1' dig.out.ns3.2.$n >/dev/null || ret=1
+# this should be allowed
+$DIG -p ${PORT} -b 10.53.0.4 @10.53.0.4 e.normal.example a >dig.out.ns3.3.$n || ret=1
+grep 'ANSWER: 1' dig.out.ns3.3.$n >/dev/null || ret=1
+status=$((status + ret))
+if [ $ret != 0 ]; then echo_i "failed"; fi
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1