From: Remi Gacogne
Date: Mon, 20 Feb 2017 10:06:19 +0000 (+0100)
Subject: rec: Fix TTLs in existing RPZ regression tests, add new ones
X-Git-Tag: rec-4.1.0-alpha1~201^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1008b79a297837823329f2a3293a928ddf335ec5;p=thirdparty%2Fpdns.git
rec: Fix TTLs in existing RPZ regression tests, add new ones
---
diff --git a/regression-tests.recursor/RPZ/command b/regression-tests.recursor/RPZ/command
index 783f62e3fa..420c8969f6 100755
--- a/regression-tests.recursor/RPZ/command
+++ b/regression-tests.recursor/RPZ/command
@@ -16,3 +16,19 @@ echo "==> www.hijackme.example.net is served on ns.hijackme.example.net, which s
 $SDIG $nameserver 5301 www.hijackme.example.net a recurse 2>&1
 echo "==> host.lowercase-outgoing.example.net is served on ns.lowercase-outgoing.example.net, blocked by NS IP rule"
 $SDIG $nameserver 5301 host.lowercase-outgoing.example.net a recurse 2>&1
+echo "==> capped-ttl.example.net TTL exceeds the maximum TTL for the zone"
+$SDIG $nameserver 5301 capped-ttl.example.net a recurse 2>&1
+echo "==> defpol-with-ttl.example.net should use the default policy's TTL and not the zone one"
+$SDIG $nameserver 5301 defpol-with-ttl.example.net a recurse 2>&1
+echo "==> defpol-with-ttl-capped.example.net should use the default policy's TTL, but capped to maxTTL"
+$SDIG $nameserver 5301 defpol-with-ttl-capped.example.net a recurse 2>&1
+echo "==> defpol-without-ttl.example.net should use the zone's TTL"
+$SDIG $nameserver 5301 defpol-without-ttl.example.net a recurse 2>&1
+echo "==> defpol-without-ttl-capped.example.net should use the zone's TTL but capped to maxTTL"
+$SDIG $nameserver 5301 defpol-without-ttl-capped.example.net a recurse 2>&1
+echo "==> unsupported.example.net has an unsupported target, should be ignored from the RPZ zone"
+$SDIG $nameserver 5301 unsupported.example.net a recurse 2>&1
+echo "==> unsupported2.example.net has an unsupported target, should be ignored from the RPZ zone"
+$SDIG $nameserver 5301 unsupported2.example.net a recurse 2>&1
+echo "==> not-rpz.example.net is _not_ an RPZ target and should be processed"
+$SDIG $nameserver 5301 not-rpz.example.net a recurse 2>&1
diff --git a/regression-tests.recursor/RPZ/expected_result b/regression-tests.recursor/RPZ/expected_result
index baf59124e7..d385d00c93 100644
--- a/regression-tests.recursor/RPZ/expected_result
+++ b/regression-tests.recursor/RPZ/expected_result
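Review bot: The last added query, `$SDIG $nameserver 5301 not-rpz.example.net a recurse 2>&1`, has an expected result (a CNAME to `rpz-not.com.` with Rcode 3) that depends on how a name outside the example.net test tree resolves. If the test recursor can reach anything other than the harness's own authoritative servers, which is not visible in this hunk, the outcome depends on external DNS and would change if that domain were ever registered. Pointing the RPZ record at a name the harness serves itself, or at one under a reserved TLD such as `.example` or `.invalid`, keeps the test hermetic. The echo label and the matching lines in expected_result would have to change with it.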
@@ -11,7 +11,7 @@ Rcode: 0 (No Error), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
 ==> www.example.net RPZ local data to www2.example.net
 Reply to question for qname='www.example.net.', qtype=A
 Rcode: 0 (No Error), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
-0 www.example.net. IN CNAME 0 www2.example.net.
+0 www.example.net. IN CNAME 7200 www2.example.net.
 0 www2.example.net. IN A 15 192.0.2.2
 ==> www4.example.net RPZ IP trigger action, dropped
 ==> trillian.example.net NXDOMAIN
@@ -28,3 +28,39 @@ Rcode: 3 (Non-Existent domain), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
 ==> host.lowercase-outgoing.example.net is served on ns.lowercase-outgoing.example.net, blocked by NS IP rule
 Reply to question for qname='host.lowercase-outgoing.example.net.', qtype=A
 Rcode: 3 (Non-Existent domain), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
+==> capped-ttl.example.net TTL exceeds the maximum TTL for the zone
+Reply to question for qname='capped-ttl.example.net.', qtype=A
+Rcode: 0 (No Error), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
+0 capped-ttl.example.net. IN A 5 192.0.2.35
+==> defpol-with-ttl.example.net should use the default policy's TTL and not the zone one
+Reply to question for qname='defpol-with-ttl.example.net.', qtype=A
+Rcode: 0 (No Error), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
+0 defpol-with-ttl.example.net. IN CNAME 10 default.example.net.
+0 default.example.net. IN A 15 192.0.2.42
+==> defpol-with-ttl-capped.example.net should use the default policy's TTL, but capped to maxTTL
+Reply to question for qname='defpol-with-ttl-capped.example.net.', qtype=A
+Rcode: 0 (No Error), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
+0 defpol-with-ttl-capped.example.net. IN CNAME 20 default.example.net.
+0 default.example.net. IN A 15 192.0.2.42
+==> defpol-without-ttl.example.net should use the zone's TTL
+Reply to question for qname='defpol-without-ttl.example.net.', qtype=A
+Rcode: 0 (No Error), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
+0 defpol-without-ttl.example.net. IN CNAME 7200 default.example.net.
+0 default.example.net. IN A 15 192.0.2.42
+==> defpol-without-ttl-capped.example.net should use the zone's TTL but capped to maxTTL
+Reply to question for qname='defpol-without-ttl-capped.example.net.', qtype=A
+Rcode: 0 (No Error), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
+0 defpol-without-ttl-capped.example.net. IN CNAME 50 default.example.net.
+0 default.example.net. IN A 15 192.0.2.42
+==> unsupported.example.net has an unsupported target, should be ignored from the RPZ zone
+Reply to question for qname='unsupported.example.net.', qtype=A
+Rcode: 3 (Non-Existent domain), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
+1 example.net. IN SOA 15 ns.example.net. hostmaster.example.net. 1 3600 1800 1209600 300
+==> unsupported2.example.net has an unsupported target, should be ignored from the RPZ zone
+Reply to question for qname='unsupported2.example.net.', qtype=A
+Rcode: 3 (Non-Existent domain), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
+1 example.net. IN SOA 15 ns.example.net. hostmaster.example.net. 1 3600 1800 1209600 300
+==> not-rpz.example.net is _not_ an RPZ target and should be processed
+Reply to question for qname='not-rpz.example.net.', qtype=A
+Rcode: 3 (Non-Existent domain), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
+0 not-rpz.example.net. IN CNAME 5 rpz-not.com.
diff --git a/regression-tests.recursor/config.sh b/regression-tests.recursor/config.sh
index d7713360d0..58fc79788b 100755
--- a/regression-tests.recursor/config.sh
+++ b/regression-tests.recursor/config.sh
@@ -91,6 +91,7 @@ www2.example.net. 3600 IN A 192.0.2.2
 www3.example.net. 3600 IN A 192.0.2.3
 www4.example.net. 3600 IN A 192.0.2.4
 www5.example.net. 3600 IN A 192.0.2.5
+default.example.net. 3600 IN A 192.0.2.42
 weirdtxt.example.net. 3600 IN IN TXT "x\014x"
 arthur.example.net. 3600 IN NS ns.arthur.example.net.
 arthur.example.net. 3600 IN NS ns2.arthur.example.net.
@@ -554,6 +555,11 @@ EOF cat > recursor-service3/config.lua < recursor-service3/rpz3.zone < recursor-service3/rpz4.zone < recursor-service3/rpz5.zone < recursor-service3/rpz6.zone < recursor-service3/rpz7.zone < recursor-service3/script.lua <
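Review bot: Both `unsupported*.example.net` cases in the `@@ -28,3 +28,39 @@` hunk expect `Rcode: 3 (Non-Existent domain)`, which is the same rcode the RPZ block shown in the host.lowercase-outgoing context lines produces. The only evidence that the entry was ignored rather than applied is therefore the `example.net. IN SOA` authority line. Ignoring an unsupported entry is a fail-open path for a policy zone, so the test would be more convincing if these names had a real record in the example.net zone and the expected reply were NOERROR with that address. Separately, `default.example.net. IN A 15` is expected in four consecutive replies; unless the harness normalises TTLs (not visible here), a later answer served from cache could show a lower value and make the test flaky.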