From: Mark Andrews Date: Wed, 1 Dec 2021 13:56:27 +0000 (+1100) Subject: Check reject-000-label X-Git-Tag: v9.17.21~5^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=41d14210de67de1ae9ee377c3e44322274ccf6a5;p=thirdparty%2Fbind9.git Check reject-000-label
---
diff --git a/bin/tests/system/synthfromdnssec/ns8/named.conf.in b/bin/tests/system/synthfromdnssec/ns8/named.conf.in
new file mode 100644
index 00000000000..382be43887d
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns8/named.conf.in
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.8;
+ notify-source 10.53.0.8;
+ transfer-source 10.53.0.8;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.8; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify no;
+ dnssec-validation yes;
+ reject-000-label no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+statistics-channels {
+ inet 10.53.0.8 port @EXTRAPORT1@ allow { any; };
+};
+
+zone "." {
+ type hint;
+ file "root.hints";
+};
+
+include "../ns1/trusted.conf";
diff --git a/bin/tests/system/synthfromdnssec/ns8/root.hints b/bin/tests/system/synthfromdnssec/ns8/root.hints
new file mode 100644
index 00000000000..63fc22d0e1d
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns8/root.hints
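Review bot: The header comment in the new ns8/named.conf.in reads `// NS2`, which looks copied from the ns2 fixture; it should be `// NS8` so that someone matching logs or dig output to a config is not pointed at the wrong server. The one setting that distinguishes this server is `reject-000-label no;`, and a short comment beside it saying ns8 exists to exercise the non-default value would make that explicit. The fixed rndc secret and the `allow { any; }` on both `controls` and `statistics-channels` are scoped to the 10.53.0.8 test address here; a comment marking them as test-only values would keep them from being copied into a deployed configuration.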
@@ -0,0 +1,11 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +. NS ns1 +ns1 A 10.53.0.1 diff --git a/bin/tests/system/synthfromdnssec/setup.sh b/bin/tests/system/synthfromdnssec/setup.sh index 7768353e749..d42715de991 100644 --- a/bin/tests/system/synthfromdnssec/setup.sh +++ b/bin/tests/system/synthfromdnssec/setup.sh @@ -21,6 +21,7 @@ copy_setports ns4/named.conf.in ns4/named.conf copy_setports ns5/named.conf.in ns5/named.conf copy_setports ns6/named.conf.in ns6/named.conf copy_setports ns7/named.conf.in ns7/named.conf +copy_setports ns8/named.conf.in ns8/named.conf ( cd ns1 diff --git a/bin/tests/system/synthfromdnssec/tests.sh b/bin/tests/system/synthfromdnssec/tests.sh index 614a1145ccd..b21262593a8 100644 --- a/bin/tests/system/synthfromdnssec/tests.sh +++ b/bin/tests/system/synthfromdnssec/tests.sh @@ -19,6 +19,7 @@ set -e status=0 n=1 synth_default=yes +reject_default=yes rm -f dig.out.* @@ -98,7 +99,7 @@ check_auth_count() { return 0 } -for ns in 2 4 5 6 7 +for ns in 2 4 5 6 7 8 do case $ns in 2) ad=yes; description="";; @@ -106,6 +107,7 @@ do 5) ad=yes; description="yes";; 6) ad=no; description="yes; dnssec-validation no";; 7) ad=yes; description="yes; server 10.53.0.1 { broken-nsec yes; };";; + 8) ad=yes; description="yes; reject-000-label no;";; *) exit 1;; esac echo_i "prime negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)" 
@@ -331,14 +333,15 @@ status=$((status+ret)) # sleep 1 -for ns in 2 4 5 6 7 +for ns in 2 4 5 6 7 8 do case $ns in - 2) ad=yes synth=${synth_default} description="";; - 4) ad=yes synth=no description="no";; - 5) ad=yes synth=yes description="yes";; - 6) ad=no synth=no description="yes; dnssec-validation no";; - 7) ad=yes synth=no description="yes; server 10.53.0.1 { broken-nsec yes; };";; + 2) ad=yes synth=${synth_default} reject=${reject_default} description="";; + 4) ad=yes synth=no reject=${reject_default} description="no";; + 5) ad=yes synth=yes reject=${reject_default} description="yes";; + 6) ad=no synth=no reject=${reject_default} description="yes; dnssec-validation no";; + 7) ad=yes synth=no reject=${reject_default} description="yes; server 10.53.0.1 { broken-nsec yes; };";; + 8) ad=yes synth=yes reject=no description="yes; reject-000-label no;";; *) exit 1;; esac echo_i "check synthesized NXDOMAIN response (synth-from-dnssec ${description};) ($n)" @@ -594,7 +597,7 @@ do dig_with_opts black.minimal. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1 check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - if [ ${synth} = yes ] + if [ ${synth} = yes -a ${reject} = no ] then check_synth_soa minimal. dig.out.ns${ns}.test$n || ret=1 nextpart ns1/named.run | grep black.minimal/AAAA > /dev/null && ret=1 @@ -676,7 +679,7 @@ do do case $synthesized in NXDOMAIN) count=1;; - no-data) count=5;; + no-data) if [ ${reject} = yes ]; then count=4; else count=5; fi;; wildcard) count=2;; esac echo_i "check 'rndc stats' output for 'synthesized a ${synthesized} response' (synth-from-dnssec ${description};) ($n)" @@ -737,7 +740,7 @@ do do case $synthesized in SynthNXDOMAIN) count=1;; - SynthNODATA) count=5;; + SynthNODATA) if [ $reject = yes ]; then count=4; else count=5; fi;; SynthWILDCARD) count=2;; esac 
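Review bot: The new condition `[ ${synth} = yes -a ${reject} = no ]` in the hunk at -594 leaves both operands unquoted and uses `-a` inside `[`, which POSIX marks obsolescent; if `synth` or `reject` is ever empty or unset, `[` fails with a syntax error and the `if` silently takes the else branch instead of reporting a test failure. I would write it as `if [ "${synth}" = yes ] && [ "${reject}" = no ]`. The same unquoted `reject` is read in the hunks at -676, -737 and -800, whose enclosing loops start outside the hunks, so it is worth confirming that each of them runs under a `case $ns` that assigns `reject`.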
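Review bot: The expected no-data count is now derived by the same inline `if` in three places (the hunks at -676, -737 and -800), written once with `${reject}` and twice with `$reject`. Deriving it once next to where `reject` is assigned, for example a `nodata_count` variable set to 4 or 5 after the `case $ns` in the hunk at -331, and then using `count=${nodata_count}` in the three inner `case` arms, would keep the numbers from drifting apart when another check is added; this assumes all three sit inside that loop, which the hunks do not show. A one-line comment naming the query that is no longer synthesized when reject-000-label is in effect (presumably the black.minimal. AAAA check in the hunk at -594) would explain where 4 versus 5 comes from.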
@@ -800,7 +803,7 @@ do do case $synthesized in SynthNXDOMAIN) count=1;; - SynthNODATA) count=5;; + SynthNODATA) if [ $reject = yes ]; then count=4; else count=5; fi;; SynthWILDCARD) count=2;; esac