From: Aram Sargsyan
Date: Fri, 26 Aug 2022 14:18:28 +0000 (+0000)
Subject: Add system tests for RPZ EDE codes
X-Git-Tag: v9.19.5~21^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5e4e303ffacc9f14ae86483128db8cfdb8fc3af1;p=thirdparty%2Fbind9.git

Add system tests for RPZ EDE codes

Check the new configuration option's syntax using the 'checkconf' system test. Check if the new option works by parsing DiG's output in the 'rpz' system test.
---
diff --git a/bin/tests/system/checkconf/bad-rpz-ede.conf b/bin/tests/system/checkconf/bad-rpz-ede.conf
new file mode 100644
index 00000000000..8d78f8df473
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rpz-ede.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+ type primary;
+ file "example.com.zone";
+};
+
+options {
+ response-policy {
+ zone "example.com." ede unsupported;
+ };
+};
diff --git a/bin/tests/system/checkconf/good-rpz-ede-none.conf b/bin/tests/system/checkconf/good-rpz-ede-none.conf
new file mode 100644
index 00000000000..c0ffab91e25
--- /dev/null
+++ b/bin/tests/system/checkconf/good-rpz-ede-none.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+ type primary;
+ file "example.com.zone";
+};
+
+options {
+ response-policy {
+ zone "example.com." ede none;
+ };
+};
diff --git a/bin/tests/system/checkconf/good-rpz-ede.conf b/bin/tests/system/checkconf/good-rpz-ede.conf
new file mode 100644
index 00000000000..616f9ee63ef
--- /dev/null
+++ b/bin/tests/system/checkconf/good-rpz-ede.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+ type primary;
+ file "example.com.zone";
+};
+
+options {
+ response-policy {
+ zone "example.com." ede filtered;
+ };
+};
diff --git a/bin/tests/system/rpz/ns3/named.conf.in b/bin/tests/system/rpz/ns3/named.conf.in
index aafe7f20f45..b0f6804bd29 100644
--- a/bin/tests/system/rpz/ns3/named.conf.in
+++ b/bin/tests/system/rpz/ns3/named.conf.in
@@ -48,7 +48,7 @@ options {
 zone "bl-drop" policy drop;
 zone "bl-tcp-only" policy tcp-only;
 zone "bl.tld2";
- zone "manual-update-rpz";
+ zone "manual-update-rpz" ede forged;
 zone "mixed-case-rpz";
 }
 add-soa yes
diff --git a/bin/tests/system/rpz/ns7/named.conf.in b/bin/tests/system/rpz/ns7/named.conf.in
index 7effd3db41f..40c385c32d1 100644
--- a/bin/tests/system/rpz/ns7/named.conf.in
+++ b/bin/tests/system/rpz/ns7/named.conf.in
@@ -26,7 +26,7 @@ options {
 dnssec-validation yes;
 response-policy {
- zone "policy2" add-soa no;
+ zone "policy2" add-soa no ede none;
 } qname-wait-recurse no
 nsip-enable yes
 nsdname-enable yes
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index 9975b686cfd..194527c1a83 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -848,6 +848,11 @@ EOF
 $PERL ../stop.pl --use-rndc --port ${CONTROLPORT} rpz ns3
 restart 3 "rebuild-bl-rpz"
+ t=`expr $t + 1`
+ echo_i "checking the configured extended DNS error code (EDE) (${t})"
+ $DIG -p ${PORT} @$ns3 walled.tld2 > dig.out.$t
+ grep -F "EDE: 4 (Forged Answer)" dig.out.$t > /dev/null || setret "failed"
+
 # reload a RPZ zone that is now deliberately broken.
 t=`expr $t + 1`
 echo_i "checking rpz failed update will keep previous rpz rules (${t})"
@@ -860,6 +865,11 @@ EOF
 $DIG -p ${PORT} @$ns3 walled.tld2 > dig.out.$t.after
 grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.after > /dev/null || setret "failed"
+ t=`expr $t + 1`
+ echo_i "checking the default (unset) extended DNS error code (EDE) (${t})"
+ $DIG -p ${PORT} @$ns3 a6-2.tld2. A > dig.out.$t
+ grep -F "EDE: " dig.out.$t > /dev/null && setret "failed"
+
 t=`expr $t + 1`
 echo_i "checking reload of a mixed-case RPZ zone (${t})"
 # First, a sanity check: the A6-2.TLD2.mixed-case-rpz RPZ record should
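Review bot: The new check placed after `restart 3 "rebuild-bl-rpz"` queries walled.tld2 and expects `EDE: 4 (Forged Answer)`, but nothing in the test says why that name carries the code; it depends on `ede forged` being set on the manual-update-rpz zone in ns3/named.conf.in, which is the zone that rewrites walled.tld2 (the later `add-soa yes` check greps `^manual-update-rpz\..*SOA` for the same query). A comment above the dig line, `# walled.tld2 is rewritten by manual-update-rpz, which ns3/named.conf.in configures with "ede forged"`, would keep the two files in sync when either is edited. The enclosing block of the test sequence starts and ends outside the hunk.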
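Review bot: The negative check `grep -F "EDE: " dig.out.$t > /dev/null && setret "failed"` in the `@@ -860,6` hunk passes vacuously when dig.out.$t is empty, for example when the query to $ns3 times out, so it does not actually prove that no EDE is attached in the unset case; the `ede none` check against $ns7 in the `@@ -907,20` hunk has the same weakness. Pair each negative grep with a positive assertion that a response was received, e.g. `grep ";; ->>HEADER<<-" dig.out.$t > /dev/null || setret "failed"` placed before it, or grep for the rewritten record the way the existing walled.tld2 check does. The enclosing block of the test sequence starts and ends outside the hunk.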
@@ -907,20 +917,25 @@ EOF
 grep NXDOMAIN dig.out.${t} > /dev/null || setret "failed"
 t=`expr $t + 1`
- echo_i "checking that "add-soa no" at rpz zone level works (${t})"
+ echo_i "checking that 'ede none' works same way as when \"ede\" is unset (${t})"
+ $DIG z.x.servfail -p ${PORT} @$ns7 > dig.out.${t}
+ grep -F "EDE: " dig.out.${t} > /dev/null && setret "failed"
+
+ t=`expr $t + 1`
+ echo_i "checking that 'add-soa no' at rpz zone level works (${t})"
 $DIG z.x.servfail -p ${PORT} @$ns7 > dig.out.${t}
 grep SOA dig.out.${t} > /dev/null && setret "failed"
 if [ native = "$mode" ]; then
 t=`expr $t + 1`
- echo_i "checking that "add-soa yes" at response-policy level works (${t})"
+ echo_i "checking that 'add-soa yes' at response-policy level works (${t})"
 $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 > dig.out.${t}
 grep "^manual-update-rpz\..*SOA" dig.out.${t} > /dev/null || setret "failed"
 fi
 if [ native = "$mode" ]; then
 t=`expr $t + 1`
- echo_i "checking that "add-soa unset" works (${t})"
+ echo_i "checking that 'add-soa unset' works (${t})"
 $DIG walled.tld2 -p ${PORT} +noall +add @$ns8 > dig.out.${t}
 grep "^manual-update-rpz\..*SOA" dig.out.${t} > /dev/null || setret "failed"
 fi