From: Aram Sargsyan Date: Mon, 23 Mar 2026 15:17:47 +0000 (+0000) Subject: Test an empty APL record as catalog zone ACL X-Git-Tag: v9.21.21~8^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b82966000eb4da912aacd390bf8040438e6071fe;p=thirdparty%2Fbind9.git Test an empty APL record as catalog zone ACL Test that named can process an empty APL record as a valid catalog zone ACL.
---
diff --git a/bin/tests/system/catz/tests.sh b/bin/tests/system/catz/tests.sh
index a5940238703..0e964d457f7 100644
--- a/bin/tests/system/catz/tests.sh
+++ b/bin/tests/system/catz/tests.sh
@@ -2659,6 +2659,102 @@ wait_for_soa @10.53.0.4 tls1.example. dig.out.test$n || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+##########################################################################
+# GL #5801
+
+nextpart ns4/named.run >/dev/null
+
+n=$((n + 1))
+echo_i "Add empty APL allow-query to catalog-misc zone using nsupdate ($n)"
+ret=0
+# Using "\# 0" form as a workaround for nsupdate not parsing zero length rdata
+$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ update add allow-query.ext.catalog-misc.example. 3600 IN APL \# 0
+ send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns4/named.run "catz: catalog-misc.example: reload done: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "Adding a domain check-allow-query.example. to primary via RNDC ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/check-allow-query.example.db
+echo "@ 3600 IN NS invalid." >>ns1/check-allow-query.example.db
+rndccmd 10.53.0.1 addzone check-allow-query.example. in default '{ type primary; file "check-allow-query.example.db"; allow-transfer { any; }; allow-update { any; }; notify explicit; also-notify { 10.53.0.4; }; };' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that check-allow-query.example. is now served by primary ($n)"
+ret=0
+wait_for_soa @10.53.0.1 check-allow-query.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+nextpart ns4/named.run >/dev/null
+
+n=$((n + 1))
+echo_i "Adding domain check-allow-query.example. to catalog-misc zone ($n)"
+ret=0
+$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ update add check-allow-query.zones.catalog-misc.example. 3600 IN PTR check-allow-query.example.
+ update add primaries.ext.check-allow-query.zones.catalog-misc.example. 3600 IN A 10.53.0.1
+ send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns4/named.run "catz: adding zone 'check-allow-query.example' from catalog 'catalog-misc.example'" \
+ && wait_for_message ns4/named.run "transfer of 'check-allow-query.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that check-allow-query.example. is not served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.4 check-allow-query.example. dig.out.test$n && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+nextpart ns4/named.run >/dev/null
+
+n=$((n + 1))
+echo_i "Deleting empty allow-query property from catalog-misc zone ($n)"
+ret=0
+$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ update delete allow-query.ext.catalog-misc.example. 3600 IN APL
+ send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns4/named.run "catz: catalog-misc.example: reload done: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that check-allow-query.example. is now served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.4 check-allow-query.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 ##########################################################################
 # GL #5658
 
diff --git a/bin/tests/system/catz/tests_sh_catz.py b/bin/tests/system/catz/tests_sh_catz.py
index 060e45fc0ff..4b68e2f65e5 100644
--- a/bin/tests/system/catz/tests_sh_catz.py
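Review bot: The step "checking that check-allow-query.example. is not served by secondary" passes on any failure of `wait_for_soa` (`wait_for_soa @10.53.0.4 ... && ret=1`), so it cannot tell an ACL refusal from ns4 timing out or answering SERVFAIL. Because the behaviour under test is that an empty allow-query APL denies every client, the step should pin the refusal itself, for example by adding `grep "status: REFUSED" dig.out.test$n >/dev/null || ret=1` after the `wait_for_soa` line, assuming the helper leaves the last dig response in that file. `wait_for_soa` is defined outside this hunk; if it retries until a timeout, the negative step also always costs the full retry window, and a single dig with the rcode check would avoid that.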
+++ b/bin/tests/system/catz/tests_sh_catz.py
@@ -21,6 +21,7 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns*/*.nzd*",
 "ns*/catalog*.example.db",
 "ns*/*dom*.example.db",
+ "ns1/check-allow-query.example.db",
 "ns1/longlong.longlong.long.long.name.example.db",
 "ns1/tls1.example.db",
 "ns2/__catz__*.db",