From: Aram Sargsyan
Date: Mon, 26 Jan 2026 14:28:10 +0000 (+0000)
Subject: Add a new check in the RPZ system test
X-Git-Tag: v9.21.18~7^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d81a2457d6fe09a01d60d4204fb80c3e2feec88d;p=thirdparty%2Fbind9.git

Add a new check in the RPZ system test

Check that reloading a response policy zone which has an '$INCLUDE' directive defined is working as expected.
---
diff --git a/bin/tests/system/rpz/ns2/tld2.db b/bin/tests/system/rpz/ns2/tld2.db
index c6f2556db59..a66ee16d14d 100644
--- a/bin/tests/system/rpz/ns2/tld2.db
+++ b/bin/tests/system/rpz/ns2/tld2.db
@@ -123,3 +123,6 @@ a7-1 A 192.168.7.1 a7-2 A 192.168.7.2 TXT "a7-2 tld2 text" + +a8-1 A 192.168.8.1 + TXT "a8-1 tld2 text"
diff --git a/bin/tests/system/rpz/ns3/include-rpz.db.in b/bin/tests/system/rpz/ns3/include-rpz.db.in
new file mode 100644
index 00000000000..5133b78964e
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/include-rpz.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+
+$INCLUDE include-rpz.inc
diff --git a/bin/tests/system/rpz/ns3/include-rpz.inc-1.in b/bin/tests/system/rpz/ns3/include-rpz.inc-1.in
new file mode 100644
index 00000000000..5d316a89b0a
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/include-rpz.inc-1.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ SOA include-rpz. hostmaster.ns.include-rpz. ( 1 3600 1200 604800 60 )
+ NS ns.tld3.
diff --git a/bin/tests/system/rpz/ns3/include-rpz.inc-2.in b/bin/tests/system/rpz/ns3/include-rpz.inc-2.in
new file mode 100644
index 00000000000..4bce8532cc1
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/include-rpz.inc-2.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ SOA include-rpz. hostmaster.ns.include-rpz. ( 2 3600 1200 604800 60 )
+ NS ns.tld3.
+
+a8-1.tld2 CNAME .
diff --git a/bin/tests/system/rpz/ns3/named.conf.j2 b/bin/tests/system/rpz/ns3/named.conf.j2
index cd2a29b7545..2f8879b081e 100644
--- a/bin/tests/system/rpz/ns3/named.conf.j2
+++ b/bin/tests/system/rpz/ns3/named.conf.j2
@@ -53,6 +53,7 @@ options {
 zone "bl.tld2";
 zone "manual-update-rpz" ede forged;
 zone "mixed-case-rpz";
+ zone "include-rpz";
 zone "evil-cname" policy cname a12.tld2. ede blocked;
 zone "wild-cname" ede blocked;
 zone "slow-rpz";
@@ -129,6 +130,12 @@ zone "mixed-case-rpz." {
 notify no;
 };
 
+zone "include-rpz." {
+ type primary;
+ file "include-rpz.db";
+ notify no;
+};
+
 zone "slow-rpz." {
 type primary;
 file "slow-rpz.db";
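Review bot: The `a8-1.tld2 CNAME .` record at the end of include-rpz.inc-2.in carries the whole meaning of the new check but has no comment. A reader has to know that `CNAME .` is the RPZ encoding of the NXDOMAIN action, and has to notice that the SOA serial is 2 here against 1 in include-rpz.inc-1.in. I would add a comment above the record such as `; RPZ NXDOMAIN action: tests.sh expects NXDOMAIN for a8-1.tld2 after the reload`, and a one-line comment in include-rpz.inc-1.in saying it is the initial variant with no policy rules.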
diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh
index 56b2a5cda20..eee949dd076 100644
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
@@ -38,6 +38,9 @@ cp ns3/wild-cname.db.in ns3/wild-cname.db cp ns3/mixed-case-rpz-1.db.in ns3/mixed-case-rpz.db +cp ns3/include-rpz.db.in ns3/include-rpz.db +cp ns3/include-rpz.inc-1.in ns3/include-rpz.inc + # a "big" zone (tested with '-T rpzslow' enabled to slow down loading) cp ns3/slow-rpz.db.in ns3/slow-rpz.db
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index 578ed9daf96..2b3598d7af5 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -707,6 +707,16 @@ sleep 1
 $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t.after || setret "failed"
 grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.after >/dev/null || setret "failed"
 
+t=$((t + 1))
+echo_i "checking rpz with included rules can reload (${t})"
+$DIG -p ${PORT} @$ns3 a8-1.tld2 >dig.out.$t.before || setret "failed"
+grep "status: NOERROR" dig.out.$t.before >/dev/null || setret "failed"
+cp ns3/include-rpz.inc-2.in ns3/include-rpz.inc
+rndc_reload ns3 $ns3 include-rpz
+sleep 1
+$DIG -p ${PORT} @$ns3 a8-1.tld2 >dig.out.$t.after || setret "failed"
+grep "status: NXDOMAIN" dig.out.$t.after >/dev/null || setret "failed"
+
 t=$((t + 1))
 echo_i "checking the default (unset) extended DNS error code (EDE) (${t})"
 $DIG -p ${PORT} @$ns3 a6-2.tld2. A >dig.out.$t || setret "failed"
diff --git a/bin/tests/system/rpz/tests_sh_rpz.py b/bin/tests/system/rpz/tests_sh_rpz.py
index 5f6a88a21b1..348546f4c50 100644
--- a/bin/tests/system/rpz/tests_sh_rpz.py
+++ b/bin/tests/system/rpz/tests_sh_rpz.py
@@ -39,6 +39,8 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns3/bl.tld2.db",
 "ns3/evil-cname.db",
 "ns3/fast-expire.db",
+ "ns3/include-rpz.db",
+ "ns3/include-rpz.inc",
 "ns3/manual-update-rpz.db",
 "ns3/mixed-case-rpz.db",
 "ns3/named.conf.tmp",
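Review bot: The fixed `sleep 1` after `rndc_reload ns3 $ns3 include-rpz` in the tests.sh hunk makes the NXDOMAIN assertion timing-dependent. If the policy zone has not finished reloading within a second, the `.after` query still returns NOERROR and the check fails for a reason unrelated to `$INCLUDE` handling. The preceding check visible at the top of the hunk uses the same pattern, and `rndc_reload` is defined outside the hunk and may already wait for completion; if it does not, retrying the query a bounded number of times would be more robust. The copy step is also unchecked: `cp ns3/include-rpz.inc-2.in ns3/include-rpz.inc || setret "failed"` would report a failed copy directly instead of as a later status mismatch.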