From: Evan Hunt Date: Thu, 20 Nov 2025 00:35:31 +0000 (-0800) Subject: add a test for allow-recursion/allow-query-cache inheritance X-Git-Tag: v9.21.16~39^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f9340fc152e75a592e645acfa7aa79b75d331fab;p=thirdparty%2Fbind9.git add a test for allow-recursion/allow-query-cache inheritance allow-recursion is set to "none" in the options block and to "any" in the view. allow-query-cache in the view should inherit the "any", not the "none". (currently this test does not pass.)
---
diff --git a/bin/tests/system/allow-query/ns3/named5.conf.in b/bin/tests/system/allow-query/ns3/named5.conf.in
new file mode 100644
index 00000000000..81edf10e343
--- /dev/null
+++ b/bin/tests/system/allow-query/ns3/named5.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; 10.53.1.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ allow-recursion { none; };
+ dnssec-validation no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view internal {
+ match-destinations { 10.53.0.3; };
+ zone "." {
+ type hint;
+ file "../../_common/root.hint";
+ };
+
+ recursion yes;
+ allow-recursion { any; };
+};
diff --git a/bin/tests/system/allow-query/ns3/named6.conf.in b/bin/tests/system/allow-query/ns3/named6.conf.in
new file mode 100644
index 00000000000..94e796ba246
--- /dev/null
+++ b/bin/tests/system/allow-query/ns3/named6.conf.in
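Review bot: Nothing in named5.conf.in says which inheritance case it sets up or which test loads it, and it differs from named6.conf.in to named8.conf.in by only a couple of ACL lines, so a reader has to diff the four files against tests.sh to recover the intent. A short comment above the `options` block would settle it, for example `/* Test 63: allow-recursion is "none" in options and "any" in the view; the view's allow-query-cache should inherit "any". */`. The same applies to named6.conf.in, named7.conf.in and named8.conf.in, each with its own test number and expected result.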
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion no;
+ allow-query-cache { none; };
+ dnssec-validation no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view internal {
+ match-destinations { 10.53.0.3; };
+ zone "." {
+ type hint;
+ file "../../_common/root.hint";
+ };
+ recursion yes;
+ allow-recursion{ any; };
+};
diff --git a/bin/tests/system/allow-query/ns3/named7.conf.in b/bin/tests/system/allow-query/ns3/named7.conf.in
new file mode 100644
index 00000000000..28a05bf171c
--- /dev/null
+++ b/bin/tests/system/allow-query/ns3/named7.conf.in
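Review bot: The view's `allow-recursion{ any; };` is missing the space before the brace that every other clause in these files has; named5.conf.in writes the same statement as `allow-recursion { any; };`. named7.conf.in has the same slip in `allow-query{ any; };`. It presumably parses identically, but these two lines are exactly the ones that distinguish the fixtures, so they are worth writing the same way as the rest.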
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion no;
+ allow-recursion { none; };
+ dnssec-validation no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view internal {
+ match-destinations { 10.53.0.3; };
+ zone "." {
+ type hint;
+ file "../../_common/root.hint";
+ };
+ recursion yes;
+ allow-query{ any; };
+};
diff --git a/bin/tests/system/allow-query/ns3/named8.conf.in b/bin/tests/system/allow-query/ns3/named8.conf.in
new file mode 100644
index 00000000000..a248f55ac4a
--- /dev/null
+++ b/bin/tests/system/allow-query/ns3/named8.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; 10.53.0.4; 10.53.1.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ allow-query-cache { none; };
+ dnssec-validation no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view internal {
+ zone "." {
+ type hint;
+ file "../../_common/root.hint";
+ };
+
+ recursion yes;
+ allow-query-cache { 10.53.0.3; 10.53.0.4; };
+ allow-query { 10.53.0.4; };
+};
diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
index bfacf765088..f332ce15e1f 100644
--- a/bin/tests/system/allow-query/tests.sh
+++ b/bin/tests/system/allow-query/tests.sh
@@ -734,5 +734,76 @@ nextpart ns3/named.run | grep 'allow-recursion-on did not match' >/dev/null || r
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+# Test 63 - allow-query-cache inheritance from allow-recursion
+n=$((n + 1))
+copy_setports ns3/named5.conf.in ns3/named.conf
+rndc_reload ns3 10.53.0.3
+
+echo_i "test $n: inheritance of allow-query-cache from allow-recursion"
+ret=0
+# this should be allowed
+$DIG -p ${PORT} @10.53.0.3 e.normal.example a >dig.out.ns3.1.$n || ret=1
+grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1
+# this should be prohibited
+$DIG -p ${PORT} @10.53.1.2 f.normal.example a >dig.out.ns3.2.$n || ret=1
+grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1
+grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1
+grep 'EDE: 20' dig.out.ns3.2.$n >/dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Test 64 - allow-query-cache no inheritance from allow-recursion as it is
+# defined in the options
+n=$((n + 1))
+copy_setports ns3/named6.conf.in ns3/named.conf
+rndc_reload ns3 10.53.0.3
+
+echo_i "test $n: allow-query-cache defined in options, so it does not inherit from allow-recursion"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 f.normal.example a >dig.out.ns3.1.$n || ret=1
+grep 'recursion requested but not available' dig.out.ns3.1.$n >/dev/null || ret=1
+grep 'status: REFUSED' dig.out.ns3.1.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns3.1.$n >/dev/null || ret=1
+grep 'EDE: 20' dig.out.ns3.1.$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Test 65 - allow-query-cache inherits from allow-recursion before allow-query
+n=$((n + 1))
+copy_setports ns3/named7.conf.in ns3/named.conf
+rndc_reload ns3 10.53.0.3
+
+echo_i "test $n: allow-query-cache inherits from allow-recursion before allow-query"
+ret=0
+$DIG -p ${PORT} -b 10.53.0.3 @10.53.0.3 f.normal.example a >dig.out.ns3.1.$n || ret=1
+grep 'recursion requested but not available' dig.out.ns3.1.$n >/dev/null || ret=1
+grep 'status: REFUSED' dig.out.ns3.1.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns3.1.$n >/dev/null || ret=1
+grep 'EDE: 20' dig.out.ns3.1.$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Test 66 - allow-recursion inheritance from allow-query
+n=$((n + 1))
+copy_setports ns3/named8.conf.in ns3/named.conf
+rndc_reload ns3 10.53.0.3
+
+echo_i "test $n: inheritance of allow-query-cache from allow-recursion"
+ret=0
+# this should be prohibited (10.53.1.2 does not have recursion allowed)
+$DIG -p ${PORT} -b 10.53.1.2 @10.53.1.2 f.normal.example a >dig.out.ns3.1.$n || ret=1
+grep 'recursion requested but not available' dig.out.ns3.1.$n >/dev/null || ret=1
+grep 'status: REFUSED' dig.out.ns3.1.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns3.1.$n >/dev/null || ret=1
+grep 'EDE: 20' dig.out.ns3.1.$n >/dev/null || ret=1
+# this should be allowed
+$DIG -p ${PORT} -b 10.53.0.4 @10.53.0.4 f.normal.example a >dig.out.ns3.2.$n || ret=1
+grep 'ANSWER: 1' dig.out.ns3.2.$n >/dev/null || ret=1
+# this should be allowed
+$DIG -p ${PORT} -b 10.53.0.4 @10.53.0.4 e.normal.example a >dig.out.ns3.3.$n || ret=1
+grep 'ANSWER: 1' dig.out.ns3.3.$n >/dev/null || ret=1
+status=$((status + ret))
+if [ $ret != 0 ]; then echo_i "failed"; fi
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
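Review bot: Test 66 prints the same description as test 63, `inheritance of allow-query-cache from allow-recursion`, while its own comment says it covers allow-recursion inheriting from allow-query, so a failure in the log cannot be told apart from test 63 by its message. The `echo_i` line should name the case under test, for example `echo_i "test $n: inheritance of allow-recursion from allow-query"`, with the wording confirmed against what named8.conf.in is meant to exercise. In the same test the refused query is sent from 10.53.1.2, which appears in neither `allow-query` nor `allow-query-cache` in named8.conf.in, so the REFUSED result does not show which ACL produced it; 10.53.0.3, listed only in `allow-query-cache`, is never used as a source and looks like the more discriminating case. Tests 64 and 65 also assert identical output right after a reload whose result is not checked in this hunk, so a reload that failed quietly would presumably leave test 65 passing on the previous configuration.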