From b98a92071d0661421890f9f222f589ddeaeff9f2 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 21 Feb 2018 14:42:10 +1100
Subject: [PATCH] perform rpz testing with a loop rather that recursion

---
 bin/tests/system/rpz/setup.sh | 6 +-
 bin/tests/system/rpz/tests.sh | 575 +++++++++++++++++-----------------
 2 files changed, 295 insertions(+), 286 deletions(-)

diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh
index 2cadd168a14..ddf9ac808cc 100644
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
@@ -21,6 +21,7 @@ while getopts "Dx" c; do
 case $c in
 x) set -x; DEBUG=-x;;
 D) TEST_DNSRPS="-D";;
+ N) NOCLEAN=set;;
 *) echo "$USAGE" 1>&2; exit 1;;
 esac
 done
@@ -30,7 +31,7 @@ if test "$#" -ne 0; then
 exit 1
 fi
-$SHELL clean.sh $DEBUG
+[ ${NOCLEAN:-unset} = unset ] && $SHELL clean.sh $DEBUG
 # decide whether to test DNSRPS
 # Note that dnsrps.conf and dnsrps-slave.conf are included in named.conf
@@ -135,6 +136,9 @@ $PERL -e 'for ($cnt = $val = 1; $cnt <= 3000; ++$cnt) {
 cp ns2/bl.tld2.db.in ns2/bl.tld2.db
 cp ns5/empty.db.in ns5/empty.db
 cp ns5/empty.db.in ns5/policy2.db
+rm -f ns2/bl.tld2.db.jnl
+rm -f ns5/empty.db.jnl
+rm -f cp ns5/policy2.db.jnl
 # Run dnsrpzd to get the license and prime the static policy zones
 if test -n "$TEST_DNSRPS"; then
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index f4da88eec30..512ecdbf2e9 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
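Review bot: The new `N)` arm is unreachable, because the optstring on the hunk's header line is still `"Dx"`; `getopts` reports `-N` as an invalid option, so the `*)` arm prints the usage and exits 1 before `-D` is even parsed. That breaks the caller introduced in the tests.sh hunk, `$SHELL ./setup.sh -N -D $DEBUG`, whose exit status is not checked, so the DNSRPS pass would restart the servers with whatever configuration was already there. The loop line should become `while getopts "DNx" c; do`; the `while` itself starts before this hunk.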
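Review bot: `rm -f cp ns5/policy2.db.jnl` carries a stray `cp` token, so it also tries to remove a file literally named `cp` in the test directory (silently, because of `-f`) — presumably a slip from the `cp` lines just above. It should read `rm -f ns5/policy2.db.jnl`.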
@@ -61,39 +61,6 @@ comment () {
 DNSRPSCMD=./dnsrps
 RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s"
-# Run the tests twice, first without DNSRPS and then with if it is available
-if [ -z "$DNSRPS_TEST_MODE" ]; then
- if [ -e dnsrps-only ]; then
- echo "I:'dnsrps-only' found: skipping native RPZ sub-test"
- else
- echo "I:running native RPZ sub-test"
- $SHELL ./$0 -Dnative $ARGS || status=1
- fi
-
- if [ -e dnsrps-off ]; then
- echo "I:'dnsrps-off' found: skipping DNSRPS sub-test"
- else
- echo "I:attempting to configure servers with DNSRPS..."
- $PERL $SYSTEMTESTTOP/stop.pl .
- $SHELL ./setup.sh -D $DEBUG
- sed -n 's/^## /I:/p' dnsrps.conf
- if grep '^#fail' dnsrps.conf >/dev/null; then
- echo "I:exit status: 1"
- exit 1
- fi
- if test -z "`grep '^#skip' dnsrps.conf`"; then
- echo "I:running DNSRPS sub-test"
- $PERL $SYSTEMTESTTOP/start.pl --noclean --restart .
- $SHELL ./$0 $ARGS -Ddnsrps || status=1
- else
- echo "I:DNSRPS sub-test skipped"
- fi
- fi
-
- echo "I:exit status: $status"
- exit $status
-fi
-
 if test -x $DNSRPSCMD; then
 # speed up the many delays for dnsrpzd by waiting only 0.1 seconds
 WAIT_CMD="$DNSRPSCMD -w 0.1"
@@ -425,228 +392,271 @@ drop () {
 return 1
 }
+nsd() {
+ $NSUPDATE -p 5300 << EOF
+ server $1
+ ttl 300
+ update $2 $3 IN CNAME .
+ update $2 $4 IN CNAME .
+ send
+EOF
+ sleep 2
+}
 # make prototype files to check against rewritten results
 digcmd nonexistent @$ns2 >proto.nxdomain
 digcmd txt-only.tld2 @$ns2 >proto.nodata
-start_group "QNAME rewrites" test1
-nochange . # 1 do not crash or rewrite root
-nxdomain a0-1.tld2 # 2
-nodata a3-1.tld2 # 3
-nodata a3-2.tld2 # 4 nodata at DNAME itself
-nochange sub.a3-2.tld2 # 5 miss where DNAME might work
-nxdomain a4-2.tld2 # 6 rewrite based on CNAME target
-nxdomain a4-2-cname.tld2 # 7
-nodata a4-3-cname.tld2 # 8
-addr 12.12.12.12 a4-1.sub1.tld2 # 9 A replacement
-addr 12.12.12.12 a4-1.sub2.tld2 # 10 A replacement with wildcard
-addr 12.12.12.12 nxc1.sub1.tld2 # 11 replace NXDOMAIN with CNAME
-addr 12.12.12.12 nxc2.sub1.tld2 # 12 replace NXDOMAIN with CNAME chain
-addr 127.4.4.1 a4-4.tld2 # 13 prefer 1st conflicting QNAME zone
-nochange a6-1.tld2 # 14
-addr 127.6.2.1 a6-2.tld2 # 15
-addr 56.56.56.56 a3-6.tld2 # 16 wildcard CNAME
-addr 57.57.57.57 a3-7.sub1.tld2 # 17 wildcard CNAME
-addr 127.0.0.16 a4-5-cname3.tld2 # 18 CNAME chain
-addr 127.0.0.17 a4-6-cname3.tld2 # 19 stop short in CNAME chain
-nochange a5-2.tld2 +norecurse # 20 check that RD=1 is required
-nochange a5-3.tld2 +norecurse # 21
-nochange a5-4.tld2 +norecurse # 22
-nochange sub.a5-4.tld2 +norecurse # 23
-nxdomain c1.crash2.tld3 # 24 assert in rbtdb.c
-nxdomain a0-1.tld2 +dnssec # 25 simple DO=1 without signatures
-nxdomain a0-1.tld2s +nodnssec # 26 simple DO=0 with signatures
-nochange a0-1.tld2s +dnssec # 27 simple DO=1 with signatures
-nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain
-nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain
-nochange a0-1.tld2s srv +auth +dnssec # 30 no write for DNSSEC and no record
-nxdomain a0-1.tld2s srv +nodnssec # 31
-drop a3-8.tld2 any # 32 drop
-nochange tcp a3-9.tld2 # 33 tcp-only
-here x.servfail <<'EOF' # 34 qname-wait-recurse yes
+case "$DNSRPS_TEST_MODE" in
+''|native|dnsrps);;
+*)
+ echo "bad test mode'${DNSRPS_TEST_MODE}' should be 'native' or 'dnsrps'"
+ exit 1
+ ;;
+esac
+
+for mode in ${DNSRPS_TEST_MODE:-native dnsrps}
+do
+ status=0
+ case ${mode} in
+ native)
+ if [ ${DNSRPS_TEST_MODE:-unset} = unset -a -e dnsrps-only ] ; then
+ echo "I:'dnsrps-only' found: skipping native RPZ sub-test"
+ continue
+ fi
+ ;;
+ dnsrps)
+ if [ ${DNSRPS_TEST_MODE:-unset} = unset -a -e dnsrps-off ] ; then
+ echo "I:'dnsrps-off' found: skipping DNSRPS sub-test"
+ continue
+ fi
+ if grep '^#skip' dnsrps.conf > /dev/null ; then
+ echo "I:DNSRPS sub-test skipped"
+ continue
+ fi
+ $PERL $SYSTEMTESTTOP/stop.pl .
+ $SHELL ./setup.sh -N -D $DEBUG
+ $PERL $SYSTEMTESTTOP/start.pl --noclean --restart .
+ ;;
+ esac
+ sed -n 's/^## /I:/p' dnsrps.conf
+
+ start_group "QNAME rewrites" test1
+ nochange . # 1 do not crash or rewrite root
+ nxdomain a0-1.tld2 # 2
+ nodata a3-1.tld2 # 3
+ nodata a3-2.tld2 # 4 nodata at DNAME itself
+ nochange sub.a3-2.tld2 # 5 miss where DNAME might work
+ nxdomain a4-2.tld2 # 6 rewrite based on CNAME target
+ nxdomain a4-2-cname.tld2 # 7
+ nodata a4-3-cname.tld2 # 8
+ addr 12.12.12.12 a4-1.sub1.tld2 # 9 A replacement
+ addr 12.12.12.12 a4-1.sub2.tld2 # 10 A replacement with wildcard
+ addr 12.12.12.12 nxc1.sub1.tld2 # 11 replace NXDOMAIN with CNAME
+ addr 12.12.12.12 nxc2.sub1.tld2 # 12 replace NXDOMAIN with CNAME chain
+ addr 127.4.4.1 a4-4.tld2 # 13 prefer 1st conflicting QNAME zone
+ nochange a6-1.tld2 # 14
+ addr 127.6.2.1 a6-2.tld2 # 15
+ addr 56.56.56.56 a3-6.tld2 # 16 wildcard CNAME
+ addr 57.57.57.57 a3-7.sub1.tld2 # 17 wildcard CNAME
+ addr 127.0.0.16 a4-5-cname3.tld2 # 18 CNAME chain
+ addr 127.0.0.17 a4-6-cname3.tld2 # 19 stop short in CNAME chain
+ nochange a5-2.tld2 +norecurse # 20 check that RD=1 is required
+ nochange a5-3.tld2 +norecurse # 21
+ nochange a5-4.tld2 +norecurse # 22
+ nochange sub.a5-4.tld2 +norecurse # 23
+ nxdomain c1.crash2.tld3 # 24 assert in rbtdb.c
+ nxdomain a0-1.tld2 +dnssec # 25 simple DO=1 without signatures
+ nxdomain a0-1.tld2s +nodnssec # 26 simple DO=0 with signatures
+ nochange a0-1.tld2s +dnssec # 27 simple DO=1 with signatures
+ nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain
+ nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain
+ nochange a0-1.tld2s srv +auth +dnssec # 30 no write for DNSSEC and no record
+ nxdomain a0-1.tld2s srv +nodnssec # 31
+ drop a3-8.tld2 any # 32 drop
+ nochange tcp a3-9.tld2 # 33 tcp-only
+ here x.servfail <<'EOF' # 34 qname-wait-recurse yes
 ;; status: SERVFAIL, x
 EOF
-addr 35.35.35.35 "x.servfail @$ns5" # 35 qname-wait-recurse no
-end_group
-ckstats $ns3 test1 ns3 22
-ckstats $ns5 test1 ns5 1
-ckstats $ns6 test1 ns6 0
-
-start_group "NXDOMAIN/NODATA action on QNAME trigger" test1
-nxdomain a0-1.tld2 @$ns6 # 1
-nodata a3-1.tld2 @$ns6 # 2
-nodata a3-2.tld2 @$ns6 # 3 nodata at DNAME itself
-nxdomain a4-2.tld2 @$ns6 # 4 rewrite based on CNAME target
-nxdomain a4-2-cname.tld2 @$ns6 # 5
-nodata a4-3-cname.tld2 @$ns6 # 6
-addr 12.12.12.12 "a4-1.sub1.tld2 @$ns6" # 7 A replacement
-addr 12.12.12.12 "a4-1.sub2.tld2 @$ns6" # 8 A replacement with wildcard
-addr 127.4.4.1 "a4-4.tld2 @$ns6" # 9 prefer 1st conflicting QNAME zone
-addr 12.12.12.12 "nxc1.sub1.tld2 @$ns6" # 10 replace NXDOMAIN w/ CNAME
-addr 12.12.12.12 "nxc2.sub1.tld2 @$ns6" # 11 replace NXDOMAIN w/ CNAME chain
-addr 127.6.2.1 "a6-2.tld2 @$ns6" # 12
-addr 56.56.56.56 "a3-6.tld2 @$ns6" # 13 wildcard CNAME
-addr 57.57.57.57 "a3-7.sub1.tld2 @$ns6" # 14 wildcard CNAME
-addr 127.0.0.16 "a4-5-cname3.tld2 @$ns6" # 15 CNAME chain
-addr 127.0.0.17 "a4-6-cname3.tld2 @$ns6" # 16 stop short in CNAME chain
-nxdomain c1.crash2.tld3 @$ns6 # 17 assert in rbtdb.c
-nxdomain a0-1.tld2 +dnssec @$ns6 # 18 simple DO=1 without sigs
-nxdomain a0-1s-cname.tld2s +dnssec @$ns6 # 19
-drop a3-8.tld2 any @$ns6 # 20 drop
-end_group
-ckstatsrange $ns3 test1 ns3 22 30
-ckstats $ns5 test1 ns5 0
-ckstats $ns6 test1 ns6 0
-
-start_group "IP rewrites" test2
-nodata a3-1.tld2 # 1 NODATA
-nochange a3-2.tld2 # 2 no policy record so no change
-nochange a4-1.tld2 # 3 obsolete PASSTHRU record style
-nxdomain a4-2.tld2 # 4
-nochange a4-2.tld2 -taaaa # 5 no A => no policy rewrite
-nochange a4-2.tld2 -ttxt # 6 no A => no policy rewrite
-nxdomain a4-2.tld2 -tany # 7 no A => no policy rewrite
-nodata a4-3.tld2 # 8
-nxdomain a3-1.tld2 -taaaa # 9 IPv6 policy
-nochange a4-1-aaaa.tld2 -taaaa # 10
-addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address
-addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone
-nochange a5-4.tld2 +norecurse # 13 check that RD=1 is required for #14
-addr 14.14.14.14 a5-4.tld2 # 14 prefer QNAME to IP
-nochange a4-4.tld2 # 15 PASSTHRU
-nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c
-addr 127.0.0.17 "a4-4.tld2 -b $ns1" # 17 client-IP address trigger
-nxdomain a7-1.tld2 # 18 slave policy zone (RT34450)
-cp ns2/blv2.tld2.db.in ns2/bl.tld2.db
-$RNDCCMD $ns2 reload bl.tld2
-ck_soa 2 bl.tld2 $ns3
-nochange a7-1.tld2 # 19 PASSTHRU
-sleep 1 # ensure that a clock tick has occured so that named will do the reload
-cp ns2/blv3.tld2.db.in ns2/bl.tld2.db
-$RNDCCMD $ns2 reload bl.tld2
-ck_soa 3 bl.tld2 $ns3
-nxdomain a7-1.tld2 # 20 slave policy zone (RT34450)
-end_group
-ckstats $ns3 test2 ns3 12
-
-# check that IP addresses for previous group were deleted from the radix tree
-start_group "radix tree deletions"
-nochange a3-1.tld2
-nochange a3-2.tld2
-nochange a4-1.tld2
-nochange a4-2.tld2
-nochange a4-2.tld2 -taaaa
-nochange a4-2.tld2 -ttxt
-nochange a4-2.tld2 -tany
-nochange a4-3.tld2
-nochange a3-1.tld2 -tAAAA
-nochange a4-1-aaaa.tld2 -tAAAA
-nochange a5-1-2.tld2
-end_group
-ckstats $ns3 'radix tree deletions' ns3 0
-
-# these tests assume "min-ns-dots 0"
-start_group "NSDNAME rewrites" test3
-nochange a3-1.tld2 # 1
-nochange a3-1.tld2 +dnssec # 2 this once caused problems
-nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME
-nxdomain a3-1.subsub.sub1.tld2
-nxdomain a3-1.subsub.sub1.tld2 -tany
-addr 12.12.12.12 a4-2.subsub.sub2.tld2 # 6 walled garden for *.sub2.tld2
-nochange a3-2.tld2. # 7 exempt rewrite by name
-nochange a0-1.tld2. # 8 exempt rewrite by address block
-addr 12.12.12.12 a4-1.tld2 # 9 prefer QNAME policy to NSDNAME
-addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME
-addr 127.0.0.2 a3-1.subsub.sub3.tld2
-nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash
-if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then
+ addr 35.35.35.35 "x.servfail @$ns5" # 35 qname-wait-recurse no
+ end_group
+ ckstats $ns3 test1 ns3 22
+ ckstats $ns5 test1 ns5 1
+ ckstats $ns6 test1 ns6 0
+
+ start_group "NXDOMAIN/NODATA action on QNAME trigger" test1
+ nxdomain a0-1.tld2 @$ns6 # 1
+ nodata a3-1.tld2 @$ns6 # 2
+ nodata a3-2.tld2 @$ns6 # 3 nodata at DNAME itself
+ nxdomain a4-2.tld2 @$ns6 # 4 rewrite based on CNAME target
+ nxdomain a4-2-cname.tld2 @$ns6 # 5
+ nodata a4-3-cname.tld2 @$ns6 # 6
+ addr 12.12.12.12 "a4-1.sub1.tld2 @$ns6" # 7 A replacement
+ addr 12.12.12.12 "a4-1.sub2.tld2 @$ns6" # 8 A replacement with wildcard
+ addr 127.4.4.1 "a4-4.tld2 @$ns6" # 9 prefer 1st conflicting QNAME zone
+ addr 12.12.12.12 "nxc1.sub1.tld2 @$ns6" # 10 replace NXDOMAIN w/ CNAME
+ addr 12.12.12.12 "nxc2.sub1.tld2 @$ns6" # 11 replace NXDOMAIN w/ CNAME chain
+ addr 127.6.2.1 "a6-2.tld2 @$ns6" # 12
+ addr 56.56.56.56 "a3-6.tld2 @$ns6" # 13 wildcard CNAME
+ addr 57.57.57.57 "a3-7.sub1.tld2 @$ns6" # 14 wildcard CNAME
+ addr 127.0.0.16 "a4-5-cname3.tld2 @$ns6" # 15 CNAME chain
+ addr 127.0.0.17 "a4-6-cname3.tld2 @$ns6" # 16 stop short in CNAME chain
+ nxdomain c1.crash2.tld3 @$ns6 # 17 assert in rbtdb.c
+ nxdomain a0-1.tld2 +dnssec @$ns6 # 18 simple DO=1 without sigs
+ nxdomain a0-1s-cname.tld2s +dnssec @$ns6 # 19
+ drop a3-8.tld2 any @$ns6 # 20 drop
+ end_group
+ ckstatsrange $ns3 test1 ns3 22 30
+ ckstats $ns5 test1 ns5 0
+ ckstats $ns6 test1 ns6 0
+
+ start_group "IP rewrites" test2
+ nodata a3-1.tld2 # 1 NODATA
+ nochange a3-2.tld2 # 2 no policy record so no change
+ nochange a4-1.tld2 # 3 obsolete PASSTHRU record style
+ nxdomain a4-2.tld2 # 4
+ nochange a4-2.tld2 -taaaa # 5 no A => no policy rewrite
+ nochange a4-2.tld2 -ttxt # 6 no A => no policy rewrite
+ nxdomain a4-2.tld2 -tany # 7 no A => no policy rewrite
+ nodata a4-3.tld2 # 8
+ nxdomain a3-1.tld2 -taaaa # 9 IPv6 policy
+ nochange a4-1-aaaa.tld2 -taaaa # 10
+ addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address
+ addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone
+ nochange a5-4.tld2 +norecurse # 13 check that RD=1 is required for #14
+ addr 14.14.14.14 a5-4.tld2 # 14 prefer QNAME to IP
+ nochange a4-4.tld2 # 15 PASSTHRU
+ nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c
+ addr 127.0.0.17 "a4-4.tld2 -b $ns1" # 17 client-IP address trigger
+ nxdomain a7-1.tld2 # 18 slave policy zone (RT34450)
+ cp ns2/blv2.tld2.db.in ns2/bl.tld2.db
+ $RNDCCMD $ns2 reload bl.tld2
+ ck_soa 2 bl.tld2 $ns3
+ nochange a7-1.tld2 # 19 PASSTHRU
+ sleep 1 # ensure that a clock tick has occured so that named will do the reload
+ cp ns2/blv3.tld2.db.in ns2/bl.tld2.db
+ $RNDCCMD $ns2 reload bl.tld2
+ ck_soa 3 bl.tld2 $ns3
+ nxdomain a7-1.tld2 # 20 slave policy zone (RT34450)
+ end_group
+ ckstats $ns3 test2 ns3 12
+
+ # check that IP addresses for previous group were deleted from the radix tree
+ start_group "radix tree deletions"
+ nochange a3-1.tld2
+ nochange a3-2.tld2
+ nochange a4-1.tld2
+ nochange a4-2.tld2
+ nochange a4-2.tld2 -taaaa
+ nochange a4-2.tld2 -ttxt
+ nochange a4-2.tld2 -tany
+ nochange a4-3.tld2
+ nochange a3-1.tld2 -tAAAA
+ nochange a4-1-aaaa.tld2 -tAAAA
+ nochange a5-1-2.tld2
+ end_group
+ ckstats $ns3 'radix tree deletions' ns3 0
+
+ # these tests assume "min-ns-dots 0"
+ start_group "NSDNAME rewrites" test3
+ nochange a3-1.tld2 # 1
+ nochange a3-1.tld2 +dnssec # 2 this once caused problems
+ nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME
+ nxdomain a3-1.subsub.sub1.tld2
+ nxdomain a3-1.subsub.sub1.tld2 -tany
+ addr 12.12.12.12 a4-2.subsub.sub2.tld2 # 6 walled garden for *.sub2.tld2
+ nochange a3-2.tld2. # 7 exempt rewrite by name
+ nochange a0-1.tld2. # 8 exempt rewrite by address block
+ addr 12.12.12.12 a4-1.tld2 # 9 prefer QNAME policy to NSDNAME
+ addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME
+ addr 127.0.0.2 a3-1.subsub.sub3.tld2
+ nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash
+ if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then
 addr 12.12.12.12 as-ns.tld5. # 13 qname-as-ns
-fi
-end_group
-if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then
+ fi
+ end_group
+ if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then
 ckstats $ns3 test3 ns3 8
-else
+ else
 ckstats $ns3 test3 ns3 7
-fi
-
-# these tests assume "min-ns-dots 0"
-start_group "NSIP rewrites" test4
-nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2
-nochange a3-2.tld2. # 2 exempt rewrite by name
-nochange a0-1.tld2. # 3 exempt rewrite by address block
-nochange a3-1.tld4 # 4 different NS IP address
-if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then
- addr 12.12.12.12 as-ns.tld5. # 5 ip-as-ns
-fi
-end_group
-
-start_group "walled garden NSIP rewrites" test4a
-addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2
-addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2
-here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2
+ fi
+
+ # these tests assume "min-ns-dots 0"
+ start_group "NSIP rewrites" test4
+ nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2
+ nochange a3-2.tld2. # 2 exempt rewrite by name
+ nochange a0-1.tld2. # 3 exempt rewrite by address block
+ nochange a3-1.tld4 # 4 different NS IP address
+ if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then
+ addr 12.12.12.12 as-ns.tld5. # 5 ip-as-ns
+ fi
+ end_group
+
+ start_group "walled garden NSIP rewrites" test4a
+ addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2
+ addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2
+ here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2
 ;; status: NOERROR, x
 a3-1.tld2. x IN TXT "NSIP walled garden"
 EOF
-end_group
-if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then
+ end_group
+ if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then
 ckstats $ns3 test4 ns3 5
-else
+ else
 ckstats $ns3 test4 ns3 4
-fi
-
-# policies in ./test5 overridden by response-policy{} in ns3/named.conf
-# and in ns5/named.conf
-start_group "policy overrides" test5
-addr 127.0.0.1 a3-1.tld2 # 1 bl-given
-nochange a3-2.tld2 # 2 bl-passthru
-nochange a3-3.tld2 # 3 bl-no-op obsolete for passthru
-nochange a3-4.tld2 # 4 bl-disabled
-nodata a3-5.tld2 # 5 bl-nodata zone recursive-only no
-nodata a3-5.tld2 +norecurse # 6 bl-nodata zone recursive-only no
-nodata a3-5.tld2 # 7 bl-nodata not needed
-nxdomain a3-5.tld2 +norecurse @$ns5 # 8 bl-nodata global recursive-only no
-nxdomain a3-5.tld2s @$ns5 # 9 bl-nodata global break-dnssec
-nxdomain a3-5.tld2s +dnssec @$ns5 # 10 bl-nodata global break-dnssec
-nxdomain a3-6.tld2 # 11 bl-nxdomain
-here a3-7.tld2 -tany <<'EOF'
+ fi
+
+ # policies in ./test5 overridden by response-policy{} in ns3/named.conf
+ # and in ns5/named.conf
+ start_group "policy overrides" test5
+ addr 127.0.0.1 a3-1.tld2 # 1 bl-given
+ nochange a3-2.tld2 # 2 bl-passthru
+ nochange a3-3.tld2 # 3 bl-no-op obsolete for passthru
+ nochange a3-4.tld2 # 4 bl-disabled
+ nodata a3-5.tld2 # 5 bl-nodata zone recursive-only no
+ nodata a3-5.tld2 +norecurse # 6 bl-nodata zone recursive-only no
+ nodata a3-5.tld2 # 7 bl-nodata not needed
+ nxdomain a3-5.tld2 +norecurse @$ns5 # 8 bl-nodata global recursive-only no
+ nxdomain a3-5.tld2s @$ns5 # 9 bl-nodata global break-dnssec
+ nxdomain a3-5.tld2s +dnssec @$ns5 # 10 bl-nodata global break-dnssec
+ nxdomain a3-6.tld2 # 11 bl-nxdomain
+ here a3-7.tld2 -tany <<'EOF'
 ;; status: NOERROR, x
 a3-7.tld2. x IN CNAME txt-only.tld2.
 txt-only.tld2. x IN TXT "txt-only-tld2"
 EOF
-addr 58.58.58.58 a3-8.tld2 # 13 bl_wildcname
-addr 59.59.59.59 a3-9.sub9.tld2 # 14 bl_wildcname
-addr 12.12.12.12 a3-15.tld2 # 15 bl-garden via CNAME to a12.tld2
-addr 127.0.0.16 a3-16.tld2 100 # 16 bl max-policy-ttl 100
-addr 17.17.17.17 "a3-17.tld2 @$ns5" 90 # 17 ns5 bl max-policy-ttl 90
-drop a3-18.tld2 any # 18 bl-drop
-nxdomain TCP a3-19.tld2 # 19 bl-tcp-only
-end_group
-ckstats $ns3 test5 ns3 12
-ckstats $ns5 test5 ns5 4
-
-
-# check that miscellaneous bugs are still absent
-start_group "crashes" test6
-for Q in RRSIG SIG ANY 'ANY +dnssec'; do
+ addr 58.58.58.58 a3-8.tld2 # 13 bl_wildcname
+ addr 59.59.59.59 a3-9.sub9.tld2 # 14 bl_wildcname
+ addr 12.12.12.12 a3-15.tld2 # 15 bl-garden via CNAME to a12.tld2
+ addr 127.0.0.16 a3-16.tld2 100 # 16 bl max-policy-ttl 100
+ addr 17.17.17.17 "a3-17.tld2 @$ns5" 90 # 17 ns5 bl max-policy-ttl 90
+ drop a3-18.tld2 any # 18 bl-drop
+ nxdomain TCP a3-19.tld2 # 19 bl-tcp-only
+ end_group
+ ckstats $ns3 test5 ns3 12
+ ckstats $ns5 test5 ns5 4
+
+ # check that miscellaneous bugs are still absent
+ start_group "crashes" test6
+ for Q in RRSIG SIG ANY 'ANY +dnssec'; do
 nocrash a3-1.tld2 -t$Q
 nocrash a3-2.tld2 -t$Q
 nocrash a3-5.tld2 -t$Q
 nocrash www.redirect -t$Q
 nocrash www.credirect -t$Q
-done
+ done
-# This is not a bug, because any data leaked by writing 24.4.3.2.10.rpz-ip
-# (or whatever) is available by publishing "foo A 10.2.3.4" and then
-# resolving foo.
-# nxdomain 32.3.2.1.127.rpz-ip
-end_group
-ckstats $ns3 bugs ns3 8
+ # This is not a bug, because any data leaked by writing 24.4.3.2.10.rpz-ip
+ # (or whatever) is available by publishing "foo A 10.2.3.4" and then
+ # resolving foo.
+ # nxdomain 32.3.2.1.127.rpz-ip
+ end_group
+ ckstats $ns3 bugs ns3 8
-# superficial test for major performance bugs
-QPERF=`sh qperf.sh`
-if test -n "$QPERF"; then
+ # superficial test for major performance bugs
+ QPERF=`sh qperf.sh`
+ if test -n "$QPERF"; then
 perf () {
 date "+I:${TS}checking performance $1"
 # Dry run to prime everything
@@ -691,11 +701,11 @@ if test -n "$QPERF"; then
 ckstats $ns5 performance ns5 200
-else
+ else
 echo "I:performance not checked; queryperf not available"
-fi
+ fi
-if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then
+ if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then
 echo "I:checking that dnsrpzd is automatically restarted"
 OLD_PID=`cat dnsrpzd.pid`
 $KILL "$OLD_PID"
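Review bot: Inside the new `for mode in …` loop every mode-dependent check still reads `$DNSRPS_TEST_MODE` rather than `$mode` — the `[ "$DNSRPS_TEST_MODE" = dnsrps ]` branches around the test3/test4 `ckstats` calls in this hunk, the dnsrpzd-restart check in the -691 hunk and the closing `case $DNSRPS_TEST_MODE in` in the -714 hunk — and nothing in these hunks assigns the loop variable to it. In the default run, where `DNSRPS_TEST_MODE` is empty and both modes are iterated, the DNSRPS pass is therefore scored against the native expectations and the closing `case` falls through to `*) echo "I:invalid test mode"`, leaving `native`/`dnsrps` unset so the script exits 0 regardless of failures. Either test `$mode` at each of those places, or save the requested value before the loop (`REQUESTED_MODE=$DNSRPS_TEST_MODE`), test `${REQUESTED_MODE:-unset}` in the two `dnsrps-only`/`dnsrps-off` skips, and assign `DNSRPS_TEST_MODE=$mode` right after `status=0`. Separately, the `grep '^#skip' dnsrps.conf` test now runs before `$SHELL ./setup.sh -N -D $DEBUG` rewrites that file (the removed driver ran setup first), the removed `^#fail` handling has no counterpart, and setup's exit status is not checked.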
@@ -714,82 +724,77 @@ if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then
 fi
 $WAIT_CMD
 done
-fi
-
+ fi
-# restart the main test RPZ server to see if that creates a core file
-if test -z "$HAVE_CORE"; then
+ # restart the main test RPZ server to see if that creates a core file
+ if test -z "$HAVE_CORE"; then
 $PERL $SYSTEMTESTTOP/stop.pl . ns3
 restart 3
 HAVE_CORE=`find ns* -name '*core*' -print`
 test -z "$HAVE_CORE" || setret "I:found $HAVE_CORE; memory leak?"
-fi
+ fi
-# look for complaints from lib/dns/rpz.c and bin/name/query.c
-EMSGS=`egrep -l 'invalid rpz|rpz.*failed' ns*/named.run`
-if test -n "$EMSGS"; then
+ # look for complaints from lib/dns/rpz.c and bin/name/query.c
+ EMSGS=`egrep -l 'invalid rpz|rpz.*failed' ns*/named.run`
+ if test -n "$EMSGS"; then
 setret "I:error messages in $EMSGS starting with:"
 egrep 'invalid rpz|rpz.*failed' ns*/named.run | sed -e '10,$d' -e 's/^/I: /'
-fi
-
-t=`expr $t + 1`
-echo "I:checking that ttl values are not zeroed when qtype is '*' (${t})"
-$DIG +noall +answer -p 5300 @$ns3 any a3-2.tld2 > dig.out.$t
-ttl=`awk '/a3-2 tld2 text/ {print $2}' dig.out.$t`
-if test ${ttl:=0} -eq 0; then setret I:failed; fi
+ fi
+ t=`expr $t + 1`
+ echo "I:checking that ttl values are not zeroed when qtype is '*' (${t})"
+ $DIG +noall +answer -p 5300 @$ns3 any a3-2.tld2 > dig.out.$t
+ ttl=`awk '/a3-2 tld2 text/ {print $2}' dig.out.$t`
+ if test ${ttl:=0} -eq 0; then setret I:failed; fi
-t=`expr $t + 1`
-echo "I:checking rpz updates/transfers with parent nodes added after children" \
+ t=`expr $t + 1`
+ echo "I:checking rpz updates/transfers with parent nodes added after children" \
 | tr -d '\n'
-# regression test for RT #36272: the success condition
-# is the slave server not crashing.
-nsd() {
- $NSUPDATE -p 5300 << EOF
-server $1
-ttl 300
-update $2 $3 IN CNAME .
-update $2 $4 IN CNAME .
-send
-EOF
- sleep 2
-}
-for i in 1 2 3 4 5; do
+ # regression test for RT #36272: the success condition
+ # is the slave server not crashing.
+ for i in 1 2 3 4 5; do
 nsd $ns5 add example.com.policy1. '*.example.com.policy1.'
 echo . | tr -d '\n'
 nsd $ns5 delete example.com.policy1. '*.example.com.policy1.'
 echo . | tr -d '\n'
-done
-for i in 1 2 3 4 5; do
+ done
+ for i in 1 2 3 4 5; do
 nsd $ns5 add '*.example.com.policy1.' example.com.policy1.
 echo . | tr -d '\n'
 nsd $ns5 delete '*.example.com.policy1.' example.com.policy1.
 echo . | tr -d '\n'
-done
-echo " (${t})"
-
-
-t=`expr $t + 1`
-echo "I:checking that going from an empty policy zone works (${t})"
-nsd $ns5 add '*.x.servfail.policy2.' x.servfail.policy2.
-sleep 1
-$RNDCCMD $ns7 reload policy2
-$DIG z.x.servfail -p 5300 @$ns7 > dig.out.${t}
-grep NXDOMAIN dig.out.${t} > /dev/null || setret I:failed
-
-# dnsrps does not allow NS RRs in policy zones, so this check
-# with dnsrps results in no rewriting.
-if [ "$DNSRPS_TEST_MODE" = native ]; then
+ done
+ echo " (${t})"
+
+ t=`expr $t + 1`
+ echo "I:checking that going from an empty policy zone works (${t})"
+ nsd $ns5 add '*.x.servfail.policy2.' x.servfail.policy2.
+ sleep 1
+ $RNDCCMD $ns7 reload policy2
+ $DIG z.x.servfail -p 5300 @$ns7 > dig.out.${t}
+ grep NXDOMAIN dig.out.${t} > /dev/null || setret I:failed
+
+ # dnsrps does not allow NS RRs in policy zones, so this check
+ # with dnsrps results in no rewriting.
+ if [ "$DNSRPS_TEST_MODE" = native ]; then
 t=`expr $t + 1`
 echo "I:checking rpz with delegation fails correctly (${t})"
 $DIG -p 5300 @$ns3 ns example.com > dig.out.$t
 grep "status: SERVFAIL" dig.out.$t > /dev/null || setret "I:failed"
-fi
+ fi
+
+ [ $status -ne 0 ] && pf=fail || pf=pass
+ case $DNSRPS_TEST_MODE in
+ native)
+ native=$status
+ echo "I:status (native RPZ sub-test): $status ($pf)";;
+
+ dnsrps)
+ dnsrps=$status
+ echo "I:status (DNSRPS sub-test): $status ($pf)";;
+ *) echo "I:invalid test mode";;
+ esac
+done
+status=`expr ${native:-0} + ${dnsrps:-0}`
-[ $status -ne 0 ] && pf=fail || pf=pass
-case $DNSRPS_TEST_MODE in
- native) echo "I:status (native RPZ sub-test): $status ($pf)";;
- dnsrps) echo "I:status (DNSRPS sub-test): $status ($pf)";;
- *) echo "I:invalid test mode";;
-esac
 [ $status -eq 0 ] || exit 1
-- 
2.47.3
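Review bot: The aggregated result computed at `status=\`expr ${native:-0} + ${dnsrps:-0}\`` is never reported — only the per-mode lines inside the loop are printed, and the `I:exit status: $status` line that the removed driver in the -61 hunk printed has no replacement — and the `*)` arm of the closing `case` drops `$status` entirely, so a failed pass whose mode is not matched is silently counted as success. Consider accumulating into a single variable in the loop, e.g. `total=\`expr ${total:-0} + $status\`` right after `[ $status -ne 0 ] && pf=fail || pf=pass`, so no arm can lose a failure, and echo the total before the final `[ $status -eq 0 ] || exit 1`.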