set -e
# Say on stdout whether to test DNSRPS
-# and create dnsrps.conf and dnsrps-secondary.conf
-# Note that dnsrps.conf and dnsrps-secondary.conf are included in named.conf
-# and differ from dnsrpz.conf which is used by dnsrpzd.
+# and creates dnsrps.conf
+# Note that dnsrps.conf is included in named.conf
+# and differs from dnsrpz.conf which is used by dnsrpzd.
. ../conf.sh
AS_NS=
TEST_DNSRPS=
MCONF=dnsrps.conf
-SCONF=dnsrps-secondary.conf
-USAGE="$0: [-xAD] [-M dnsrps.conf] [-S dnsrps-secondary.conf]"
+USAGE="$0: [-xAD] [-M dnsrps.conf]"
while getopts "xADM:S:" c; do
case $c in
x) set -x; DEBUG=-x;;
A) AS_NS=yes;;
D) TEST_DNSRPS=yes;;
M) MCONF="$OPTARG";;
- S) SCONF="$OPTARG";;
*) echo "$USAGE" 1>&2; exit 1;;
esac
done
# erase any existing conf files
cat /dev/null > $MCONF
-cat /dev/null > $SCONF
add_conf () {
echo "$*" >>$MCONF
- echo "$*" >>$SCONF
}
if ! $FEATURETEST --enable-dnsrps; then
exit 0
fi
-CMN=" dnsrps-options { dnsrpzd-conf ../dnsrpzd.conf
- dnsrpzd-sock ../dnsrpzd.sock
- dnsrpzd-rpzf ../dnsrpzd.rpzf
- dnsrpzd-args '-dddd -L stdout'
- log-level 3"
-
-PRIMARY="$CMN"
-if [ -n "$AS_NS" ]; then
- PRIMARY="$PRIMARY
- qname-as-ns yes
- ip-as-ns yes"
-fi
-
-# write dnsrps settings for primary resolver
-cat <<EOF >>$MCONF
-$PRIMARY };
-EOF
-
-# write dnsrps settings for resolvers that should not start dnsrpzd
-cat <<EOF >>$SCONF
-$CMN
- dnsrpzd '' }; # do not start dnsrpzd
-EOF
-
-
-# DNSRPS is available.
-# The test should fail if the license is bad.
-add_conf "dnsrps-enable yes;"
-
-# Use alt-dnsrpzd-license.conf if it exists
-CUR_L=dnsrpzd-license-cur.conf
-ALT_L=alt-dnsrpzd-license.conf
-# try ../rpz/alt-dnsrpzd-license.conf if alt-dnsrpzd-license.conf does not exist
-[ -s $ALT_L ] || ALT_L=../rpz/alt-dnsrpzd-license.conf
-if [ -s $ALT_L ]; then
- SRC_L=$ALT_L
- USE_ALT=
-else
- SRC_L=../rpz/dnsrpzd-license.conf
- USE_ALT="## consider installing alt-dnsrpzd-license.conf"
-fi
-cp $SRC_L $CUR_L
-
-# parse $CUR_L for the license zone name, primary IP addresses, and optional
-# transfer-source IP addresses
-eval `sed -n -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/'\
- -e 's/.*zone *\([-a-z0-9]*.license.fastrpz.com\).*/NAME=\1/p' \
- -e 's/.*farsight_fastrpz_license *\([0-9.]*\);.*/IPV4=\1/p' \
- -e 's/.*farsight_fastrpz_license *\([0-9a-f:]*\);.*/IPV6=\1/p' \
- -e 's/.*transfer-source *\([0-9.]*\);.*/TS4=-b\1/p' \
- -e 's/.*transfer-source *\([0-9a-f:]*\);.*/TS6=-b\1/p' \
- -e 's/.*transfer-source-v6 *\([0-9a-f:]*\);.*/TS6=-b\1/p' \
- $CUR_L`
-if [ -z "$NAME" ]; then
- add_conf "## no DNSRPS tests; no license domain name in $SRC_L"
- add_conf '#fail'
- exit 0
-fi
-if [ -z "$IPV4" ]; then
- IPV4=license1.fastrpz.com
- TS4=
-fi
-if [ -z "$IPV6" ]; then
- IPV6=license1.fastrpz.com
- TS6=
-fi
-
-# This TSIG key is common and NOT a secret
-KEY='hmac-sha256:farsight_fastrpz_license:f405d02b4c8af54855fcebc1'
-
-# Try IPv4 and then IPv6 to deal with IPv6 tunnel and connectivity problems
-if `$DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4 \
- | grep -i "^$NAME.*TXT" >/dev/null`; then
- exit 0
-fi
-if `$DIG -6 -t axfr -y$KEY $TS6 $NAME @$IPV6 \
- | grep -i "^$NAME.*TXT" >/dev/null`; then
- exit 0
-fi
-
-add_conf "## DNSRPS lacks a valid license via $SRC_L"
-[ -z "$USE_ALT" ] || add_conf "$USE_ALT"
-add_conf '#fail'
+add_conf 'dnsrps-options { log-level 3 };'
+add_conf 'dnsrps-enable yes;'
+add_conf 'dnsrps-library "../../rpz/testlib/.libs/libdummyrpz.so";'
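Review bot: The option string at L16 still accepts `-S` (`getopts "xADM:S:"`) although the `S)` arm is removed, so `-S foo` now falls into the `*)` arm and prints a usage message that no longer lists `-S`; drop `S:` from the string. Likewise `-A` still sets `AS_NS=yes` and is advertised in `USAGE`, but nothing left in the visible script reads `AS_NS` once the `qname-as-ns`/`ip-as-ns` block is gone, and rpz/setup.sh at L310 stops passing it; unless another caller still uses `-A`, remove the flag and variable, e.g. `while getopts "xDM:" c; do` with `USAGE="$0: [-xD] [-M dnsrps.conf]"`, or leave a comment saying it is kept for compatibility.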
-alt-dnsrpzd-license.conf
dnsrps
rm -f ns8/manual-update-rpz.db
rm -f */policy2.db
rm -f */*.jnl
+rm -f dnsrps.cache dnsrps.conf
if [ ${PARTIAL:-unset} = unset ]; then
rm -f proto.* dsset-* trusted.conf dig.out* nsupdate.tmp ns*/*tmp
rm -f ns*/named.lock
rm -f ns*/named.conf
rm -f ns*/*switch
- rm -f dnsrps*.conf
- rm -f dnsrpzd.conf
- rm -f dnsrpzd-license-cur.conf dnsrpzd.rpzf dnsrpzd.sock dnsrpzd.pid
+ rm -f dnsrps.zones
rm -f ns*/managed-keys.bind*
rm -f tmp
fi
/*
* -a exit(0) if dnsrps is available or dlopen() msg if not
- * -p print the path to dnsrpzd configured in dnsrps so that
- * dnsrpzd can be run by a setup.sh script.
- * Exit(1) if dnsrps is not available
* -n domain print the serial number of a domain to check if a new
- * version of a policy zone has been transferred to dnsrpzd.
+ * version of a policy zone is ready.
* Exit(1) if dnsrps is not available
* -w sec.ond wait for seconds, because `sleep 0.1` is not portable
*/
#ifdef USE_DNSRPS
#include <dns/librpz.h>
-
-librpz_t *librpz;
#else /* ifdef USE_DNSRPS */
typedef struct {
char c[120];
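Review bot: Removing the `librpz_t *librpz;` definition under `USE_DNSRPS` leaves `link_dnsrps()` (`librpz = librpz_lib_open(...)` at L213) and the `librpz->clist_create(...)` call in the `-n` case referring to a symbol this file no longer defines. Presumably an `extern librpz_t *librpz;` now comes from `dns/librpz.h` or another header included outside the hunk, but that is not visible here; confirm the `USE_DNSRPS` build still links, otherwise the definition has to stay.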
static bool
link_dnsrps(librpz_emsg_t *emsg);
-#define USAGE "usage: [-ap] [-n domain] [-w sec.onds]\n"
+#define USAGE "usage: [-a] [-n domain] [-w sec.onds]\n"
int
main(int argc, char **argv) {
char *p;
int i;
- while ((i = getopt(argc, argv, "apn:w:")) != -1) {
+ while ((i = getopt(argc, argv, "an:w:")) != -1) {
switch (i) {
case 'a':
if (!link_dnsrps(&emsg)) {
}
return (0);
- case 'p':
- if (!link_dnsrps(&emsg)) {
- fprintf(stderr, "## %s\n", emsg.c);
- return (1);
- }
-#ifdef USE_DNSRPS
- printf("%s\n", librpz->dnsrpzd_path);
-#else /* ifdef USE_DNSRPS */
- UNREACHABLE();
-#endif /* ifdef USE_DNSRPS */
- return (0);
-
case 'n':
if (!link_dnsrps(&emsg)) {
fprintf(stderr, "## %s\n", emsg.c);
}
#ifdef USE_DNSRPS
/*
- * Get the serial number of a policy zone from
- * a running dnsrpzd daemon.
+ * Get the serial number of a policy zone.
*/
clist = librpz->clist_create(&emsg, NULL, NULL, NULL,
NULL, NULL);
fprintf(stderr, "## %s: %s\n", optarg, emsg.c);
return (1);
}
- snprintf(cstr, sizeof(cstr),
- "zone %s; dnsrpzd \"\";"
- " dnsrpzd-sock dnsrpzd.sock;"
- " dnsrpzd-rpzf dnsrpzd.rpzf",
- optarg);
+ snprintf(cstr, sizeof(cstr), "zone %s;", optarg);
client = librpz->client_create(&emsg, clist, cstr,
true);
if (client == NULL) {
static bool
link_dnsrps(librpz_emsg_t *emsg) {
#ifdef USE_DNSRPS
- librpz = librpz_lib_open(emsg, NULL, DNSRPS_LIBRPZ_PATH);
+ librpz = librpz_lib_open(emsg, NULL, LIBRPZ_LIB_OPEN);
if (librpz == NULL) {
return (false);
}
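Review bot: `link_dnsrps()` now probes `LIBRPZ_LIB_OPEN` instead of the build-time `DNSRPS_LIBRPZ_PATH`, while named in this test is pointed at the dummy provider through `dnsrps-library "../../rpz/testlib/.libs/libdummyrpz.so"` in ckdnsrps.sh. If `LIBRPZ_LIB_OPEN` resolves to a different library than the one named loads, `dnsrps -a` reports availability based on a library that is not the one under test; a comment stating which library `-a` is expected to find, or probing the same path, would make the check meaningful. The function continues past the hunk.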
pid-file ../dnsrpzd.pid
-include ../dnsrpzd-license-cur.conf
-
# configure NOTIFY and zone transfers
port @EXTRAPORT1@;
listen-on port @EXTRAPORT1@ { 10.53.0.3; };
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-zone isc.license.fastrpz.com {
- primaries port 53 {
- KEY farsight_fastrpz_license 104.244.14.176;
- KEY farsight_fastrpz_license 2620:11c:f008::176;
- };
-};
-
-key farsight_fastrpz_license {
- algorithm hmac-sha256; secret "f405d02b4c8af54855fcebc1";
-};
# turn rpz on or off
include "rpz-switch";
- include "../dnsrps-secondary.conf";
+ include "../dnsrps.conf";
};
key rndc_key {
nsip-enable yes
nsdname-enable yes;
- include "../dnsrps-secondary.conf";
+ include "../dnsrps.conf";
};
logging { category rpz { default_debug; }; };
file "empty.db";
also-notify { 10.53.0.3 port @EXTRAPORT1@; };
notify-delay 0;
- allow-transfer { any; };
+ allow-transfer { any; };
};
zone "bl.tld2s." {
nsdname-enable yes
min-update-interval 0;
- include "../dnsrps-secondary.conf";
+ include "../dnsrps.conf";
};
logging { category rpz { default_debug; }; };
file "policy2.db";
also-notify { 10.53.0.3 port @EXTRAPORT1@; };
notify-delay 0;
- allow-transfer { any; };
+ allow-transfer { any; };
request-ixfr no; // force axfr on rndc reload
};
recursion yes;
dnssec-validation yes;
dns64-server "example.localdomain.";
- dns64 64:ff9b::/96 { };
+ dns64 64:ff9b::/96 { };
response-policy {
zone "rpz";
}
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
-rpz. 28800 IN SOA rpz. hostmaster.rpz. 6 10800 3600 2419200 900
-rpz. 28800 IN NS .
-a-only.example.rpz. 28800 IN CNAME *.
-no-a-no-aaaa.example.rpz. 28800 IN CNAME *.
-a-plus-aaaa.example.rpz. 28800 IN CNAME *.
+$TTL 28800
+rpz. IN SOA rpz. hostmaster.rpz. 6 10800 3600 2419200 900
+rpz. IN NS .
+a-only.example CNAME *.
+no-a-no-aaaa.example CNAME *.
+a-plus-aaaa.example CNAME *.
copy_setports ns9/named.conf.in ns9/named.conf
copy_setports ns10/named.conf.in ns10/named.conf
-copy_setports dnsrpzd.conf.in dnsrpzd.conf
+copy_setports dnsrps.zones.in dnsrps.zones
# decide whether to test DNSRPS
-# Note that dnsrps.conf and dnsrps-secondary.conf are included in named.conf
-# and differ from dnsrpz.conf which is used by dnsrpzd.
-$SHELL ../ckdnsrps.sh -A $TEST_DNSRPS $DEBUG
-test -z "$(grep 'dnsrps-enable yes' dnsrps.conf)" && TEST_DNSRPS=
+# Note that dnsrps.conf is included in named.conf
+$SHELL ../ckdnsrps.sh $TEST_DNSRPS $DEBUG
+test -z "$(grep 'testing with DNSRPS' dnsrps.conf)" && TEST_DNSRPS=
+touch dnsrps.cache
# set up test policy zones.
# bl is the main test zone
cp ns5/empty.db.in ns5/empty.db
cp ns5/empty.db.in ns5/policy2.db
cp ns6/bl.tld2s.db.in ns6/bl.tld2s.db
-
-# Run dnsrpzd to get the license and prime the static policy zones
-if test -n "$TEST_DNSRPS"; then
- DNSRPZD="$(../rpz/dnsrps -p)"
- cd ns3
- "$DNSRPZ" -D../dnsrpzd.rpzf -S../dnsrpzd.sock -C../dnsrpzd.conf \
- -w 0 -dddd -L stdout >./dnsrpzd.run 2>&1
-fi
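Review bot: The probe at L311 greps dnsrps.conf for `testing with DNSRPS`, but the new ckdnsrps.sh body visible here writes only `dnsrps-options`, `dnsrps-enable yes;` and `dnsrps-library` lines, and the sibling setup.sh at L594 still keys on `dnsrps-enable yes`; unless ckdnsrps.sh emits that marker outside the shown lines, `TEST_DNSRPS` is always cleared here and the DNSRPS mode silently never runs. Use the same marker in both setup scripts, e.g. `grep -q 'dnsrps-enable yes' dnsrps.conf || TEST_DNSRPS=`, which also avoids the `test -z "$(grep ...)"` detour.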
status=0
t=0
+export DNSRPS_TEST_UPDATE_FILE=$(pwd)/dnsrps.cache
DEBUG=
SAVE_RESULTS=
ARGS=
RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s"
if test -x $DNSRPSCMD; then
- # speed up the many delays for dnsrpzd by waiting only 0.1 seconds
WAIT_CMD="$DNSRPSCMD -w 0.1"
TEN_SECS=100
else
fi
}
-# check that dnsrpzd has loaded its zones
+# check that dnsrps provider has zones loaded
# $1=domain
# $2=DNS server IP address
-FZONES=`sed -n -e 's/^zone "\(.*\)".*\(10.53.0..\).*/Z=\1;M=\2/p' dnsrpzd.conf`
+FZONES=`sed -n -e 's/^zone "\(.*\)".*\(10.53.0..\).*/Z=\1;M=\2/p' dnsrps.zones`
dnsrps_loaded() {
test "$mode" = dnsrps || return
n=0
# (re)load the response policy zones with the rules in the file $TEST_FILE
load_db () {
if test -n "$TEST_FILE"; then
- copy_setports $TEST_FILE tmp
+ copy_setports $TEST_FILE tmp
+
+ for ZONE in bl0 bl1 bl2 bl3 bl4 bl5 bl6 bl7 bl8 bl9 bl10 bl11 bl12 bl13 bl14 bl15 bl16 bl17 bl18 bl19; do
+ produce_librpz_rules ns5 $ZONE bl
+ done
+
+ produce_librpz_rules ns2 bl.tld2 bl.tld2
+ cat tmp >> $DNSRPS_TEST_UPDATE_FILE
+
if $NSUPDATE -v tmp; then :
$RNDCCMD $ns3 sync
else
$RNDCCMD $ns3 sync
exit 1
fi
- rm -f tmp
+ rm -f tmp
fi
}
fi
rm -f ns$1/*.jnl
if [ "$2" = "rebuild-bl-rpz" ]; then
- if test -f ns$1/base.db; then
+ if test -f ns$1/base.db; then
for NM in ns$1/bl*.db; do
- cp -f ns$1/base.db $NM
- done
- fi
+ cp -f ns$1/base.db $NM
+ done
+ fi
fi
start_server --noclean --restart --port ${PORT} ns$1
load_db
}
resetstats () {
- NSDIR=$1
- eval "${NSDIR}_CNT=''"
+ NSDIR=$1
+ eval "${NSDIR}_CNT=''"
}
ckstats () {
eval "${NSDIR}_CNT=$NEW_CNT"
}
+add_librpz_rule() {
+ echo $1 >> $DNSRPS_TEST_UPDATE_FILE
+}
+
+produce_librpz_rules() {
+ # echo "Producing rules for $1"
+ ZONEFILE=$1/$3.db
+ cat $ZONEFILE | egrep -v '^;' | egrep '\<(A|CNAME)\>' | awk -v zone=$2 '{ if (NF == 4) {print "static add "$1"."zone" "$2" "$3" "$4} else if (NF == 3) {print "static add "$1"."zone" 300 "$2" "$3}}' >> $DNSRPS_TEST_UPDATE_FILE
+}
+
# $1=message
# $2=optional test file name
start_group () {
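Review bot: `add_librpz_rule` writes its argument with an unquoted `echo $1`, so the rule text is word-split and glob-expanded before it reaches the cache file; the call at L535 passes `update add *.x.servfail.policy2 300 CNAME .`, where `*.x.servfail.policy2` is matched against the current directory and would be replaced by any file name that happens to match. Write it as `printf '%s\n' "$1" >> "$DNSRPS_TEST_UPDATE_FILE"`. In `produce_librpz_rules` the awk program treats a four-field record as `name ttl type rdata`, so a record written with a class (`name IN A addr`) would emit `IN` as the TTL; a comment naming the record layouts the zone files are expected to use would help, and `egrep` should be `grep -E` (the `\<`/`\>` word boundaries are a GNU-flavoured extension). The function is duplicated verbatim at L647-L650 in the other tests.sh (the same awk is inlined at L643), so a single copy in the shared conf.sh would prevent drift; the commented-out debug `echo` at L402 should go.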
end_group () {
if test -n "$TEST_FILE"; then
# remove the previous set of test rules
- copy_setports $TEST_FILE tmp
+ copy_setports $TEST_FILE tmp
+ add_librpz_rule "rollback"
sed -e 's/[ ]add[ ]/ delete /' tmp | $NSUPDATE
- rm -f tmp
+ rm -f tmp
TEST_FILE=
fi
ckalive $ns3 "failed; ns3 server crashed and restarted"
retry_quiet 10 make_proto_nodata
start_group "QNAME rewrites" test1
+
nochange . # 1 do not crash or rewrite root
nxdomain a0-1.tld2 # 2
nodata a3-1.tld2 # 3
# updating an response zone policy
cp ns2/blv2.tld2.db.in ns2/bl.tld2.db
rndc_reload ns2 $ns2 bl.tld2
+ add_librpz_rule "update zone bl.tld2 1 inc"
ck_soa 2 bl.tld2 $ns3
+ add_librpz_rule "wipe"
+ produce_librpz_rules ns2 bl.tld2 bl.tld2
nochange a7-1.tld2 # 19 PASSTHRU
# ensure that a clock tick has occurred so that named will do the reload
sleep 1
cp ns2/blv3.tld2.db.in ns2/bl.tld2.db
rndc_reload ns2 $ns2 bl.tld2
+ add_librpz_rule "update zone bl.tld2 1 inc"
ck_soa 3 bl.tld2 $ns3
+ produce_librpz_rules ns2 bl.tld2 bl.tld2
nxdomain a7-1.tld2 # 20 secondary policy zone (RT34450)
end_group
ckstats $ns3 test2 ns3 12
nxdomain a3-1.static-stub # 14
nochange_ns10 a3-1.stub-nomatch # 15
nochange_ns10 a3-1.static-stub-nomatch # 16
- if [ "$mode" = dnsrps ]; then
- addr 12.12.12.12 as-ns.tld5. # 17 qname-as-ns
- fi
nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" &&
setret "seen: unrecognized NS rpz_rrset_find() failed: glue"
end_group
- if [ "$mode" = dnsrps ]; then
- ckstats $ns3 test3 ns3 10
- else
- ckstats $ns3 test3 ns3 9
- fi
+ ckstats $ns3 test3 ns3 9
# these tests assume "min-ns-dots 0"
start_group "NSIP rewrites" test4
nxdomain a4-1.static-stub # 6
nochange_ns10 a4-1.stub-nomatch # 7
nochange_ns10 a4-1.static-stub-nomatch # 8
- if [ "$mode" = dnsrps ]; then
- addr 12.12.12.12 as-ns.tld5. # 9 ip-as-ns
- fi
nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" &&
setret "seen: unrecognized NS rpz_rrset_find() failed: glue"
end_group
a3-1.tld2. x IN TXT "NSIP walled garden"
EOF
end_group
- if [ "$mode" = dnsrps ]; then
- ckstats $ns3 test4 ns3 7
- else
- ckstats $ns3 test4 ns3 6
- fi
+ ckstats $ns3 test4 ns3 6
# policies in ./test5 overridden by response-policy{} in ns3/named.conf
# and in ns5/named.conf
ckstats $ns5 test5 ns5 4
# check that miscellaneous bugs are still absent
+ add_librpz_rule "wipe"
start_group "crashes" test6
for Q in RRSIG SIG ANY 'ANY +dnssec'; do
nocrash a3-1.tld2 -t$Q
echo_i "performance not checked; queryperf not available"
fi
- if [ "$mode" = dnsrps ]; then
- echo_i "checking that dnsrpzd is automatically restarted"
- OLD_PID=`cat dnsrpzd.pid`
- kill "$OLD_PID"
- n=0
- while true; do
- NEW_PID=`cat dnsrpzd.pid 2>/dev/null`
- if test -n "$NEW_PID" -a "0$OLD_PID" -ne "0$NEW_PID"; then
- #echo "OLD_PID=$OLD_PID NEW_PID=$NEW_PID"
- break;
- fi
- $DIG -p ${PORT} +short +norecurse a0-1.tld2 @$ns3 >/dev/null
- n=`expr $n + 1`
- if test "$n" -gt $TEN_SECS; then
- setret "dnsrpzd did not restart"
- break
- fi
- $WAIT_CMD
- done
- fi
-
# Ensure ns3 manages to transfer the fast-expire zone before shutdown.
nextpartreset ns3/named.run
wait_for_log 20 "zone fast-expire/IN: transferred serial 1" ns3/named.run
# restart the main test RPZ server to see if that creates a core file
if test -z "$HAVE_CORE"; then
stop_server --use-rndc --port ${CONTROLPORT} ns3
+ add_librpz_rule "restart"
restart 3 "rebuild-bl-rpz"
HAVE_CORE=`find ns* -name '*core*' -print`
test -z "$HAVE_CORE" || setret "found $HAVE_CORE; memory leak?"
if test -n "$EMSGS"; then
setret "error messages in $runfile starting with:"
grep -E 'invalid rpz|rpz.*failed' ns*/named.run | \
- sed -e '10,$d' -e 's/^//' | cat_i
+ sed -e '10,$d' -e 's/^//' | cat_i
fi
done
nsd $ns5 delete '*.example.com.policy1.' example.com.policy1.
done
+
t=`expr $t + 1`
echo_i "checking that going from an empty policy zone works (${t})"
nsd $ns5 add '*.x.servfail.policy2.' x.servfail.policy2.
+ add_librpz_rule "update add *.x.servfail.policy2 300 CNAME ."
sleep 1
rndc_reload ns7 $ns7 policy2
$DIG z.x.servfail -p ${PORT} @$ns7 > dig.out.${t}
fi
# RPZ 'CNAME *.' (NODATA) trumps DNS64. Test against various DNS64 scenarios.
+ produce_librpz_rules ns9 rpz rpz
for label in a-only no-a-no-aaaa a-plus-aaaa
do
for type in AAAA A
logging {
channel rpz_passthru {
- file "rpz_passthru.txt" versions 3 size 5m;
- print-time yes;
- print-category yes;
- print-severity yes;
- severity info;
+ file "rpz_passthru.txt" versions 3 size 5m;
+ print-time yes;
+ print-category yes;
+ print-severity yes;
+ severity info;
};
channel rpz_log {
- file "rpz.txt" versions 3 size 20m;
- print-time yes;
- print-category yes;
- print-severity yes;
- severity info;
+ file "rpz.txt" versions 3 size 20m;
+ print-time yes;
+ print-category yes;
+ print-severity yes;
+ severity info;
};
category rpz { rpz_log; default_debug; };
/ns3/named2.conf
/ns4/named.conf
/ans5/ans.pid
-/dnsrps-secondary.conf
/dnsrps.conf
/dnsrpzd.conf
session.key
rm -f ns3/named.conf
rm -f ns3/named.run.prev
-rm -f dnsrps*.conf dnsrpzd*
+rm -f dnsrps.cache
+rm -f dnsrps*.conf
rm -f ns*/session.key
rm -f ns*/managed-keys.bind* ns*/*.mkeys*
querylog yes;
# let ns3 start dnsrpzd
- include "../dnsrps-secondary.conf";
+ include "../dnsrps.conf";
};
key rndc_key {
copy_setports ns4/named.conf.in ns4/named.conf
+# decide whether to test DNSRPS
+$SHELL ../ckdnsrps.sh $TEST_DNSRPS $DEBUG
+test -z "`grep 'dnsrps-enable yes' dnsrps.conf`" && TEST_DNSRPS=
+touch dnsrps.cache
+
# setup policy zones for a 64-zone test
i=1
while test $i -le 64
done
i=`expr $i + 1`
done
-
-# decide whether to test DNSRPS
-$SHELL ../ckdnsrps.sh $TEST_DNSRPS $DEBUG
-test -z "`grep 'dnsrps-enable yes' dnsrps.conf`" && TEST_DNSRPS=
-
-CWD=`pwd`
-cat <<EOF >dnsrpzd.conf
-PID-FILE $CWD/dnsrpzd.pid;
-
-include $CWD/dnsrpzd-license-cur.conf
-
-zone "policy" { type primary; file "`pwd`/ns3/policy.db"; };
-EOF
-sed -n -e 's/^ *//' -e "/zone.*.*primary/s@file \"@&$CWD/ns2/@p" ns2/*.conf \
- >>dnsrpzd.conf
-
-# Run dnsrpzd to get the license and prime the static policy zones
-if test -n "$TEST_DNSRPS"; then
- DNSRPZD="`../rpz/dnsrps -p`"
- "$DNSRPZD" -D./dnsrpzd.rpzf -S./dnsrpzd.sock -C./dnsrpzd.conf \
- -w 0 -dddd -L stdout >./dnsrpzd.run 2>&1
-fi
t=0
+export DNSRPS_TEST_UPDATE_FILE=$(pwd)/dnsrps.cache
DEBUG=
ARGS=
run_server() {
TESTNAME=$1
+ start_server_rules $1 $2
echo_i "stopping resolver"
stop_server --use-rndc --port ${CONTROLPORT} ns2
sleep 3
}
+start_server_rules() {
+ FCONF=ns2/named.$1.conf
+
+ cat /dev/null > $DNSRPS_TEST_UPDATE_FILE
+ cat $FCONF | grep 'zone ' | grep ' primary' | while read LINE; do
+ ZONE=`echo $LINE | sed 's/.*zone "//g' | awk -F '"' '{print $1}'`;
+ DBFILE=`echo $LINE | sed 's/.*file "//g' | awk -F '"' '{print $1}'`;
+ cat ns2/$DBFILE | egrep -v '^;' | egrep '\<(A|CNAME)\>' | awk -v zone=$ZONE '{ if (NF == 4) {print "static add "$1"."zone" "$2" "$3" "$4} else if (NF == 3) {print "static add "$1"."zone" 300 "$2" "$3}}' >> $DNSRPS_TEST_UPDATE_FILE
+ done
+}
+
+produce_librpz_rules() {
+ ZONEFILE=$1/$3.db
+ cat $ZONEFILE | egrep -v '^;' | egrep '\<(A|CNAME)\>' | awk -v zone=$2 '{ if (NF == 4) {print "static add "$1"."zone" "$2" "$3" "$4} else if (NF == 3) {print "static add "$1"."zone" 300 "$2" "$3}}' >> $DNSRPS_TEST_UPDATE_FILE
+}
+
run_query() {
TESTNAME=$1
LINE=$2
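Review bot: `start_server_rules` extracts zone name and file from named.conf with `read LINE` (no `-r`) and unquoted `echo $LINE`, so backslashes in the line are interpreted and glob characters expanded before sed sees them; use `while IFS= read -r LINE; do` and `printf '%s\n' "$LINE" | sed ...`. The extraction also assumes each primary `zone` statement, including its `file` clause, sits on a single line of `ns2/named.$1.conf`; that holds only if those files are written that way, so a comment on the function stating this requirement would save the next person from a silent empty rule set. `start_server_rules` is also called from `run_server` at L631 before its definition, which is fine as long as `run_server` is only invoked after the file is fully sourced.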
LINE=$2
NAME=`sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1`
- t=`expr $t + 1`
+ t=$((t+1))
echo_i "testing $NAME doesn't recurse (${t})"
add_test_marker 10.53.0.2
run_query $TESTNAME $LINE || {
LINE=$2
NAME=`sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1`
- t=`expr $t + 1`
+ t=$((t+1))
echo_i "testing $NAME recurses (${t})"
add_test_marker 10.53.0.2
run_query $TESTNAME $LINE && {
# show whether and why DNSRPS is enabled or disabled
sed -n 's/^## //p' dnsrps.conf | cat_i
- t=`expr $t + 1`
+ t=$((t+1))
echo_i "testing that l1.l0 exists without RPZ (${t})"
add_test_marker 10.53.0.2
$DIG $DIGOPTS l1.l0 ns @10.53.0.2 -p ${PORT} > dig.out.${t}
status=1
}
- t=`expr $t + 1`
+ t=$((t+1))
echo_i "testing that l2.l1.l0 returns SERVFAIL without RPZ (${t})"
add_test_marker 10.53.0.2
$DIG $DIGOPTS l2.l1.l0 ns @10.53.0.2 -p ${PORT} > dig.out.${t}
for n in $testlist; do
run_server 4$n
ni=$1
- t=`expr $t + 1`
+ t=$((t+1))
echo_i "testing that ${ni} of 33 queries skip recursion (${t})"
add_test_marker 10.53.0.2
c=0
run_query 4$n $i
c=`expr $c + $?`
done
- skipped=`expr 33 - $c`
+ skipped=$((33-c))
if [ $skipped != $ni ]; then
echo_i "test $t failed (actual=$skipped, expected=$ni)"
status=1
echo_i "check recursive behavior consistency during policy update races"
run_server 6a
sleep 1
- t=`expr $t + 1`
+ t=$((t+1))
echo_i "running dig to cache CNAME record (${t})"
add_test_marker 10.53.0.1 10.53.0.2
$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME > dig.out.${t}
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
test -f dnsrpzd.pid && kill -USR1 `cat dnsrpzd.pid`
sleep 1
- t=`expr $t + 1`
+ t=$((t+1))
echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})"
add_test_marker 10.53.0.2
$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 > dig.out.${t} &
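Review bot: `test -f dnsrpzd.pid && kill -USR1 \`cat dnsrpzd.pid\`` at L708 (and again at L724 in the next hunk) is left in place although this commit removes everything that started dnsrpzd and created dnsrpzd.pid (the setup block deleted at L619-L624 with its `PID-FILE` line, and the clean-up at L135), so the line is dead in both modes. If the dnsrps mode still needs to be nudged after the `rndc reload`, the equivalent is presumably an `add_librpz_rule` update line as used elsewhere in this commit; otherwise remove both lines.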
cp ns2/saved.policy.local ns2/db.6a.00.policy.local
run_server 6a
sleep 1
- t=`expr $t + 1`
+ t=$((t+1))
echo_i "running dig to cache CNAME record (${t})"
add_test_marker 10.53.0.1 10.53.0.2
$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME > dig.out.${t}
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
test -f dnsrpzd.pid && kill -USR1 `cat dnsrpzd.pid`
sleep 1
- t=`expr $t + 1`
+ t=$((t+1))
echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})"
add_test_marker 10.53.0.2
$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 > dig.out.${t} &
}
# Check maximum number of RPZ zones (64)
- t=`expr $t + 1`
+ t=$((t+1))
echo_i "testing maximum number of RPZ zones (${t})"
add_test_marker 10.53.0.2
run_server max
echo_i "test $t failed: didn't get expected answer from policy zone $i"
status=1
}
- i=`expr $i + 1`
+ i=$((i+1))
done
# Check CLIENT-IP behavior
- t=`expr $t + 1`
+ t=$((t+1))
echo_i "testing CLIENT-IP behavior (${t})"
add_test_marker 10.53.0.2
run_server clientip
}
# Check CLIENT-IP behavior #2
- t=`expr $t + 1`
+ t=$((t+1))
echo_i "testing CLIENT-IP behavior #2 (${t})"
add_test_marker 10.53.0.2
run_server clientip2
}
# Check RPZ log clause
- t=`expr $t + 1`
+ t=$((t+1))
echo_i "testing RPZ log clause (${t})"
add_test_marker 10.53.0.2
run_server log
# Check wildcard behavior
- t=`expr $t + 1`
+ t=$((t+1))
echo_i "testing wildcard behavior with 1 RPZ zone (${t})"
add_test_marker 10.53.0.2
run_server wildcard1
status=1
}
- t=`expr $t + 1`
+ t=$((t+1))
echo_i "testing wildcard behavior with 2 RPZ zones (${t})"
add_test_marker 10.53.0.2
run_server wildcard2
status=1
}
- t=`expr $t + 1`
+ t=$((t+1))
echo_i "testing wildcard behavior with 1 RPZ zone and no non-wildcard triggers (${t})"
add_test_marker 10.53.0.2
run_server wildcard3
status=1
}
- t=`expr $t + 1`
+ t=$((t+1))
echo_i "testing wildcard passthru before explicit drop (${t})"
add_test_marker 10.53.0.2
run_server wildcard4
if [ "$mode" = "native" ]; then
# Check for invalid prefix length error
- t=`expr $t + 1`
+ t=$((t+1))
echo_i "testing for invalid prefix length error (${t})"
add_test_marker 10.53.0.2
run_server invalidprefixlength
}
fi
- t=`expr $t + 1`
- echo_i "checking 'nsip-wait-recurse no' is faster than 'nsip-wait-recurse yes' ($t)"
- add_test_marker 10.53.0.2 10.53.0.3
- echo_i "timing 'nsip-wait-recurse yes' (default)"
- ret=0
- t1=`$PERL -e 'print time()."\n";'`
- $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.yes.$t
- t2=`$PERL -e 'print time()."\n";'`
- p1=`expr $t2 - $t1`
- echo_i "elapsed time $p1 seconds"
-
- $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
- copy_setports ns3/named2.conf.in ns3/named.conf
- nextpart ns3/named.run > /dev/null
- $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null
- wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
-
- echo_i "timing 'nsip-wait-recurse no'"
- t3=`$PERL -e 'print time()."\n";'`
- $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.no.$t
- t4=`$PERL -e 'print time()."\n";'`
- p2=`expr $t4 - $t3`
- echo_i "elapsed time $p2 seconds"
-
- if test $p1 -le $p2; then ret=1; fi
- if test $ret != 0; then echo_i "failed"; fi
- status=`expr $status + $ret`
-
- $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
- # restore original named.conf
- copy_setports ns3/named1.conf.in ns3/named.conf
- nextpart ns3/named.run > /dev/null
- $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null
- wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
-
- t=`expr $t + 1`
- echo_i "checking 'nsdname-wait-recurse no' is faster than 'nsdname-wait-recurse yes' ($t)"
- add_test_marker 10.53.0.2 10.53.0.3
- echo_i "timing 'nsdname-wait-recurse yes' (default)"
- ret=0
- t1=`$PERL -e 'print time()."\n";'`
- $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.yes.$t
- t2=`$PERL -e 'print time()."\n";'`
- p1=`expr $t2 - $t1`
- echo_i "elapsed time $p1 seconds"
-
- $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
- copy_setports ns3/named3.conf.in ns3/named.conf
- nextpart ns3/named.run > /dev/null
- $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null
- wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
-
- echo_i "timing 'nsdname-wait-recurse no'"
- t3=`$PERL -e 'print time()."\n";'`
- $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.no.$t
- t4=`$PERL -e 'print time()."\n";'`
- p2=`expr $t4 - $t3`
- echo_i "elapsed time $p2 seconds"
-
- if test $p1 -le $p2; then ret=1; fi
- if test $ret != 0; then echo_i "failed"; fi
- status=`expr $status + $ret`
+ if [ "$mode" = "native" ]; then
+ t=$((t+1))
+ echo_i "checking 'nsip-wait-recurse no' is faster than 'nsip-wait-recurse yes' ($t)"
+ add_test_marker 10.53.0.2 10.53.0.3
+ echo_i "timing 'nsip-wait-recurse yes' (default)"
+ produce_librpz_rules ns3 policy policy
+ ret=0
+ t1=`$PERL -e 'print time()."\n";'`
+ $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.yes.$t
+ t2=`$PERL -e 'print time()."\n";'`
+ p1=$((t2-t1))
+ echo_i "elapsed time $p1 seconds"
+
+ $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
+ copy_setports ns3/named2.conf.in ns3/named.conf
+ nextpart ns3/named.run > /dev/null
+ $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null
+ wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
+
+ echo_i "timing 'nsip-wait-recurse no'"
+ echo "update zone policy 0 no_nsip_wait_recurse" > $DNSRPS_TEST_UPDATE_FILE
+ t3=`$PERL -e 'print time()."\n";'`
+ $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.no.$t
+ t4=`$PERL -e 'print time()."\n";'`
+ p2=$((t4-t3))
+ echo_i "elapsed time $p2 seconds"
+
+ if test $p1 -le $p2; then ret=1; fi
+ if test $ret != 0; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
+ # restore original named.conf
+ copy_setports ns3/named1.conf.in ns3/named.conf
+ nextpart ns3/named.run > /dev/null
+ $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null
+ wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
+
+ t=$((t+1))
+ echo_i "checking 'nsdname-wait-recurse no' is faster than 'nsdname-wait-recurse yes' ($t)"
+ add_test_marker 10.53.0.2 10.53.0.3
+ echo_i "timing 'nsdname-wait-recurse yes' (default)"
+ ret=0
+ t1=`$PERL -e 'print time()."\n";'`
+ $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.yes.$t
+ t2=`$PERL -e 'print time()."\n";'`
+ p1=$((t2-t1))
+ echo_i "elapsed time $p1 seconds"
+
+ $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
+ copy_setports ns3/named3.conf.in ns3/named.conf
+ nextpart ns3/named.run > /dev/null
+ $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null
+ wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
+
+ echo_i "timing 'nsdname-wait-recurse no'"
+ t3=`$PERL -e 'print time()."\n";'`
+ $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.no.$t
+ t4=`$PERL -e 'print time()."\n";'`
+ p2=$((t4-t3))
+ echo_i "elapsed time $p2 seconds"
+
+ if test $p1 -le $p2; then ret=1; fi
+ if test $ret != 0; then echo_i "failed"; fi
+ status=$((status+ret))
+ fi
[ $status -ne 0 ] && pf=fail || pf=pass