daemon/proxyv2.test: deckard test for PROXYv2
authorOto Šťáva <oto.stava@nic.cz>
Tue, 4 Jan 2022 12:45:29 +0000 (13:45 +0100)
committerVladimír Čunát <vladimir.cunat@nic.cz>
Tue, 22 Feb 2022 10:52:11 +0000 (10:52 +0000)
ci/images/debian-11/Dockerfile
daemon/meson.build
daemon/proxyv2.test/deckard.yaml [new file with mode: 0644]
daemon/proxyv2.test/dnsdist_config.j2 [new file with mode: 0644]
daemon/proxyv2.test/kresd_config.j2 [new file with mode: 0644]
daemon/proxyv2.test/proxyv2_valid.rpl [new file with mode: 0644]

index 49deb5e8f297827100ee1592d37479c2c7a7d911..b755720a77da56cdf61a8d3760b1740f5681e978 100644 (file)
@@ -101,6 +101,9 @@ RUN printf 'options {\n directory "/var/cache/bind";\n listen-on port 53533 { 12
 # PowerDNS Recursor for Deckard CI
 RUN apt-get install pdns-recursor -y -qqq
 
+# dnsdist for Deckard CI
+RUN apt-get install dnsdist -y -qqq
+
 # code coverage
 RUN apt-get install -y -qqq lcov
 RUN luarocks --lua-version 5.1 install luacov
index ba94d95a31c7b1fd109c6aa207a4b9eb130ecabe..4d9ca578e20ecb2d478c38fb210a3c8f2195dc32 100644 (file)
@@ -34,7 +34,8 @@ config_tests += [
 ]
 
 integr_tests += [
-  ['cache_insert_ns', meson.current_source_dir() / 'cache.test' / 'insert_ns.test.integr']
+  ['cache_insert_ns', meson.current_source_dir() / 'cache.test' / 'insert_ns.test.integr'],
+  ['proxyv2', meson.current_source_dir() / 'proxyv2.test']
 ]
 
 kresd_deps = [
diff --git a/daemon/proxyv2.test/deckard.yaml b/daemon/proxyv2.test/deckard.yaml
new file mode 100644 (file)
index 0000000..8eb2fa6
--- /dev/null
@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+programs:
+  - name: dnsdist
+    binary: dnsdist
+    additional:
+      - --verbose
+      - --supervised
+      - --config
+      - dnsdist.conf
+    ignore_exit_code: True
+    templates:
+      - daemon/proxyv2.test/dnsdist_config.j2
+    configs:
+      - dnsdist.conf
+  - name: kresd
+    binary: kresd
+    additional:
+      - --noninteractive
+    templates:
+      - daemon/proxyv2.test/kresd_config.j2
+      - tests/integration/hints_zone.j2
+    configs:
+      - config
+      - hints
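Review bot: `ignore_exit_code: True` on the dnsdist program carries no explanation, so a reader cannot tell whether a non-zero exit is expected at shutdown or whether the flag is hiding a real failure such as a rejected `dnsdist.conf`. I would add a comment directly above it, for example `# dnsdist exit status is ignored because <reason>`, with the reason filled in by the author. If the flag turns out not to be needed, dropping it would let a crashing proxy fail the test directly rather than only through unanswered queries.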
diff --git a/daemon/proxyv2.test/dnsdist_config.j2 b/daemon/proxyv2.test/dnsdist_config.j2
new file mode 100644 (file)
index 0000000..0bd4a55
--- /dev/null
@@ -0,0 +1,11 @@
+-- vim:syntax=lua
+setLocal('{{SELF_ADDR}}')
+setVerboseHealthChecks(true)
+setServerPolicy(firstAvailable)
+
+local server = newServer({
+       address="{{PROGRAMS['kresd']['address']}}",
+       useProxyProtocol=true,
+       checkName="example.cz."
+})
+server:setUp()
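Review bot: `server:setUp()` on the last line marks the backend administratively up, and as far as I know dnsdist stops acting on health-check results for a server in that state. That would mean `checkName="example.cz."` and `setVerboseHealthChecks(true)` have no effect on routing in this config. If the forced state is intentional, a comment such as `-- force UP so the first test query is forwarded without waiting for a health check` would record it; otherwise the health-check options can be removed to keep the template minimal.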
diff --git a/daemon/proxyv2.test/kresd_config.j2 b/daemon/proxyv2.test/kresd_config.j2
new file mode 100644 (file)
index 0000000..e7cbf63
--- /dev/null
@@ -0,0 +1,63 @@
+-- SPDX-License-Identifier: GPL-3.0-or-later
+{% raw %}
+modules.load('view < policy')
+view:addr("127.127.0.0", policy.suffix(policy.DENY_MSG("addr 127.127.0.0 matched com"),{"\3com\0"}))
+-- policy.add(policy.all(policy.FORWARD('1.2.3.4')))
+
+-- make sure DNSSEC is turned off for tests
+trust_anchors.remove('.')
+
+-- Disable RFC5011 TA update
+if ta_update then
+        modules.unload('ta_update')
+end
+
+-- Disable RFC8145 signaling, scenario doesn't provide expected answers
+if ta_signal_query then
+        modules.unload('ta_signal_query')
+end
+
+-- Disable RFC8109 priming, scenario doesn't provide expected answers
+if priming then
+        modules.unload('priming')
+end
+
+-- Disable this module because it make one priming query
+if detect_time_skew then
+        modules.unload('detect_time_skew')
+end
+
+_hint_root_file('hints')
+cache.size = 2*MB
+log_level('debug')
+{% endraw %}
+
+-- Allow PROXYv2 from dnsdist's address
+--net.proxy_allowed("{{PROGRAMS['dnsdist']['address']}}")
+net.proxy_allowed("127.127.0.0/16")
+
+net = { '{{SELF_ADDR}}' }
+
+{% if QMIN == "false" %}
+option('NO_MINIMIZE', true)
+{% else %}
+option('NO_MINIMIZE', false)
+{% endif %}
+
+
+-- Self-checks on globals
+assert(help() ~= nil)
+assert(worker.id ~= nil)
+-- Self-checks on facilities
+assert(cache.count() == 0)
+assert(cache.stats() ~= nil)
+assert(cache.backends() ~= nil)
+assert(worker.stats() ~= nil)
+assert(net.interfaces() ~= nil)
+-- Self-checks on loaded stuff
+assert(net.list()[1].transport.ip == '{{SELF_ADDR}}')
+assert(#modules.list() > 0)
+-- Self-check timers
+ev = event.recurrent(1 * sec, function (ev) return 1 end)
+event.cancel(ev)
+ev = event.after(0, function (ev) return 1 end)
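Review bot: `net.proxy_allowed("127.127.0.0/16")` accepts PROXYv2 headers from an entire /16, while the line just above it, which would have limited trust to dnsdist's own address, is commented out. On loopback in CI this is harmless, but test configs get copied as examples, and the wide range means the test cannot show that the allow-list is limited to the proxy. I would restore `net.proxy_allowed("{{PROGRAMS['dnsdist']['address']}}")`, or keep the /16 with a comment saying why the templated address cannot be used. The commented-out `policy.FORWARD('1.2.3.4')` line near the top is dead and could be dropped as well.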
diff --git a/daemon/proxyv2.test/proxyv2_valid.rpl b/daemon/proxyv2.test/proxyv2_valid.rpl
new file mode 100644 (file)
index 0000000..ada8a37
--- /dev/null
@@ -0,0 +1,72 @@
+; SPDX-License-Identifier: GPL-3.0-or-later
+; config options
+       stub-addr: 1.2.3.4
+       query-minimization: off
+CONFIG_END
+
+SCENARIO_BEGIN proxyv2:valid test
+
+RANGE_BEGIN 0 110
+       ADDRESS 1.2.3.4
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+example.cz. IN A
+SECTION ANSWER
+example.cz. IN A 5.6.7.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+k.root-servers.net. IN AAAA
+SECTION ANSWER
+k.root-servers.net. IN AAAA ::1
+ENTRY_END
+
+RANGE_END
+
+; query with PROXYv2 header - not blocked
+STEP 10 QUERY
+ENTRY_BEGIN
+ADJUST raw_id
+REPLY RD
+SECTION QUESTION
+example.cz. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH flags rcode question answer
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+example.cz. IN A
+SECTION ANSWER
+example.cz. IN A 5.6.7.8
+ENTRY_END
+
+; query with PROXYv2 header - blocked by view:addr
+; NXDOMAIN expected
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+example.com. IN A
+ENTRY_END
+
+STEP 31 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH opcode question rcode additional
+REPLY QR RD RA AA NXDOMAIN
+SECTION QUESTION
+example.com. IN A
+SECTION ADDITIONAL
+explanation.invalid. 10800 IN TXT "addr 127.127.0.0 matched com"
+ENTRY_END
+
+SCENARIO_END
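Review bot: The scenario exercises only the accepting path: both queries arrive with a PROXYv2 header from a sender inside `net.proxy_allowed`. Nothing here checks the case that matters for source-address spoofing, a header from a sender outside the allow-list, which kresd is presumably expected to refuse. Since `deckard.yaml` routes every query through dnsdist, that probably needs a second scenario with a kresd config whose allow-list excludes the proxy, asserting that the `view:addr` rule for 127.127.0.0 is then not applied. A comment at the top of this file stating that rejection is out of scope would at least make the gap explicit.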