+3627. [bug] RPZ changes were not effective on slaves. [RT #34450]
+
3625. [bug] Don't send notify messages to machines outside of the
test setup.
# Clean up after rpz tests.
rm -f proto.* dsset-* random.data trusted.conf dig.out* nsupdate.tmp ns*/*tmp
-rm -f ns*/*.key ns*/*.private ns2/tld2s.db
+rm -f ns*/*.key ns*/*.private ns2/tld2s.db ns2/bl.tld2.db
rm -f ns3/bl*.db ns*/*switch ns5/requests ns5/example.db ns5/bl.db ns5/*.perf
rm -f */named.memstats */named.run */named.stats */session.key
rm -f */*.jnl */*.core */*.pid
--- /dev/null
+; Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id$
+
+
+
+; master for slave RPZ zone
+
+$TTL 3600
+@ SOA rpz.tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )
+ NS ns2
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+32.1.7.168.192.rpz-ip CNAME .
--- /dev/null
+; Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id$
+
+
+
+; master for slave RPZ zone
+
+$TTL 3600
+@ SOA rpz.tld2. hostmaster.ns.tld2. ( 2 3600 1200 604800 60 )
+ NS ns2
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
--- /dev/null
+; Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id$
+
+
+
+; master for slave RPZ zone
+
+$TTL 3600
+@ SOA rpz.tld2. hostmaster.ns.tld2. ( 3 3600 1200 604800 60 )
+ NS ns2
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+32.1.7.168.192.rpz-ip CNAME .
notify no;
};
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+controls {
+ inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
+};
+
include "../trusted.conf";
zone "." { type hint; file "hints"; };
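Review bot: The `controls` block added for ns2 accepts connections from `any` address and is protected only by the short literal secret `1234abcd8765`, with nothing in the file marking it as a fixture. It listens only on 10.53.0.2 port 9953, and the key presumably has to match `common/rndc.conf` for the `$RNDCCMD 10.53.0.2 reload` calls in tests.sh to work, so the values themselves can stay. I would add a comment above the key, such as `# system-test control channel only; key must match common/rndc.conf, never reuse in a deployed config`, so the block is not copied into a real configuration as-is.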
zone "subsub.sub3.tld2." {type master; file "tld2.db";};
zone "tld2s." {type master; file "tld2s.db";};
+
+zone "bl.tld2." {type master; file "bl.tld2.db"; notify yes; notify-delay 1;};
TXT "a6-1 tld2 text"
a6-2 A 192.168.6.2
TXT "a6-2 tld2 text"
+
+a7-1 A 192.168.7.1
+ TXT "a7-1 tld2 text"
zone "bl-cname" policy cname txt-only.tld2.;
zone "bl-wildcname" policy cname *.tld4.;
zone "bl-garden" policy cname a12.tld2.;
+ zone "bl.tld2";
} min-ns-dots 0;
};
zone "bl-garden." {type master; file "bl-garden.db";
allow-update {any;};};
+zone "bl.tld2." {type slave; file "bl.tld2.db"; masters {10.53.0.2;};
+ request-ixfr no; masterfile-format text;};
+
zone "crash1.tld2" {type master; file "crash1";};
zone "crash2.tld3." {type master; file "crash2";};
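Review bot: The new slave zone sets `request-ixfr no;` and `masterfile-format text;` with no comment saying why, although both look deliberate. With IXFR disabled, every update presumably arrives as a full transfer, which is the path through `axfr_makedb` that this commit changes, so the option appears to be what makes the test reach the fix. A one-line comment such as `# force AXFR so each update builds a fresh database (RT #34450)` would keep a later cleanup from dropping it. The incremental-transfer path is not exercised by this test.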
printf("host-%05d.example.tld5 A\n", $val);
$val = ($val * 9 + 32771) % 65536;
}' >ns5/requests
+
+cp ns2/bl.tld2.db.in ns2/bl.tld2.db
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s"
digcmd () {
- digcmd_args="+noadd +time=1 +tries=1 -p 5300 $*"
- expr "$digcmd_args" : '.*@' >/dev/null || \
- digcmd_args="$digcmd_args @$ns3"
- expr "$digcmd_args" : '.*+[no]*auth' >/dev/null || \
- digcmd_args="+noauth $digcmd_args"
+ # Default to +noauth and @$ns3
+ # Also default to -bX where X is the @value so that OS X will choose
+ # the right IP source address.
+ digcmd_args=`echo "+noadd +time=1 +tries=1 -p 5300 $*" | \
+ sed -e "/@/!s/.*/& @$ns3/" \
+ -e '/-b/!s/@\([^ ]*\)/@\1 -b\1/' \
+ -e '/+n?o?auth/!s/.*/+noauth &/'`
#echo I:dig $digcmd_args 1>&2
$DIG $digcmd_args
}
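Review bot: The last sed expression, `/+n?o?auth/!s/.*/+noauth &/`, can never skip the substitution, because sed uses basic regular expressions here and `?` is a literal character in them, so the address only matches the literal text `+n?o?auth`. As a result `+noauth` is prepended even when the caller passes `+auth` or `+noauth`; the caller's option still comes later in the argument list and probably wins, but the guard itself is dead. The removed `expr` test used `+[no]*auth`, which works in basic syntax, so I would write the line as `-e '/+[no]*auth/!s/.*/+noauth &/'`. The `/-b/!` address has a smaller version of the same looseness: it matches `-b` anywhere in the arguments, including inside a query name.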
# check that statistics for $1 in $2 = $3
ckstats () {
+ rm -f $2/named.stats
$RNDCCMD $1 stats
CNT=`sed -n -e 's/[ ]*\([0-9]*\).response policy.*/\1/p' \
$2/named.stats`
nochange a5-4.tld2 +norecurse # 14 check that RD=1 is required
nochange a4-4.tld2 # 15 PASSTHRU
nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c
+ckstats $ns3 ns3 29
+nxdomain a7-1.tld2 # 17 slave policy zone (RT34450)
+cp ns2/blv2.tld2.db.in ns2/bl.tld2.db
+$RNDCCMD 10.53.0.2 reload bl.tld2
+goodsoa="rpz.tld2. hostmaster.ns.tld2. 2 3600 1200 604800 60"
+for i in 0 1 2 3 4 5 6 7 8 9 10
+do
+ soa=`$DIG -p 5300 +short soa bl.tld2 @10.53.0.3 -b10.53.0.3`
+ test "$soa" = "$goodsoa" && break
+ sleep 1
+done
+nochange a7-1.tld2 # 18 PASSTHRU
+sleep 1 # ensure that a clock tick has occured so that the reload takes effect
+cp ns2/blv3.tld2.db.in ns2/bl.tld2.db
+goodsoa="rpz.tld2. hostmaster.ns.tld2. 3 3600 1200 604800 60"
+$RNDCCMD 10.53.0.2 reload bl.tld2
+for i in 0 1 2 3 4 5 6 7 8 9 10
+do
+ soa=`$DIG -p 5300 +short soa bl.tld2 @10.53.0.3 -b10.53.0.3`
+ test "$soa" = "$goodsoa" && break
+ sleep 1
+done
+nxdomain a7-1.tld2 # 19 slave policy zone (RT34450)
+ckstats $ns3 ns3 31
end_group
# check that IP addresses for previous group were deleted from the radix tree
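Review bot: Both polling loops (after the `blv2` reload and after the `blv3` reload) fall through silently when ns3 never reaches the expected serial, so a failed transfer only shows up as a wrong answer in test 18 or 19 with no hint of the cause. After each `done` I would add `test "$soa" = "$goodsoa" || echo "I:ns3 never served bl.tld2 SOA '$goodsoa' (got '$soa')"`. The exit status of `$RNDCCMD 10.53.0.2 reload bl.tld2` is also ignored in both places. The comment on the `sleep 1` line has a typo, `occured` for `occurred`.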
echo "I:performance not checked; queryperf not available"
fi
-
-ckstats $ns3 ns3 55
+ckstats $ns3 ns3 57
# restart the main test RPZ server to see if that creates a core file
if test -z "$HAVE_CORE"; then
* Set the response policy associated with a zone.
*/
+isc_result_t
+dns_zone_rpz_enable_db(dns_zone_t *zone, dns_db_t *db);
+/*%
+ * If a zone is a response policy zone, mark its new database.
+ */
+
isc_boolean_t
dns_zone_get_rpz(dns_zone_t *zone);
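Review bot: The comment for `dns_zone_rpz_enable_db` follows the prototype but opens with `/*%` rather than `/*%<`, so a documentation generator would likely attach it to `dns_zone_get_rpz` below instead. It also leaves out the contract. From the definition added in this commit, the call returns `ISC_R_SUCCESS` without touching `db` when the zone is not a response policy zone, and otherwise returns the result of `dns_db_rpz_enabled()`. I would open the comment with `/*%<` and add a `Returns:` line saying so, since `axfr_makedb` now propagates that result.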
static isc_result_t
axfr_makedb(dns_xfrin_ctx_t *xfr, dns_db_t **dbp) {
- return (dns_db_create(xfr->mctx, /* XXX */
- "rbt", /* XXX guess */
- &xfr->name,
- dns_dbtype_zone,
- xfr->rdclass,
- 0, NULL, /* XXX guess */
- dbp));
+ isc_result_t result;
+
+ result = dns_db_create(xfr->mctx, /* XXX */
+ "rbt", /* XXX guess */
+ &xfr->name,
+ dns_dbtype_zone,
+ xfr->rdclass,
+ 0, NULL, /* XXX guess */
+ dbp);
+ if (result == ISC_R_SUCCESS)
+ result = dns_zone_rpz_enable_db(xfr->zone, *dbp);
+ return (result);
}
static isc_result_t
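Review bot: When `dns_zone_rpz_enable_db` fails, `axfr_makedb` returns an error while `*dbp` still holds the database that `dns_db_create` just attached. Whether the caller releases it on that path is not visible in this hunk. If it does not, the database leaks, and if it keeps using `*dbp` it holds a policy-zone database that was never marked. Releasing it locally keeps the function all-or-nothing: inside the `result == ISC_R_SUCCESS` branch, directly after the enable call, add `if (result != ISC_R_SUCCESS) dns_db_detach(dbp);` so it runs only when the create succeeded.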
return (zone->is_rpz);
}
+/*
+ * If a zone is a response policy zone, mark its new database.
+ */
+isc_result_t
+dns_zone_rpz_enable_db(dns_zone_t *zone, dns_db_t *db) {
+#ifdef BIND9
+ if (zone->is_rpz)
+ return (dns_db_rpz_enabled(db, NULL));
+#endif
+ return (ISC_R_SUCCESS);
+}
+
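Review bot: `dns_zone_rpz_enable_db` is now an exported entry point called from xfrin.c with `xfr->zone`, yet it dereferences `zone` and passes `db` on without checking either argument. I would start the body with `REQUIRE(DNS_ZONE_VALID(zone));` and `REQUIRE(db != NULL);` so a bad caller fails at the boundary rather than inside `dns_db_rpz_enabled`. In a build without `BIND9` defined both parameters are unused, so an `#else` branch with `UNUSED(zone); UNUSED(db);` would keep that configuration free of warnings. `zone->is_rpz` is read without taking the zone lock, as in the `dns_zone_get_rpz` context line above; whether that is safe against a concurrent reconfiguration cannot be judged from this hunk.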
static isc_result_t
zone_load(dns_zone_t *zone, unsigned int flags) {
isc_result_t result;
isc_result_t tresult;
unsigned int options;
-#ifdef BIND9
- if (zone->is_rpz) {
- result = dns_db_rpz_enabled(db, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
-#endif
-
+ result = dns_zone_rpz_enable_db(zone, db);
+ if (result != ISC_R_SUCCESS)
+ return (result);
options = get_master_options(zone);
if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MANYERRORS))
options |= DNS_MASTER_MANYERRORS;