check 'update-policy 6to4-self' over IPv4

author Mark Andrews <marka@isc.org>

Wed, 5 Jun 2024 05:22:17 +0000 (15:22 +1000)

committer Mark Andrews <marka@isc.org>

Thu, 1 Aug 2024 05:17:30 +0000 (15:17 +1000)
author Mark Andrews <marka@isc.org>
Wed, 5 Jun 2024 05:22:17 +0000 (15:22 +1000)
committer Mark Andrews <marka@isc.org>
Thu, 1 Aug 2024 05:17:30 +0000 (15:17 +1000)
diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh

index 99f3d4d612771dbdddef8dcefedd9a8947479386..de5f3c3be948ea43e9bd872a69bf729d2c350055 100644 (file)
--- a/bin/tests/system/nsupdate/clean.sh
+++ b/bin/tests/system/nsupdate/clean.sh
@@ -54,6 +54,7 @@ rm -f ns3/many.test.bk
  rm -f ns3/nsec3param.test.db
  rm -f ns3/too-big.test.db
  rm -f ns5/local.db
+rm -f ns6/2.0.0.2.ip6.addr.db
  rm -f ns6/in-addr.db
  rm -f ns7/_default.tsigkeys
  rm -f ns7/example.com.db
diff --git a/bin/tests/system/nsupdate/ns6/2.0.0.2.ip6.addr.db.in b/bin/tests/system/nsupdate/ns6/2.0.0.2.ip6.addr.db.in

new file mode 100644 (file)

index 0000000..71609c3
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns6/2.0.0.2.ip6.addr.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300       ; 5 minutes
+@              IN SOA  ns5.local.nil. hostmaster.local.nil. (
+                               1          ; serial
+                               2000       ; refresh (2000 seconds)
+                               2000       ; retry (2000 seconds)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns6
+ns6                    A       10.53.0.6
diff --git a/bin/tests/system/nsupdate/ns6/named.conf.in b/bin/tests/system/nsupdate/ns6/named.conf.in

index c636cfc7542e86ec1a5295516cdd1b0f34008cad..5ed16235462a19cd18a344a88c933d2a8cc45c00 100644 (file)
--- a/bin/tests/system/nsupdate/ns6/named.conf.in
+++ b/bin/tests/system/nsupdate/ns6/named.conf.in
@@ -39,3 +39,9 @@ zone "in-addr.arpa" {
         file "in-addr.db";
         update-policy { grant * tcp-self . PTR(1) ANY(2) A; };
  };
+
+zone "2.0.0.2.ip6.arpa" {
+       type primary;
+       file "2.0.0.2.ip6.addr.db";
+       update-policy { grant * 6to4-self . NS(10) DS(4); };
+};
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh

index fab75704bf52803f812145e8c77bb1517d4de5a7..6ea5a6602743a8b7297062b71b7c0d8f7c766753 100644 (file)
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
@@ -115,6 +115,7 @@ cp ns2/sample.db.in ns2/sample.db
  cp -f ns1/maxjournal.db.in ns1/maxjournal.db
  
  cp -f ns5/local.db.in ns5/local.db
+cp -f ns6/2.0.0.2.ip6.addr.db.in ns6/2.0.0.2.ip6.addr.db
  cp -f ns6/in-addr.db.in ns6/in-addr.db
  cp -f ns7/in-addr.db.in ns7/in-addr.db
  cp -f ns7/example.com.db.in ns7/example.com.db
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh

index 3d309d93f10e8dc19dd18b97441df6739ea1b2e4..6a1fb1b3cf078abda1d1671556c152b02eeddcf1 100755 (executable)
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -759,6 +759,48 @@ if test $ret -ne 0; then
    status=1
  fi
  
+n=$((n + 1))
+ret=0
+echo_i "check that 'update-policy 6to4-self' refuses update of records via UDP over IPv4 ($n)"
+REVERSE_NAME=6.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa
+$NSUPDATE >nsupdate.out.$n 2>&1 <<END && ret=1
+server 10.53.0.6 ${PORT}
+local 10.53.0.6
+zone 2.0.0.2.ip6.arpa
+update add ${REVERSE_NAME} 600 NS localhost.
+send
+END
+grep REFUSED nsupdate.out.$n >/dev/null 2>&1 || ret=1
+$DIG $DIGOPTS @10.53.0.6 \
+  +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+  $REVERSE_NAME NS >dig.out.ns6.$n
+grep localhost. dig.out.ns6.$n >/dev/null 2>&1 && ret=1
+if test $ret -ne 0; then
+  echo_i "failed"
+  status=1
+fi
+
+n=$((n + 1))
+echo_i "check that 'update-policy 6to4-self' permits update of records for the client's own address via TCP over IPv4 ($n)"
+ret=0
+REVERSE_NAME=6.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa
+$NSUPDATE -v >nsupdate.out.$n 2>&1 <<END || ret=1
+server 10.53.0.6 ${PORT}
+local 10.53.0.6
+zone 2.0.0.2.ip6.arpa
+update add ${REVERSE_NAME} 600 NS localhost.
+send
+END
+grep REFUSED nsupdate.out.$n >/dev/null 2>&1 && ret=1
+$DIG $DIGOPTS @10.53.0.6 \
+  +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+  $REVERSE_NAME NS >dig.out.ns6.$n || ret=1
+grep localhost. dig.out.ns6.$n >/dev/null 2>&1 || ret=1
+if test $ret -ne 0; then
+  echo_i "failed"
+  status=1
+fi
+
  n=$((n + 1))
  ret=0
  echo_i "check that 'update-policy subdomain' is properly enforced ($n)"
author	Mark Andrews <marka@isc.org>
	Wed, 5 Jun 2024 05:22:17 +0000 (15:22 +1000)
committer	Mark Andrews <marka@isc.org>
	Thu, 1 Aug 2024 05:17:30 +0000 (15:17 +1000)
bin/tests/system/nsupdate/clean.sh		patch \| blob \| blame \| history
bin/tests/system/nsupdate/ns6/2.0.0.2.ip6.addr.db.in	[new file with mode: 0644]	patch \| blob
bin/tests/system/nsupdate/ns6/named.conf.in		patch \| blob \| blame \| history
bin/tests/system/nsupdate/setup.sh		patch \| blob \| blame \| history
bin/tests/system/nsupdate/tests.sh		patch \| blob \| blame \| history