recursion no;
notify yes;
minimal-responses no;
+ update-quota 1;
};
acl named-acl {
check-integrity no;
check-mx warn;
update-policy local;
+ allow-query { !10.53.0.2; any; };
allow-query-on { 10.53.0.1; 127.0.0.1; };
allow-transfer { any; };
};
grep '1 ns.relaxed. alpn="h2"' dig.out.ns3.test$n || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
+n=$((n + 1))
+ret=0
+echo_i "check that update is rejected if query is not allowed ($n)"
+{
+ $NSUPDATE -d <<END
+ local 10.53.0.2
+ server 10.53.0.1 ${PORT}
+ update add reject.other.nil 3600 IN TXT Whatever
+ send
+END
+} > nsupdate.out.test$n 2>&1
+grep 'failed: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that update is rejected if quota is exceeded ($n)"
+for loop in 1 2 3 4 5 6 7 8 9 10; do
+{
+ $NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null 2>&1 <<END
+ update add txt-$loop.other.nil 3600 IN TXT Whatever
+ send
+END
+} &
+done
+wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
if ! $FEATURETEST --gssapi ; then
echo_i "SKIPPED: GSSAPI tests"
else
rm -f ns*/named.lock
rm -f ns1/example2.db
rm -f ns*/managed-keys.bind*
+rm -f nsupdate.out.*
+rm -f ns*/named.run.prev
};
key rndc_key {
- secret "1234abcd8765";
- algorithm @DEFAULT_HMAC@;
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
};
controls {
- inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
tls tls-example-primary {
zone "example" {
type secondary;
file "example.bk";
- allow-update-forwarding { any; };
+ allow-update-forwarding { 10.53.0.1; };
primaries { 10.53.0.1 tls ephemeral; };
};
zone "example2" {
type secondary;
file "example2.bk";
- allow-update-forwarding { any; };
+ allow-update-forwarding { 10.53.0.1; };
primaries { 10.53.0.1; };
};
zone "example3" {
type secondary;
file "example3.bk";
- allow-update-forwarding { any; };
+ allow-update-forwarding { 10.53.0.1; };
primaries {
10.53.0.1 tls tls-example-primary; // bad
10.53.0.1; // good
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ tls-port @TLSPORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on tls ephemeral { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ update-quota 1;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "example" {
+ type secondary;
+ file "example.bk";
+ allow-update-forwarding { any; };
+ primaries { 10.53.0.1; };
+};
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
-copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
if $FEATURETEST --enable-dnstap
then
echo_i "checking update forwarding of a zone (signed) (Do53 -> DoT) ($n)"
ret=0
$NSUPDATE -y "${DEFAULT_HMAC}:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K" -- - <<EOF || ret=1
+local 10.53.0.1
server 10.53.0.3 ${PORT}
update add updated.example. 600 A 10.10.10.1
update add updated.example. 600 TXT Foo
echo_i "checking update forwarding of a zone (signed) (DoT -> DoT) ($n)"
ret=0
$NSUPDATE -y "${DEFAULT_HMAC}:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K" -S -O -- - <<EOF || ret=1
+local 10.53.0.1
server 10.53.0.3 ${TLSPORT}
update add updated-dot.example. 600 A 10.10.10.1
update add updated-dot.example. 600 TXT Foo
echo_i "updating zone (unsigned) ($n)"
ret=0
$NSUPDATE -- - <<EOF || ret=1
+local 10.53.0.1
server 10.53.0.3 ${PORT}
update add unsigned.example. 600 A 10.10.10.1
update add unsigned.example. 600 TXT Foo
echo_i "checking update forwarding of a zone (signed) (Do53 -> DoT) ($n)"
ret=0
$NSUPDATE -y "${DEFAULT_HMAC}:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K" -- - <<EOF || ret=1
+local 10.53.0.1
server 10.53.0.3 ${PORT}
update add updated.example3. 600 A 10.10.10.1
update add updated.example3. 600 TXT Foo
do
(
$NSUPDATE -- - <<EOF
+local 10.53.0.1
server 10.53.0.3 ${PORT}
zone noprimary
update add unsigned.noprimary. 600 A 10.10.10.1
if test -f keyname
then
- echo_i "checking update forwarding to with sig0 (Do53 -> Do53) ($n)"
+ echo_i "checking update forwarding with sig0 (Do53 -> Do53) ($n)"
ret=0
keyname=`cat keyname`
$NSUPDATE -k $keyname.private -- - <<EOF
+ local 10.53.0.1
server 10.53.0.3 ${PORT}
zone example2
update add unsigned.example2. 600 A 10.10.10.1
n=`expr $n + 1`
fi
- echo_i "checking update forwarding to with sig0 (DoT -> Do53) ($n)"
+ echo_i "checking update forwarding with sig0 (DoT -> Do53) ($n)"
ret=0
keyname=`cat keyname`
$NSUPDATE -k $keyname.private -S -O -- - <<EOF
+ local 10.53.0.1
server 10.53.0.3 ${TLSPORT}
zone example2
update add unsigned-dot.example2. 600 A 10.10.10.1
fi
fi
+echo_i "attempting an update that should be rejected by ACL ($n)"
+ret=0
+{
+ $NSUPDATE -- - << EOF
+ local 10.53.0.2
+ server 10.53.0.3 ${PORT}
+ update add another.unsigned.example. 600 A 10.10.10.2
+ update add another.unsigned.example. 600 TXT Bar
+ send
+EOF
+} > nsupdate.out.$n 2>&1
+grep REFUSED nsupdate.out.$n > /dev/null || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+n=$((n + 1))
+ret=0
+echo_i "attempting updates that should exceed quota ($n)"
+# lower the update quota to 1.
+copy_setports ns3/named2.conf.in ns3/named.conf
+rndc_reconfig ns3 10.53.0.3
+nextpart ns3/named.run > /dev/null
+for loop in 1 2 3 4 5 6 7 8 9 10; do
+{
+ $NSUPDATE -- - > /dev/null 2>&1 <<END
+ local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ update add txt-$loop.unsigned.example 300 IN TXT Whatever
+ send
+END
+} &
+done
+wait_for_log 10 "too many DNS UPDATEs queued" ns3/named.run || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
projects / thirdparty / bind9.git / commitdiff
