; generate SERVFAIL
servfail NS ns.tld2.
+
+a-only.example A 1.2.3.4
+no-a-no-aaaa.example TXT placeholder
+a-plus-aaaa.example A 1.2.3.4
+a-plus-aaaa.example AAAA ::1
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 120 NS ns.
+ns. 120 A 10.53.0.1
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*
+ * DNS64 / RPZ server.
+ */
+
+options {
+ query-source address 10.53.0.9;
+ notify-source 10.53.0.9;
+ transfer-source 10.53.0.9;
+ port @PORT@;
+ pid-file "named.pid";
+ statistics-file "named.stats";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.9; };
+ listen-on-v6 { none; };
+ notify yes;
+ minimal-responses no;
+ recursion yes;
+ dnssec-validation yes;
+ dns64-server "example.localdomain.";
+ dns64 64:ff9b::/96 { };
+ response-policy {
+ zone "rpz";
+ }
+ qname-wait-recurse no ;
+
+ include "../dnsrps.conf";
+ notify-delay 0;
+};
+
+logging { category rpz { default_debug; }; };
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+controls {
+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+zone "." { type hint; file "hints"; };
+
+zone "rpz." {
+ type master;
+ file "rpz.db";
+ notify no;
+};
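Review bot: `qname-wait-recurse no ;` on the line after the response-policy block carries a stray space before the semicolon, unlike every other statement in this options block; make it `qname-wait-recurse no;`. The header comment says only "DNS64 / RPZ server.", which does not tell a reader why dns64 and response-policy are both enabled on one instance; since the rpz.db added in this commit rewrites the test names to `CNAME *.`, a header such as `/* DNS64 / RPZ server: exercises RPZ "CNAME *." (NODATA) rewrites on a DNS64-enabled resolver. */` would explain the pairing. The rndc_key secret is written inline and the controls statement uses `allow { any; }` for clients reaching 10.53.0.9; that appears to follow the other ns*/named.conf.in fixtures in this test, so a one-line comment marking the key as a test-only fixture is enough rather than a change.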
--- /dev/null
+rpz. 28800 IN SOA rpz. hostmaster.rpz. 6 10800 3600 2419200 900
+rpz. 28800 IN NS .
+a-only.example.rpz. 28800 IN CNAME *.
+no-a-no-aaaa.example.rpz. 28800 IN CNAME *.
+a-plus-aaaa.example.rpz. 28800 IN CNAME *.
copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named.conf.in ns7/named.conf
copy_setports ns8/named.conf.in ns8/named.conf
+copy_setports ns9/named.conf.in ns9/named.conf
copy_setports dnsrpzd.conf.in dnsrpzd.conf
grep "status: SERVFAIL" dig.out.$t > /dev/null || setret "failed"
fi
+ # RPZ 'CNAME *.' (NODATA) trumps DNS64. Test against various DNS64 senarios.
+ for label in a-only no-a-no-aaaa a-plus-aaaa
+ do
+ for type in AAAA A
+ do
+ t=`expr $t + 1`
+ case $label in
+ a-only)
+ echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with A-only (${t})"
+ ;;
+ no-a-no-aaaa)
+ echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with no A or AAAA (${t})"
+ ;;
+ a-plus-aaaa)
+ echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with A and AAAA (${t})"
+ ;;
+ esac
+ ret=0
+ $DIG ${label}.example -p ${PORT} $type @10.53.0.9 > dig.out.${t}
+ grep "status: NOERROR" dig.out.$t > /dev/null || ret=1
+ grep "ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2$" dig.out.$t > /dev/null || ret=1
+ grep "^rpz" dig.out.$t > /dev/null || ret=1
+ [ $ret -eq 0 ] || echo_i "failed"
+ status=`expr $status + $ret`
+ done
+ done
+
[ $status -ne 0 ] && pf=fail || pf=pass
case $mode in
native)