t=0
export DNSRPS_TEST_UPDATE_FILE=$(pwd)/dnsrps.cache
-DEBUG=
SAVE_RESULTS=
ARGS=
+if grep 'dnsrps-enable yes;' dnsrps.conf >/dev/null; then
+ MODE=dnsrps
+else
+ MODE=native
+fi
-USAGE="$0: [-xS]"
-while getopts "xS:" c; do
+USAGE="$0: [-S]"
+while getopts "S:" c; do
case $c in
- x)
- set -x
- DEBUG=-x
- ARGS="$ARGS -x"
- ;;
S)
SAVE_RESULTS=-S
ARGS="$ARGS -S"
# $2=DNS server IP address
FZONES=$(sed -n -e 's/^zone "\(.*\)".*\(10.53.0..\).*/Z=\1;M=\2/p' dnsrps.zones)
dnsrps_loaded() {
- test "$mode" = dnsrps || return 0
+ test "$MODE" = dnsrps || return 0
n=0
for V in $FZONES; do
eval "$V"
ck_soa() {
n=0
while true; do
- if test "$mode" = dnsrps; then
+ if test "$MODE" = dnsrps; then
get_sn_fast "$2"
test "$RSN" -eq "$1" && return
else
return 0
}
-resetstats() {
- NSDIR=$1
- eval "${NSDIR}_CNT=''"
-}
-
ckstats() {
HOST=$1
LABEL="$2"
# ensure that the fast-expire zone is populated before we begin testing
$RNDCCMD $ns3 retransfer fast-expire
-native=0
-dnsrps=0
-for mode in native dnsrps; do
- status=0
- case ${mode} in
- native)
- if [ -e dnsrps-only ]; then
- echo_i "'dnsrps-only' found: skipping native RPZ sub-test"
- continue
- else
- echo_i "running native RPZ sub-test"
- fi
- ;;
- dnsrps)
- if [ -e dnsrps-off ]; then
- echo_i "'dnsrps-off' found: skipping DNSRPS sub-test"
- continue
- fi
- echo_i "attempting to configure servers with DNSRPS..."
- stop_server --use-rndc --port ${CONTROLPORT}
- $SHELL ./setup.sh -N -D $DEBUG
- for server in ns*; do
- resetstats $server
- done
- sed -n 's/^## //p' dnsrps.conf | cat_i
- if grep '^#fail' dnsrps.conf >/dev/null; then
- echo_i "exit status: 1"
- exit 1
- fi
- if grep '^#skip' dnsrps.conf >/dev/null; then
- echo_i "DNSRPS sub-test skipped"
- continue
- else
- echo_i "running DNSRPS sub-test"
- start_server --noclean --restart --port ${PORT}
- sleep 3
- fi
- ;;
- esac
-
- # make prototype files to check against rewritten results
- retry_quiet 10 make_proto_nxdomain
- retry_quiet 10 make_proto_nodata
-
- start_group "QNAME rewrites" test1
-
- nochange . # 1 do not crash or rewrite root
- nxdomain a0-1.tld2 # 2
- nodata a3-1.tld2 # 3
- nodata a3-2.tld2 # 4 nodata at DNAME itself
- nochange sub.a3-2.tld2 # 5 miss where DNAME might work
- nxdomain a4-2.tld2 # 6 rewrite based on CNAME target
- nxdomain a4-2-cname.tld2 # 7
- nodata a4-3-cname.tld2 # 8
- addr 12.12.12.12 a4-1.sub1.tld2 # 9 A replacement
- addr 12.12.12.12 a4-1.sub2.tld2 # 10 A replacement with wildcard
- addr 12.12.12.12 nxc1.sub1.tld2 # 11 replace NXDOMAIN with CNAME
- addr 12.12.12.12 nxc2.sub1.tld2 # 12 replace NXDOMAIN with CNAME chain
- addr 127.4.4.1 a4-4.tld2 # 13 prefer 1st conflicting QNAME zone
- nochange a6-1.tld2 # 14
- addr 127.6.2.1 a6-2.tld2 # 15
- addr 56.56.56.56 a3-6.tld2 # 16 wildcard CNAME
- addr 57.57.57.57 a3-7.sub1.tld2 # 17 wildcard CNAME
- addr 127.0.0.16 a4-5-cname3.tld2 # 18 CNAME chain
- addr 127.0.0.17 a4-6-cname3.tld2 # 19 stop short in CNAME chain
- nochange a5-2.tld2 +norecurse # 20 check that RD=1 is required
- nochange a5-3.tld2 +norecurse # 21
- nochange a5-4.tld2 +norecurse # 22
- nochange sub.a5-4.tld2 +norecurse # 23
- nxdomain c1.crash2.tld3 # 24 assert in rbtdb.c
- nxdomain a0-1.tld2 +dnssec # 25 simple DO=1 without signatures
- nxdomain a0-1.tld2s +nodnssec # 26 simple DO=0 with signatures
- nochange a0-1.tld2s +dnssec # 27 simple DO=1 with signatures
- nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain
- nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain
- nochange a0-1.tld2s srv +auth +dnssec # 30 no write for DNSSEC and no record
- nxdomain a0-1.tld2s srv +nodnssec # 31
- drop a3-8.tld2 any # 32 drop
- nochange TCP a3-9.tld2 # 33 tcp-only
- here x.servfail <<'EOF' # 34 qname-wait-recurse yes
+# make prototype files to check against rewritten results
+retry_quiet 10 make_proto_nxdomain
+retry_quiet 10 make_proto_nodata
+
+start_group "QNAME rewrites" test1
+
+nochange . # 1 do not crash or rewrite root
+nxdomain a0-1.tld2 # 2
+nodata a3-1.tld2 # 3
+nodata a3-2.tld2 # 4 nodata at DNAME itself
+nochange sub.a3-2.tld2 # 5 miss where DNAME might work
+nxdomain a4-2.tld2 # 6 rewrite based on CNAME target
+nxdomain a4-2-cname.tld2 # 7
+nodata a4-3-cname.tld2 # 8
+addr 12.12.12.12 a4-1.sub1.tld2 # 9 A replacement
+addr 12.12.12.12 a4-1.sub2.tld2 # 10 A replacement with wildcard
+addr 12.12.12.12 nxc1.sub1.tld2 # 11 replace NXDOMAIN with CNAME
+addr 12.12.12.12 nxc2.sub1.tld2 # 12 replace NXDOMAIN with CNAME chain
+addr 127.4.4.1 a4-4.tld2 # 13 prefer 1st conflicting QNAME zone
+nochange a6-1.tld2 # 14
+addr 127.6.2.1 a6-2.tld2 # 15
+addr 56.56.56.56 a3-6.tld2 # 16 wildcard CNAME
+addr 57.57.57.57 a3-7.sub1.tld2 # 17 wildcard CNAME
+addr 127.0.0.16 a4-5-cname3.tld2 # 18 CNAME chain
+addr 127.0.0.17 a4-6-cname3.tld2 # 19 stop short in CNAME chain
+nochange a5-2.tld2 +norecurse # 20 check that RD=1 is required
+nochange a5-3.tld2 +norecurse # 21
+nochange a5-4.tld2 +norecurse # 22
+nochange sub.a5-4.tld2 +norecurse # 23
+nxdomain c1.crash2.tld3 # 24 assert in rbtdb.c
+nxdomain a0-1.tld2 +dnssec # 25 simple DO=1 without signatures
+nxdomain a0-1.tld2s +nodnssec # 26 simple DO=0 with signatures
+nochange a0-1.tld2s +dnssec # 27 simple DO=1 with signatures
+nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain
+nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain
+nochange a0-1.tld2s srv +auth +dnssec # 30 no write for DNSSEC and no record
+nxdomain a0-1.tld2s srv +nodnssec # 31
+drop a3-8.tld2 any # 32 drop
+nochange TCP a3-9.tld2 # 33 tcp-only
+here x.servfail <<'EOF' # 34 qname-wait-recurse yes
;; status: SERVFAIL, x
EOF
- addr 35.35.35.35 "x.servfail @$ns5" # 35 qname-wait-recurse no
- end_group
- ckstats $ns3 test1 ns3 22
- ckstats $ns5 test1 ns5 1
- ckstats $ns6 test1 ns6 0
-
- start_group "NXDOMAIN/NODATA action on QNAME trigger" test1
- nxdomain a0-1.tld2 @$ns6 # 1
- nodata a3-1.tld2 @$ns6 # 2
- nodata a3-2.tld2 @$ns6 # 3 nodata at DNAME itself
- nxdomain a4-2.tld2 @$ns6 # 4 rewrite based on CNAME target
- nxdomain a4-2-cname.tld2 @$ns6 # 5
- nodata a4-3-cname.tld2 @$ns6 # 6
- addr 12.12.12.12 "a4-1.sub1.tld2 @$ns6" # 7 A replacement
- addr 12.12.12.12 "a4-1.sub2.tld2 @$ns6" # 8 A replacement with wildcard
- addr 127.4.4.1 "a4-4.tld2 @$ns6" # 9 prefer 1st conflicting QNAME zone
- addr 12.12.12.12 "nxc1.sub1.tld2 @$ns6" # 10 replace NXDOMAIN w/ CNAME
- addr 12.12.12.12 "nxc2.sub1.tld2 @$ns6" # 11 replace NXDOMAIN w/ CNAME chain
- addr 127.6.2.1 "a6-2.tld2 @$ns6" # 12
- addr 56.56.56.56 "a3-6.tld2 @$ns6" # 13 wildcard CNAME
- addr 57.57.57.57 "a3-7.sub1.tld2 @$ns6" # 14 wildcard CNAME
- addr 127.0.0.16 "a4-5-cname3.tld2 @$ns6" # 15 CNAME chain
- addr 127.0.0.17 "a4-6-cname3.tld2 @$ns6" # 16 stop short in CNAME chain
- nxdomain c1.crash2.tld3 @$ns6 # 17 assert in rbtdb.c
- nxdomain a0-1.tld2 +dnssec @$ns6 # 18 simple DO=1 without sigs
- nxdomain a0-1s-cname.tld2s +dnssec @$ns6 # 19
- drop a3-8.tld2 any @$ns6 # 20 drop
- end_group
- ckstatsrange $ns3 test1 ns3 22 30
- ckstats $ns5 test1 ns5 0
- ckstats $ns6 test1 ns6 0
-
- start_group "IP rewrites" test2
- nodata a3-1.tld2 # 1 NODATA
- nochange a3-2.tld2 # 2 no policy record so no change
- nochange a4-1.tld2 # 3 obsolete PASSTHRU record style
- nxdomain a4-2.tld2 # 4
- nochange a4-2.tld2 -taaaa # 5 no A => no policy rewrite
- nochange a4-2.tld2 -ttxt # 6 no A => no policy rewrite
- nxdomain a4-2.tld2 -tany # 7 no A => no policy rewrite
- nodata a4-3.tld2 # 8
- nxdomain a3-1.tld2 -taaaa # 9 IPv6 policy
- nochange a4-1-aaaa.tld2 -taaaa # 10
- addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address
- addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone
- nochange a5-4.tld2 +norecurse # 13 check that RD=1 is required for #14
- addr 14.14.14.14 a5-4.tld2 # 14 prefer QNAME to IP
- nochange a4-4.tld2 # 15 PASSTHRU
- nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c
- addr 127.0.0.17 "a4-4.tld2 -b $ns1" # 17 client-IP address trigger
- nxdomain a7-1.tld2 # 18 secondary policy zone (RT34450)
- # updating an response zone policy
- cp ns2/blv2.tld2.db.in ns2/bl.tld2.db
- rndc_reload ns2 $ns2 bl.tld2
- add_librpz_rule "update zone bl.tld2 1 inc"
- ck_soa 2 bl.tld2 $ns3
- add_librpz_rule "wipe"
- produce_librpz_rules ns2 bl.tld2 bl.tld2
- nochange a7-1.tld2 # 19 PASSTHRU
- # ensure that a clock tick has occurred so that named will do the reload
- sleep 1
- cp ns2/blv3.tld2.db.in ns2/bl.tld2.db
- rndc_reload ns2 $ns2 bl.tld2
- add_librpz_rule "update zone bl.tld2 1 inc"
- ck_soa 3 bl.tld2 $ns3
- produce_librpz_rules ns2 bl.tld2 bl.tld2
- nxdomain a7-1.tld2 # 20 secondary policy zone (RT34450)
- end_group
- ckstats $ns3 test2 ns3 12
-
- # check that IP addresses for previous group were deleted from the radix tree
- start_group "radix tree deletions"
- nochange a3-1.tld2
- nochange a3-2.tld2
- nochange a4-1.tld2
- nochange a4-2.tld2
- nochange a4-2.tld2 -taaaa
- nochange a4-2.tld2 -ttxt
- nochange a4-2.tld2 -tany
- nochange a4-3.tld2
- nochange a3-1.tld2 -tAAAA
- nochange a4-1-aaaa.tld2 -tAAAA
- nochange a5-1-2.tld2
- end_group
- ckstats $ns3 'radix tree deletions' ns3 0
-
- # these tests assume "min-ns-dots 0"
- start_group "NSDNAME rewrites" test3
- nextpart ns3/named.run >/dev/null
- nochange a3-1.tld2 # 1
- nochange a3-1.tld2 +dnssec # 2 this once caused problems
- nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME
- nxdomain a3-1.subsub.sub1.tld2 # 4
- nxdomain a3-1.subsub.sub1.tld2 -tany # 5
- addr 12.12.12.12 a4-2.subsub.sub2.tld2 # 6 walled garden for *.sub2.tld2
- nochange a3-2.tld2. # 7 exempt rewrite by name
- nochange a0-1.tld2. # 8 exempt rewrite by address block
- addr 12.12.12.12 a4-1.tld2 # 9 prefer QNAME policy to NSDNAME
- addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME
- addr 127.0.0.2 a3-1.subsub.sub3.tld2 # 11
- nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash
-
- nxdomain a3-1.stub # 13
- nxdomain a3-1.static-stub # 14
- nochange_ns10 a3-1.stub-nomatch # 15
- nochange_ns10 a3-1.static-stub-nomatch # 16
- nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" \
- && setret "seen: unrecognized NS rpz_rrset_find() failed: glue"
- end_group
- ckstats $ns3 test3 ns3 9
-
- # these tests assume "min-ns-dots 0"
- start_group "NSIP rewrites" test4
- nextpart ns3/named.run >/dev/null
- nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2
- nochange a3-2.tld2. # 2 exempt rewrite by name
- nochange a0-1.tld2. # 3 exempt rewrite by address block
- nochange a3-1.tld4 # 4 different NS IP address
- nxdomain a4-1.stub # 5
- nxdomain a4-1.static-stub # 6
- nochange_ns10 a4-1.stub-nomatch # 7
- nochange_ns10 a4-1.static-stub-nomatch # 8
- nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" \
- && setret "seen: unrecognized NS rpz_rrset_find() failed: glue"
- end_group
-
- start_group "walled garden NSIP rewrites" test4a
- addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2
- addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2
- here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2
+addr 35.35.35.35 "x.servfail @$ns5" # 35 qname-wait-recurse no
+end_group
+ckstats $ns3 test1 ns3 22
+ckstats $ns5 test1 ns5 1
+ckstats $ns6 test1 ns6 0
+
+start_group "NXDOMAIN/NODATA action on QNAME trigger" test1
+nxdomain a0-1.tld2 @$ns6 # 1
+nodata a3-1.tld2 @$ns6 # 2
+nodata a3-2.tld2 @$ns6 # 3 nodata at DNAME itself
+nxdomain a4-2.tld2 @$ns6 # 4 rewrite based on CNAME target
+nxdomain a4-2-cname.tld2 @$ns6 # 5
+nodata a4-3-cname.tld2 @$ns6 # 6
+addr 12.12.12.12 "a4-1.sub1.tld2 @$ns6" # 7 A replacement
+addr 12.12.12.12 "a4-1.sub2.tld2 @$ns6" # 8 A replacement with wildcard
+addr 127.4.4.1 "a4-4.tld2 @$ns6" # 9 prefer 1st conflicting QNAME zone
+addr 12.12.12.12 "nxc1.sub1.tld2 @$ns6" # 10 replace NXDOMAIN w/ CNAME
+addr 12.12.12.12 "nxc2.sub1.tld2 @$ns6" # 11 replace NXDOMAIN w/ CNAME chain
+addr 127.6.2.1 "a6-2.tld2 @$ns6" # 12
+addr 56.56.56.56 "a3-6.tld2 @$ns6" # 13 wildcard CNAME
+addr 57.57.57.57 "a3-7.sub1.tld2 @$ns6" # 14 wildcard CNAME
+addr 127.0.0.16 "a4-5-cname3.tld2 @$ns6" # 15 CNAME chain
+addr 127.0.0.17 "a4-6-cname3.tld2 @$ns6" # 16 stop short in CNAME chain
+nxdomain c1.crash2.tld3 @$ns6 # 17 assert in rbtdb.c
+nxdomain a0-1.tld2 +dnssec @$ns6 # 18 simple DO=1 without sigs
+nxdomain a0-1s-cname.tld2s +dnssec @$ns6 # 19
+drop a3-8.tld2 any @$ns6 # 20 drop
+end_group
+ckstatsrange $ns3 test1 ns3 22 30
+ckstats $ns5 test1 ns5 0
+ckstats $ns6 test1 ns6 0
+
+start_group "IP rewrites" test2
+nodata a3-1.tld2 # 1 NODATA
+nochange a3-2.tld2 # 2 no policy record so no change
+nochange a4-1.tld2 # 3 obsolete PASSTHRU record style
+nxdomain a4-2.tld2 # 4
+nochange a4-2.tld2 -taaaa # 5 no A => no policy rewrite
+nochange a4-2.tld2 -ttxt # 6 no A => no policy rewrite
+nxdomain a4-2.tld2 -tany # 7 no A => no policy rewrite
+nodata a4-3.tld2 # 8
+nxdomain a3-1.tld2 -taaaa # 9 IPv6 policy
+nochange a4-1-aaaa.tld2 -taaaa # 10
+addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address
+addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone
+nochange a5-4.tld2 +norecurse # 13 check that RD=1 is required for #14
+addr 14.14.14.14 a5-4.tld2 # 14 prefer QNAME to IP
+nochange a4-4.tld2 # 15 PASSTHRU
+nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c
+addr 127.0.0.17 "a4-4.tld2 -b $ns1" # 17 client-IP address trigger
+nxdomain a7-1.tld2 # 18 secondary policy zone (RT34450)
+# updating an response zone policy
+cp ns2/blv2.tld2.db.in ns2/bl.tld2.db
+rndc_reload ns2 $ns2 bl.tld2
+add_librpz_rule "update zone bl.tld2 1 inc"
+ck_soa 2 bl.tld2 $ns3
+add_librpz_rule "wipe"
+produce_librpz_rules ns2 bl.tld2 bl.tld2
+nochange a7-1.tld2 # 19 PASSTHRU
+# ensure that a clock tick has occurred so that named will do the reload
+sleep 1
+cp ns2/blv3.tld2.db.in ns2/bl.tld2.db
+rndc_reload ns2 $ns2 bl.tld2
+add_librpz_rule "update zone bl.tld2 1 inc"
+ck_soa 3 bl.tld2 $ns3
+produce_librpz_rules ns2 bl.tld2 bl.tld2
+nxdomain a7-1.tld2 # 20 secondary policy zone (RT34450)
+end_group
+ckstats $ns3 test2 ns3 12
+
+# check that IP addresses for previous group were deleted from the radix tree
+start_group "radix tree deletions"
+nochange a3-1.tld2
+nochange a3-2.tld2
+nochange a4-1.tld2
+nochange a4-2.tld2
+nochange a4-2.tld2 -taaaa
+nochange a4-2.tld2 -ttxt
+nochange a4-2.tld2 -tany
+nochange a4-3.tld2
+nochange a3-1.tld2 -tAAAA
+nochange a4-1-aaaa.tld2 -tAAAA
+nochange a5-1-2.tld2
+end_group
+ckstats $ns3 'radix tree deletions' ns3 0
+
+# these tests assume "min-ns-dots 0"
+start_group "NSDNAME rewrites" test3
+nextpart ns3/named.run >/dev/null
+nochange a3-1.tld2 # 1
+nochange a3-1.tld2 +dnssec # 2 this once caused problems
+nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME
+nxdomain a3-1.subsub.sub1.tld2 # 4
+nxdomain a3-1.subsub.sub1.tld2 -tany # 5
+addr 12.12.12.12 a4-2.subsub.sub2.tld2 # 6 walled garden for *.sub2.tld2
+nochange a3-2.tld2. # 7 exempt rewrite by name
+nochange a0-1.tld2. # 8 exempt rewrite by address block
+addr 12.12.12.12 a4-1.tld2 # 9 prefer QNAME policy to NSDNAME
+addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME
+addr 127.0.0.2 a3-1.subsub.sub3.tld2 # 11
+nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash
+
+nxdomain a3-1.stub # 13
+nxdomain a3-1.static-stub # 14
+nochange_ns10 a3-1.stub-nomatch # 15
+nochange_ns10 a3-1.static-stub-nomatch # 16
+nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" \
+ && setret "seen: unrecognized NS rpz_rrset_find() failed: glue"
+end_group
+ckstats $ns3 test3 ns3 9
+
+# these tests assume "min-ns-dots 0"
+start_group "NSIP rewrites" test4
+nextpart ns3/named.run >/dev/null
+nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2
+nochange a3-2.tld2. # 2 exempt rewrite by name
+nochange a0-1.tld2. # 3 exempt rewrite by address block
+nochange a3-1.tld4 # 4 different NS IP address
+nxdomain a4-1.stub # 5
+nxdomain a4-1.static-stub # 6
+nochange_ns10 a4-1.stub-nomatch # 7
+nochange_ns10 a4-1.static-stub-nomatch # 8
+nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" \
+ && setret "seen: unrecognized NS rpz_rrset_find() failed: glue"
+end_group
+
+start_group "walled garden NSIP rewrites" test4a
+addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2
+addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2
+here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2
;; status: NOERROR, x
a3-1.tld2. x IN TXT "NSIP walled garden"
EOF
- end_group
- ckstats $ns3 test4 ns3 6
-
- # policies in ./test5 overridden by response-policy{} in ns3/named.conf
- # and in ns5/named.conf
- start_group "policy overrides" test5
- addr 127.0.0.1 a3-1.tld2 # 1 bl-given
- nochange a3-2.tld2 # 2 bl-passthru
- nochange a3-3.tld2 # 3 bl-no-op (obsolete for passthru)
- nochange a3-4.tld2 # 4 bl-disabled
- nodata a3-5.tld2 # 5 bl-nodata zone recursive-only no
- nodata a3-5.tld2 +norecurse # 6 bl-nodata zone recursive-only no
- nodata a3-5.tld2 # 7 bl-nodata not needed
- nxdomain a3-5.tld2 +norecurse @$ns5 # 8 bl-nodata global recursive-only no
- nxdomain a3-5.tld2s @$ns5 # 9 bl-nodata global break-dnssec
- nxdomain a3-5.tld2s +dnssec @$ns5 # 10 bl-nodata global break-dnssec
- nxdomain a3-6.tld2 # 11 bl-nxdomain
- here a3-7.tld2 -tany <<'EOF' # 12
+end_group
+ckstats $ns3 test4 ns3 6
+
+# policies in ./test5 overridden by response-policy{} in ns3/named.conf
+# and in ns5/named.conf
+start_group "policy overrides" test5
+addr 127.0.0.1 a3-1.tld2 # 1 bl-given
+nochange a3-2.tld2 # 2 bl-passthru
+nochange a3-3.tld2 # 3 bl-no-op (obsolete for passthru)
+nochange a3-4.tld2 # 4 bl-disabled
+nodata a3-5.tld2 # 5 bl-nodata zone recursive-only no
+nodata a3-5.tld2 +norecurse # 6 bl-nodata zone recursive-only no
+nodata a3-5.tld2 # 7 bl-nodata not needed
+nxdomain a3-5.tld2 +norecurse @$ns5 # 8 bl-nodata global recursive-only no
+nxdomain a3-5.tld2s @$ns5 # 9 bl-nodata global break-dnssec
+nxdomain a3-5.tld2s +dnssec @$ns5 # 10 bl-nodata global break-dnssec
+nxdomain a3-6.tld2 # 11 bl-nxdomain
+here a3-7.tld2 -tany <<'EOF' # 12
;; status: NOERROR, x
a3-7.tld2. x IN CNAME txt-only.tld2.
txt-only.tld2. x IN TXT "txt-only-tld2"
EOF
- addr 58.58.58.58 a3-8.tld2 # 13 bl_wildcname
- addr 59.59.59.59 a3-9.sub9.tld2 # 14 bl_wildcname
- addr 12.12.12.12 a3-15.tld2 # 15 bl-garden via CNAME to a12.tld2
- addr 127.0.0.16 a3-16.tld2 100 # 16 bl max-policy-ttl 100
- addr 17.17.17.17 "a3-17.tld2 @$ns5" 90 # 17 ns5 bl max-policy-ttl 90
- drop a3-18.tld2 any # 18 bl-drop
- nxdomain TCP a3-19.tld2 # 19 bl-tcp-only
- end_group
- ckstats $ns3 test5 ns3 12
- ckstats $ns5 test5 ns5 4
-
- # check that miscellaneous bugs are still absent
- add_librpz_rule "wipe"
- start_group "crashes" test6
- for Q in RRSIG SIG ANY 'ANY +dnssec'; do
- nocrash a3-1.tld2 -t$Q
- nocrash a3-2.tld2 -t$Q
- nocrash a3-5.tld2 -t$Q
- nocrash www.redirect -t$Q
- nocrash www.credirect -t$Q
- done
-
- # This is not a bug, because any data leaked by writing 24.4.3.2.10.rpz-ip
- # (or whatever) is available by publishing "foo A 10.2.3.4" and then
- # resolving foo.
- # nxdomain 32.3.2.1.127.rpz-ip
- end_group
- ckstats $ns3 bugs ns3 8
-
- # superficial test for major performance bugs
- QPERF=$(sh qperf.sh)
- if test -n "$QPERF"; then
- perf() {
- date "+${TS}checking performance $1" | cat_i
- # Dry run to prime everything
- comment "before dry run $1"
- $RNDCCMD $ns5 notrace
- $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p ${PORT} >/dev/null
- comment "before real test $1"
- PFILE="ns5/$2.perf"
- $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p ${PORT} >$PFILE
- comment "after test $1"
- X=$(sed -n -e 's/.*Returned *\([^ ]*:\) *\([0-9]*\) .*/\1\2/p' $PFILE \
- | tr '\n' ' ')
- if test "$X" != "$3"; then
- setret "wrong results '$X' in $PFILE"
- fi
- ckalive $ns5 "failed; server #5 crashed"
- }
- trim() {
- sed -n -e 's/.*Queries per second: *\([0-9]*\).*/\1/p' ns5/$1.perf
- }
-
- # get qps with rpz
- perf 'with RPZ' rpz 'NOERROR:2900 NXDOMAIN:100 '
- RPZ=$(trim rpz)
- # turn off rpz and measure qps again
- echo "# RPZ off" >ns5/rpz-switch
- RNDCCMD_OUT=$($RNDCCMD $ns5 reload)
- perf 'without RPZ' norpz 'NOERROR:3000 '
- NORPZ=$(trim norpz)
-
- PERCENT=$(((RPZ * 100 + (NORPZ / 2)) / NORPZ))
- echo_i "$RPZ qps with RPZ is $PERCENT% of $NORPZ qps without RPZ"
-
- MIN_PERCENT=30
- if test "$PERCENT" -lt $MIN_PERCENT; then
- echo_i "$RPZ qps with rpz or $PERCENT% is below $MIN_PERCENT% of $NORPZ qps"
- fi
+addr 58.58.58.58 a3-8.tld2 # 13 bl_wildcname
+addr 59.59.59.59 a3-9.sub9.tld2 # 14 bl_wildcname
+addr 12.12.12.12 a3-15.tld2 # 15 bl-garden via CNAME to a12.tld2
+addr 127.0.0.16 a3-16.tld2 100 # 16 bl max-policy-ttl 100
+addr 17.17.17.17 "a3-17.tld2 @$ns5" 90 # 17 ns5 bl max-policy-ttl 90
+drop a3-18.tld2 any # 18 bl-drop
+nxdomain TCP a3-19.tld2 # 19 bl-tcp-only
+end_group
+ckstats $ns3 test5 ns3 12
+ckstats $ns5 test5 ns5 4
+
+# check that miscellaneous bugs are still absent
+add_librpz_rule "wipe"
+start_group "crashes" test6
+for Q in RRSIG SIG ANY 'ANY +dnssec'; do
+ nocrash a3-1.tld2 -t$Q
+ nocrash a3-2.tld2 -t$Q
+ nocrash a3-5.tld2 -t$Q
+ nocrash www.redirect -t$Q
+ nocrash www.credirect -t$Q
+done
- if test "$PERCENT" -ge 100; then
- echo_i "$RPZ qps with RPZ or $PERCENT% of $NORPZ qps without RPZ is too high"
+# This is not a bug, because any data leaked by writing 24.4.3.2.10.rpz-ip
+# (or whatever) is available by publishing "foo A 10.2.3.4" and then
+# resolving foo.
+# nxdomain 32.3.2.1.127.rpz-ip
+end_group
+ckstats $ns3 bugs ns3 8
+
+# superficial test for major performance bugs
+QPERF=$(sh qperf.sh)
+if test -n "$QPERF"; then
+ perf() {
+ date "+${TS}checking performance $1" | cat_i
+ # Dry run to prime everything
+ comment "before dry run $1"
+ $RNDCCMD $ns5 notrace
+ $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p ${PORT} >/dev/null
+ comment "before real test $1"
+ PFILE="ns5/$2.perf"
+ $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p ${PORT} >$PFILE
+ comment "after test $1"
+ X=$(sed -n -e 's/.*Returned *\([^ ]*:\) *\([0-9]*\) .*/\1\2/p' $PFILE \
+ | tr '\n' ' ')
+ if test "$X" != "$3"; then
+ setret "wrong results '$X' in $PFILE"
fi
-
- ckstats $ns5 performance ns5 200
-
- else
- echo_i "performance not checked; queryperf not available"
+ ckalive $ns5 "failed; server #5 crashed"
+ }
+ trim() {
+ sed -n -e 's/.*Queries per second: *\([0-9]*\).*/\1/p' ns5/$1.perf
+ }
+
+ # get qps with rpz
+ perf 'with RPZ' rpz 'NOERROR:2900 NXDOMAIN:100 '
+ RPZ=$(trim rpz)
+ # turn off rpz and measure qps again
+ echo "# RPZ off" >ns5/rpz-switch
+ RNDCCMD_OUT=$($RNDCCMD $ns5 reload)
+ perf 'without RPZ' norpz 'NOERROR:3000 '
+ NORPZ=$(trim norpz)
+
+ PERCENT=$(((RPZ * 100 + (NORPZ / 2)) / NORPZ))
+ echo_i "$RPZ qps with RPZ is $PERCENT% of $NORPZ qps without RPZ"
+
+ MIN_PERCENT=30
+ if test "$PERCENT" -lt $MIN_PERCENT; then
+ echo_i "$RPZ qps with rpz or $PERCENT% is below $MIN_PERCENT% of $NORPZ qps"
fi
- # Ensure ns3 manages to transfer the fast-expire zone before shutdown.
- nextpartreset ns3/named.run
- wait_for_log 20 "zone fast-expire/IN: transferred serial 1" ns3/named.run
-
- # reconfigure the ns5 primary server without the fast-expire zone, so
- # it can't be refreshed on ns3, and will expire in 5 seconds.
- cat /dev/null >ns5/expire.conf
- rndc_reconfig ns5 10.53.0.5
-
- # restart the main test RPZ server to see if that creates a core file
- if test -z "$HAVE_CORE"; then
- stop_server --use-rndc --port ${CONTROLPORT} ns3
- add_librpz_rule "restart"
- restart 3 "rebuild-bl-rpz"
- HAVE_CORE=$(find ns* -name '*core*' -print)
- test -z "$HAVE_CORE" || setret "found $HAVE_CORE; memory leak?"
+ if test "$PERCENT" -ge 100; then
+ echo_i "$RPZ qps with RPZ or $PERCENT% of $NORPZ qps without RPZ is too high"
fi
- # look for complaints from lib/dns/rpz.c and bin/name/query.c
- for runfile in ns*/named.run; do
- EMSGS=$(nextpart $runfile | grep -E -l 'invalid rpz|rpz.*failed' || true)
- if test -n "$EMSGS"; then
- setret "error messages in $runfile starting with:"
- grep -E 'invalid rpz|rpz.*failed' ns*/named.run \
- | sed -e '10,$d' -e 's/^//' | cat_i
- fi
- done
-
- if [ native = "$mode" ]; then
- # restart the main test RPZ server with a bad zone.
- t=$((t + 1))
- echo_i "checking that ns3 with broken rpz does not crash (${t})"
- stop_server --use-rndc --port ${CONTROLPORT} ns3
- cp ns3/broken.db.in ns3/bl.db
- restart 3 # do not rebuild rpz zones
- nocrash a3-1.tld2 -tA
- stop_server --use-rndc --port ${CONTROLPORT} ns3
- restart 3 "rebuild-bl-rpz"
-
- t=$((t + 1))
- echo_i "checking if rpz survives a certain class of failed reconfiguration attempts (${t})"
- sed -e "s/^#BAD//" <ns3/named.conf.in >ns3/named.conf.tmp
- copy_setports ns3/named.conf.tmp ns3/named.conf
- rm ns3/named.conf.tmp
- $RNDCCMD $ns3 reconfig >/dev/null 2>&1 && setret "failed"
- sleep 1
- copy_setports ns3/named.conf.in ns3/named.conf
- $RNDCCMD $ns3 reconfig || setret "failed"
+ ckstats $ns5 performance ns5 200
- t=$((t + 1))
- echo_i "checking the configured extended DNS error code (EDE) (${t})"
- $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t || setret "failed"
- grep -F "EDE: 4 (Forged Answer)" dig.out.$t >/dev/null || setret "failed"
-
- # reload a RPZ zone that is now deliberately broken.
- t=$((t + 1))
- echo_i "checking rpz failed update will keep previous rpz rules (${t})"
- $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t.before || setret "failed"
- grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.before >/dev/null || setret "failed"
- cp ns3/broken.db.in ns3/manual-update-rpz.db
- rndc_reload ns3 $ns3 manual-update-rpz
- sleep 1
- # ensure previous RPZ rules still apply.
- $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t.after || setret "failed"
- grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.after >/dev/null || setret "failed"
+else
+ echo_i "performance not checked; queryperf not available"
+fi
- t=$((t + 1))
- echo_i "checking the default (unset) extended DNS error code (EDE) (${t})"
- $DIG -p ${PORT} @$ns3 a6-2.tld2. A >dig.out.$t || setret "failed"
- grep -F "EDE: " dig.out.$t >/dev/null && setret "failed"
+# Ensure ns3 manages to transfer the fast-expire zone before shutdown.
+nextpartreset ns3/named.run
+wait_for_log 20 "zone fast-expire/IN: transferred serial 1" ns3/named.run
+
+# reconfigure the ns5 primary server without the fast-expire zone, so
+# it can't be refreshed on ns3, and will expire in 5 seconds.
+cat /dev/null >ns5/expire.conf
+rndc_reconfig ns5 10.53.0.5
+
+# restart the main test RPZ server to see if that creates a core file
+if test -z "$HAVE_CORE"; then
+ stop_server --use-rndc --port ${CONTROLPORT} ns3
+ add_librpz_rule "restart"
+ restart 3 "rebuild-bl-rpz"
+ HAVE_CORE=$(find ns* -name '*core*' -print)
+ test -z "$HAVE_CORE" || setret "found $HAVE_CORE; memory leak?"
+fi
- t=$((t + 1))
- echo_i "checking reload of a mixed-case RPZ zone (${t})"
- # First, a sanity check: the A6-2.TLD2.mixed-case-rpz RPZ record should
- # cause a6-2.tld2 NOERROR answers to be rewritten to NXDOMAIN answers.
- $DIG -p ${PORT} @$ns3 a6-2.tld2. A >dig.out.$t.before || setret "failed"
- grep "status: NXDOMAIN" dig.out.$t.before >/dev/null || setret "failed"
- # Add a sibling name (a6-1.tld2.mixed-case-rpz, with "tld2" in lowercase
- # rather than uppercase) before A6-2.TLD.mixed-case-rpz.
- nextpart ns3/named.run >/dev/null
- cp ns3/mixed-case-rpz-2.db.in ns3/mixed-case-rpz.db
- rndc_reload ns3 $ns3 mixed-case-rpz
- wait_for_log 20 "rpz: mixed-case-rpz: reload done" ns3/named.run
- # a6-2.tld2 NOERROR answers should still be rewritten to NXDOMAIN answers.
- # (The bug we try to trigger here caused a6-2.tld2.mixed-case-rpz to be
- # erroneously removed from the summary RPZ database after reload.)
- $DIG -p ${PORT} @$ns3 a6-2.tld2. A >dig.out.$t.after || setret "failed"
- grep "status: NXDOMAIN" dig.out.$t.after >/dev/null || setret "failed"
+# look for complaints from lib/dns/rpz.c and bin/name/query.c
+for runfile in ns*/named.run; do
+ EMSGS=$(nextpart $runfile | grep -E -l 'invalid rpz|rpz.*failed' || true)
+ if test -n "$EMSGS"; then
+ setret "error messages in $runfile starting with:"
+ grep -E 'invalid rpz|rpz.*failed' ns*/named.run \
+ | sed -e '10,$d' -e 's/^//' | cat_i
fi
+done
+if [ native = "$MODE" ]; then
+ # restart the main test RPZ server with a bad zone.
t=$((t + 1))
- echo_i "checking that ttl values are not zeroed when qtype is '*' (${t})"
- $DIG +noall +answer -p ${PORT} @$ns3 any a3-2.tld2 >dig.out.$t || setret "failed"
- ttl=$(awk '/a3-2 tld2 text/ {print $2}' dig.out.$t)
- if test ${ttl:=0} -eq 0; then setret "failed"; fi
+ echo_i "checking that ns3 with broken rpz does not crash (${t})"
+ stop_server --use-rndc --port ${CONTROLPORT} ns3
+ cp ns3/broken.db.in ns3/bl.db
+ restart 3 # do not rebuild rpz zones
+ nocrash a3-1.tld2 -tA
+ stop_server --use-rndc --port ${CONTROLPORT} ns3
+ restart 3 "rebuild-bl-rpz"
t=$((t + 1))
- echo_i "checking rpz updates/transfers with parent nodes added after children (${t})"
- # regression test for RT #36272: the success condition
- # is the secondary server not crashing.
- for i in 1 2 3 4 5; do
- nsd $ns5 add example.com.policy1. '*.example.com.policy1.'
- nsd $ns5 delete example.com.policy1. '*.example.com.policy1.'
- done
- for i in 1 2 3 4 5; do
- nsd $ns5 add '*.example.com.policy1.' example.com.policy1.
- nsd $ns5 delete '*.example.com.policy1.' example.com.policy1.
- done
+ echo_i "checking if rpz survives a certain class of failed reconfiguration attempts (${t})"
+ sed -e "s/^#BAD//" <ns3/named.conf.in >ns3/named.conf.tmp
+ copy_setports ns3/named.conf.tmp ns3/named.conf
+ rm ns3/named.conf.tmp
+ $RNDCCMD $ns3 reconfig >/dev/null 2>&1 && setret "failed"
+ sleep 1
+ copy_setports ns3/named.conf.in ns3/named.conf
+ $RNDCCMD $ns3 reconfig || setret "failed"
+
+ t=$((t + 1))
+ echo_i "checking the configured extended DNS error code (EDE) (${t})"
+ $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t || setret "failed"
+ grep -F "EDE: 4 (Forged Answer)" dig.out.$t >/dev/null || setret "failed"
+ # reload a RPZ zone that is now deliberately broken.
t=$((t + 1))
- echo_i "checking that going from an empty policy zone works (${t})"
- nsd $ns5 add '*.x.servfail.policy2.' x.servfail.policy2.
- add_librpz_rule "update add *.x.servfail.policy2 300 CNAME ."
+ echo_i "checking rpz failed update will keep previous rpz rules (${t})"
+ $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t.before || setret "failed"
+ grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.before >/dev/null || setret "failed"
+ cp ns3/broken.db.in ns3/manual-update-rpz.db
+ rndc_reload ns3 $ns3 manual-update-rpz
sleep 1
- rndc_reload ns7 $ns7 policy2
- $DIG z.x.servfail -p ${PORT} @$ns7 >dig.out.${t} || setret "failed"
- grep NXDOMAIN dig.out.${t} >/dev/null || setret "failed"
+ # ensure previous RPZ rules still apply.
+ $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t.after || setret "failed"
+ grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.after >/dev/null || setret "failed"
t=$((t + 1))
- echo_i "checking that 'ede none' works same way as when \"ede\" is unset (${t})"
- $DIG z.x.servfail -p ${PORT} @$ns7 >dig.out.${t} || setret "failed"
- grep -F "EDE: " dig.out.${t} >/dev/null && setret "failed"
+ echo_i "checking the default (unset) extended DNS error code (EDE) (${t})"
+ $DIG -p ${PORT} @$ns3 a6-2.tld2. A >dig.out.$t || setret "failed"
+ grep -F "EDE: " dig.out.$t >/dev/null && setret "failed"
t=$((t + 1))
- echo_i "checking that 'add-soa no' at rpz zone level works (${t})"
- $DIG z.x.servfail -p ${PORT} @$ns7 >dig.out.${t} || setret "failed"
- grep SOA dig.out.${t} >/dev/null && setret "failed"
+ echo_i "checking reload of a mixed-case RPZ zone (${t})"
+ # First, a sanity check: the A6-2.TLD2.mixed-case-rpz RPZ record should
+ # cause a6-2.tld2 NOERROR answers to be rewritten to NXDOMAIN answers.
+ $DIG -p ${PORT} @$ns3 a6-2.tld2. A >dig.out.$t.before || setret "failed"
+ grep "status: NXDOMAIN" dig.out.$t.before >/dev/null || setret "failed"
+ # Add a sibling name (a6-1.tld2.mixed-case-rpz, with "tld2" in lowercase
+ # rather than uppercase) before A6-2.TLD.mixed-case-rpz.
+ nextpart ns3/named.run >/dev/null
+ cp ns3/mixed-case-rpz-2.db.in ns3/mixed-case-rpz.db
+ rndc_reload ns3 $ns3 mixed-case-rpz
+ wait_for_log 20 "rpz: mixed-case-rpz: reload done" ns3/named.run
+ # a6-2.tld2 NOERROR answers should still be rewritten to NXDOMAIN answers.
+ # (The bug we try to trigger here caused a6-2.tld2.mixed-case-rpz to be
+ # erroneously removed from the summary RPZ database after reload.)
+ $DIG -p ${PORT} @$ns3 a6-2.tld2. A >dig.out.$t.after || setret "failed"
+ grep "status: NXDOMAIN" dig.out.$t.after >/dev/null || setret "failed"
+fi
- if [ native = "$mode" ]; then
- t=$((t + 1))
- echo_i "checking that 'add-soa yes' at response-policy level works (${t})"
- $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 >dig.out.${t} || setret "failed"
- grep "^manual-update-rpz\..*SOA" dig.out.${t} >/dev/null || setret "failed"
- fi
+t=$((t + 1))
+echo_i "checking that ttl values are not zeroed when qtype is '*' (${t})"
+$DIG +noall +answer -p ${PORT} @$ns3 any a3-2.tld2 >dig.out.$t || setret "failed"
+ttl=$(awk '/a3-2 tld2 text/ {print $2}' dig.out.$t)
+if test ${ttl:=0} -eq 0; then setret "failed"; fi
+
+t=$((t + 1))
+echo_i "checking rpz updates/transfers with parent nodes added after children (${t})"
+# regression test for RT #36272: the success condition
+# is the secondary server not crashing.
+for i in 1 2 3 4 5; do
+ nsd $ns5 add example.com.policy1. '*.example.com.policy1.'
+ nsd $ns5 delete example.com.policy1. '*.example.com.policy1.'
+done
+for i in 1 2 3 4 5; do
+ nsd $ns5 add '*.example.com.policy1.' example.com.policy1.
+ nsd $ns5 delete '*.example.com.policy1.' example.com.policy1.
+done
- if [ native = "$mode" ]; then
- t=$((t + 1))
- echo_i "reconfiguring server with 'add-soa no' (${t})"
- cp ns3/named.conf ns3/named.conf.tmp
- sed -e "s/add-soa yes/add-soa no/g" <ns3/named.conf.tmp >ns3/named.conf
- rndc_reconfig ns3 $ns3
- echo_i "checking that 'add-soa no' at response-policy level works (${t})"
- $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 >dig.out.${t} || setret "failed"
- grep "^manual-update-rpz\..*SOA" dig.out.${t} >/dev/null && setret "failed"
- fi
+t=$((t + 1))
+echo_i "checking that going from an empty policy zone works (${t})"
+nsd $ns5 add '*.x.servfail.policy2.' x.servfail.policy2.
+add_librpz_rule "update add *.x.servfail.policy2 300 CNAME ."
+sleep 1
+rndc_reload ns7 $ns7 policy2
+$DIG z.x.servfail -p ${PORT} @$ns7 >dig.out.${t} || setret "failed"
+grep NXDOMAIN dig.out.${t} >/dev/null || setret "failed"
+
+t=$((t + 1))
+echo_i "checking that 'ede none' works same way as when \"ede\" is unset (${t})"
+$DIG z.x.servfail -p ${PORT} @$ns7 >dig.out.${t} || setret "failed"
+grep -F "EDE: " dig.out.${t} >/dev/null && setret "failed"
+
+t=$((t + 1))
+echo_i "checking that 'add-soa no' at rpz zone level works (${t})"
+$DIG z.x.servfail -p ${PORT} @$ns7 >dig.out.${t} || setret "failed"
+grep SOA dig.out.${t} >/dev/null && setret "failed"
+
+if [ native = "$MODE" ]; then
+ t=$((t + 1))
+ echo_i "checking that 'add-soa yes' at response-policy level works (${t})"
+ $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 >dig.out.${t} || setret "failed"
+ grep "^manual-update-rpz\..*SOA" dig.out.${t} >/dev/null || setret "failed"
+fi
- if [ native = "$mode" ]; then
- t=$((t + 1))
- echo_i "checking that 'add-soa unset' works (${t})"
- $DIG walled.tld2 -p ${PORT} +noall +add @$ns8 >dig.out.${t} || setret "failed"
- grep "^manual-update-rpz\..*SOA" dig.out.${t} >/dev/null || setret "failed"
- fi
+if [ native = "$MODE" ]; then
+ t=$((t + 1))
+ echo_i "reconfiguring server with 'add-soa no' (${t})"
+ cp ns3/named.conf ns3/named.conf.tmp
+ sed -e "s/add-soa yes/add-soa no/g" <ns3/named.conf.tmp >ns3/named.conf
+ rndc_reconfig ns3 $ns3
+ echo_i "checking that 'add-soa no' at response-policy level works (${t})"
+ $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 >dig.out.${t} || setret "failed"
+ grep "^manual-update-rpz\..*SOA" dig.out.${t} >/dev/null && setret "failed"
+fi
- # dnsrps does not allow NS RRs in policy zones, so this check
- # with dnsrps results in no rewriting.
- if [ native = "$mode" ]; then
- t=$((t + 1))
- echo_i "checking rpz with delegation fails correctly (${t})"
- $DIG -p ${PORT} @$ns3 ns example.com >dig.out.$t || setret "failed"
- grep "status: SERVFAIL" dig.out.$t >/dev/null || setret "failed"
+if [ native = "$MODE" ]; then
+ t=$((t + 1))
+ echo_i "checking that 'add-soa unset' works (${t})"
+ $DIG walled.tld2 -p ${PORT} +noall +add @$ns8 >dig.out.${t} || setret "failed"
+ grep "^manual-update-rpz\..*SOA" dig.out.${t} >/dev/null || setret "failed"
+fi
- t=$((t + 1))
- echo_i "checking policies from expired zone are no longer in effect ($t)"
- $DIG -p ${PORT} @$ns3 a expired >dig.out.$t || setret "failed"
- grep "expired.*10.0.0.10" dig.out.$t >/dev/null && setret "failed"
- grep "fast-expire/IN: response-policy zone expired" ns3/named.run >/dev/null || setret "failed"
- fi
+# dnsrps does not allow NS RRs in policy zones, so this check
+# with dnsrps results in no rewriting.
+if [ native = "$MODE" ]; then
+ t=$((t + 1))
+ echo_i "checking rpz with delegation fails correctly (${t})"
+ $DIG -p ${PORT} @$ns3 ns example.com >dig.out.$t || setret "failed"
+ grep "status: SERVFAIL" dig.out.$t >/dev/null || setret "failed"
- # RPZ 'CNAME *.' (NODATA) trumps DNS64. Test against various DNS64 scenarios.
- produce_librpz_rules ns9 rpz rpz
- for label in a-only no-a-no-aaaa a-plus-aaaa; do
- for type in AAAA A; do
- t=$((t + 1))
- case $label in
- a-only)
- echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with A-only (${t})"
- ;;
- no-a-no-aaaa)
- echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with no A or AAAA (${t})"
- ;;
- a-plus-aaaa)
- echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with A and AAAA (${t})"
- ;;
- esac
- ret=0
- $DIG ${label}.example -p ${PORT} $type @10.53.0.9 >dig.out.${t} || setret "failed"
- grep "status: NOERROR" dig.out.$t >/dev/null || ret=1
- grep "ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2$" dig.out.$t >/dev/null || ret=1
- grep "^rpz" dig.out.$t >/dev/null || ret=1
- [ $ret -eq 0 ] || echo_i "failed"
- status=$((status + ret))
- done
- done
+ t=$((t + 1))
+ echo_i "checking policies from expired zone are no longer in effect ($t)"
+ $DIG -p ${PORT} @$ns3 a expired >dig.out.$t || setret "failed"
+ grep "expired.*10.0.0.10" dig.out.$t >/dev/null && setret "failed"
+ grep "fast-expire/IN: response-policy zone expired" ns3/named.run >/dev/null || setret "failed"
+fi
- if [ native = "$mode" ]; then
+# RPZ 'CNAME *.' (NODATA) trumps DNS64. Test against various DNS64 scenarios.
+produce_librpz_rules ns9 rpz rpz
+for label in a-only no-a-no-aaaa a-plus-aaaa; do
+ for type in AAAA A; do
t=$((t + 1))
- echo_i "checking that rewriting CD=1 queries handles pending data correctly (${t})"
- $RNDCCMD $ns3 flush
- $RNDCCMD $ns6 flush
- $DIG a7-2.tld2s -p ${PORT} @$ns6 +cd >dig.out.${t} || setret "failed"
- grep -w "1.1.1.1" dig.out.${t} >/dev/null || setret "failed"
- fi
-
- [ $status -ne 0 ] && pf=fail || pf=pass
- case $mode in
- native)
- native=$status
- echo_i "status (native RPZ sub-test): $status ($pf)"
- ;;
-
- dnsrps)
- dnsrps=$status
- echo_i "status (DNSRPS sub-test): $status ($pf)"
- ;;
- *) echo_i "invalid test mode" ;;
- esac
+ case $label in
+ a-only)
+ echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with A-only (${t})"
+ ;;
+ no-a-no-aaaa)
+ echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with no A or AAAA (${t})"
+ ;;
+ a-plus-aaaa)
+ echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with A and AAAA (${t})"
+ ;;
+ esac
+ ret=0
+ $DIG ${label}.example -p ${PORT} $type @10.53.0.9 >dig.out.${t} || setret "failed"
+ grep "status: NOERROR" dig.out.$t >/dev/null || ret=1
+ grep "ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2$" dig.out.$t >/dev/null || ret=1
+ grep "^rpz" dig.out.$t >/dev/null || ret=1
+ [ $ret -eq 0 ] || echo_i "failed"
+ status=$((status + ret))
+ done
done
-status=$((native + dnsrps))
+
+if [ native = "$MODE" ]; then
+ t=$((t + 1))
+ echo_i "checking that rewriting CD=1 queries handles pending data correctly (${t})"
+ $RNDCCMD $ns3 flush
+ $RNDCCMD $ns6 flush
+ $DIG a7-2.tld2s -p ${PORT} @$ns6 +cd >dig.out.${t} || setret "failed"
+ grep -w "1.1.1.1" dig.out.${t} >/dev/null || setret "failed"
+fi
[ $status -eq 0 ] || exit 1
t=0
export DNSRPS_TEST_UPDATE_FILE=$(pwd)/dnsrps.cache
-DEBUG=
ARGS=
+if grep 'dnsrps-enable yes;' dnsrps.conf >/dev/null; then
+ MODE=dnsrps
+else
+ MODE=native
+fi
-USAGE="$0: [-xS]"
-while getopts "xS:" c; do
+USAGE="$0: [-S]"
+while getopts "S:" c; do
case $c in
- x)
- set -x
- DEBUG=-x
- ARGS="$ARGS -x"
- ;;
S)
SAVE_RESULTS=-S
ARGS="$ARGS -S"
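Review bot: The new MODE detection uses an unanchored pattern, so any line of dnsrps.conf that merely contains the text `dnsrps-enable yes;` — a `##` commentary line, for instance, which this file is known to carry — would flip the whole run into DNSRPS mode and silently skip every `[ native = "$MODE" ]` check later on. Anchoring the match and using grep's quiet flag makes the selection exact: `if grep -q '^dnsrps-enable yes;' dnsrps.conf; then`. Note also that a missing dnsrps.conf currently falls back to native mode with only a grep error on stderr; if that file is expected to exist by this point, an explicit `test -f dnsrps.conf || { echo_i "dnsrps.conf missing"; exit 1; }` before the grep would make that failure visible rather than masking it as a mode choice. The getopts loop and its usage handling continue past the end of this hunk.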
done
}
-native=0
-dnsrps=0
-for mode in native dnsrps; do
- status=0
- case $mode in
- native)
- if [ -e dnsrps-only ]; then
- echo_i "'dnsrps-only' found: skipping native RPZ sub-test"
- continue
- else
- echo_i "running native RPZ sub-test"
- fi
- ;;
- dnsrps)
- if [ -e dnsrps-off ]; then
- echo_i "'dnsrps-off' found: skipping DNSRPS sub-test"
- continue
- fi
- echo_i "attempting to configure servers with DNSRPS..."
- stop_server --use-rndc --port ${CONTROLPORT}
- $SHELL ./setup.sh -N -D $DEBUG
- sed -n 's/^## //p' dnsrps.conf | cat_i
- if grep '^#fail' dnsrps.conf >/dev/null; then
- echo_i "exit status: 1"
- exit 1
- fi
- if grep '^#skip' dnsrps.conf >/dev/null; then
- echo_i "DNSRPS sub-test skipped"
- continue
- else
- echo_i "running DNSRPS sub-test"
- start_server --noclean --restart --port ${PORT}
- sleep 3
- fi
- ;;
- esac
-
- # show whether and why DNSRPS is enabled or disabled
- sed -n 's/^## //p' dnsrps.conf | cat_i
-
- t=$((t + 1))
- echo_i "testing that l1.l0 exists without RPZ (${t})"
- add_test_marker 10.53.0.2
- $DIG $DIGOPTS l1.l0 ns @10.53.0.2 -p ${PORT} >dig.out.${t}
- grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
- echo_i "test ${t} failed"
- status=1
- }
-
- t=$((t + 1))
- echo_i "testing that l2.l1.l0 returns SERVFAIL without RPZ (${t})"
- add_test_marker 10.53.0.2
- $DIG $DIGOPTS l2.l1.l0 ns @10.53.0.2 -p ${PORT} >dig.out.${t}
- grep "status: SERVFAIL" dig.out.${t} >/dev/null 2>&1 || {
- echo_i "test ${t} failed"
- status=1
- }
+t=$((t + 1))
+echo_i "testing that l1.l0 exists without RPZ (${t})"
+add_test_marker 10.53.0.2
+$DIG $DIGOPTS l1.l0 ns @10.53.0.2 -p ${PORT} >dig.out.${t}
+grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
+ echo_i "test ${t} failed"
+ status=1
+}
- # Group 1
- run_server 1a
- expect_norecurse 1a 1
- run_server 1b
- expect_norecurse 1b 1
- expect_recurse 1b 2
- run_server 1c
- expect_norecurse 1c 1
-
- # Group 2
- run_server 2a
- for n in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \
- 21 22 23 24 25 26 27 28 29 30 31 32; do
- expect_norecurse 2a $n
- done
- expect_recurse 2a 33
-
- # Group 3
- run_server 3a
- expect_recurse 3a 1
- run_server 3b
- expect_recurse 3b 1
- run_server 3c
- expect_recurse 3c 1
- run_server 3d
- expect_norecurse 3d 1
- expect_recurse 3d 2
- run_server 3e
- expect_norecurse 3e 1
- expect_recurse 3e 2
- run_server 3f
- expect_norecurse 3f 1
- expect_recurse 3f 2
-
- # Group 4
- testlist="aa ap bf"
- values="1 16 32"
- # Uncomment the following to test every skip value instead of
- # only a sample of values
- #
- #testlist="aa ab ac ad ae af ag ah ai aj ak al am an ao ap \
- # aq ar as at au av aw ax ay az ba bb bc bd be bf"
- #values="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \
- # 21 22 23 24 25 26 27 28 29 30 31 32"
- set -- $values
- for n in $testlist; do
- run_server 4$n
- ni=$1
- t=$((t + 1))
- echo_i "testing that ${ni} of 33 queries skip recursion (${t})"
- add_test_marker 10.53.0.2
- c=0
- for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 \
- 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33; do
- run_query 4$n $i || c=$((c + 1))
- done
- skipped=$((33 - c))
- if [ $skipped != $ni ]; then
- echo_i "test $t failed (actual=$skipped, expected=$ni)"
- status=1
- fi
- shift
- done
+t=$((t + 1))
+echo_i "testing that l2.l1.l0 returns SERVFAIL without RPZ (${t})"
+add_test_marker 10.53.0.2
+$DIG $DIGOPTS l2.l1.l0 ns @10.53.0.2 -p ${PORT} >dig.out.${t}
+grep "status: SERVFAIL" dig.out.${t} >/dev/null 2>&1 || {
+ echo_i "test ${t} failed"
+ status=1
+}
- # Group 5
- run_server 5a
- expect_norecurse 5a 1
- expect_norecurse 5a 2
- expect_recurse 5a 3
- expect_recurse 5a 4
- expect_recurse 5a 5
- expect_recurse 5a 6
-
- # Group 6
- echo_i "check recursive behavior consistency during policy update races"
- run_server 6a
- sleep 1
- t=$((t + 1))
- echo_i "running dig to cache CNAME record (${t})"
- add_test_marker 10.53.0.1 10.53.0.2
- $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME >dig.out.${t}
- sleep 1
- echo_i "suspending authority server"
- PID=$(cat ns1/named.pid)
- kill -STOP $PID
- echo_i "adding an NSDNAME policy"
- cp ns2/db.6a.00.policy.local ns2/saved.policy.local
- cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local
- $RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
- test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
- sleep 1
+# Group 1
+run_server 1a
+expect_norecurse 1a 1
+run_server 1b
+expect_norecurse 1b 1
+expect_recurse 1b 2
+run_server 1c
+expect_norecurse 1c 1
+
+# Group 2
+run_server 2a
+for n in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \
+ 21 22 23 24 25 26 27 28 29 30 31 32; do
+ expect_norecurse 2a $n
+done
+expect_recurse 2a 33
+
+# Group 3
+run_server 3a
+expect_recurse 3a 1
+run_server 3b
+expect_recurse 3b 1
+run_server 3c
+expect_recurse 3c 1
+run_server 3d
+expect_norecurse 3d 1
+expect_recurse 3d 2
+run_server 3e
+expect_norecurse 3e 1
+expect_recurse 3e 2
+run_server 3f
+expect_norecurse 3f 1
+expect_recurse 3f 2
+
+# Group 4
+testlist="aa ap bf"
+values="1 16 32"
+# Uncomment the following to test every skip value instead of
+# only a sample of values
+#
+#testlist="aa ab ac ad ae af ag ah ai aj ak al am an ao ap \
+# aq ar as at au av aw ax ay az ba bb bc bd be bf"
+#values="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \
+# 21 22 23 24 25 26 27 28 29 30 31 32"
+set -- $values
+for n in $testlist; do
+ run_server 4$n
+ ni=$1
t=$((t + 1))
- echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})"
+ echo_i "testing that ${ni} of 33 queries skip recursion (${t})"
add_test_marker 10.53.0.2
- $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 >dig.out.${t} &
- sleep 1
- echo_i "removing the NSDNAME policy"
- cp ns2/db.6c.00.policy.local ns2/db.6a.00.policy.local
- $RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
- test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
- sleep 1
- echo_i "resuming authority server"
- PID=$(cat ns1/named.pid)
- kill -CONT $PID
- add_test_marker 10.53.0.1
- for n in 1 2 3 4 5 6 7 8 9; do
- sleep 1
- [ -s dig.out.${t} ] || continue
- grep "status: .*," dig.out.${t} >/dev/null 2>&1 && break
+ c=0
+ for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 \
+ 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33; do
+ run_query 4$n $i || c=$((c + 1))
done
- grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
- echo_i "test ${t} failed"
+ skipped=$((33 - c))
+ if [ $skipped != $ni ]; then
+ echo_i "test $t failed (actual=$skipped, expected=$ni)"
status=1
- }
+ fi
+ shift
+done
- echo_i "check recursive behavior consistency during policy removal races"
- cp ns2/saved.policy.local ns2/db.6a.00.policy.local
- run_server 6a
+# Group 5
+run_server 5a
+expect_norecurse 5a 1
+expect_norecurse 5a 2
+expect_recurse 5a 3
+expect_recurse 5a 4
+expect_recurse 5a 5
+expect_recurse 5a 6
+
+# Group 6
+echo_i "check recursive behavior consistency during policy update races"
+run_server 6a
+sleep 1
+t=$((t + 1))
+echo_i "running dig to cache CNAME record (${t})"
+add_test_marker 10.53.0.1 10.53.0.2
+$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME >dig.out.${t}
+sleep 1
+echo_i "suspending authority server"
+PID=$(cat ns1/named.pid)
+kill -STOP $PID
+echo_i "adding an NSDNAME policy"
+cp ns2/db.6a.00.policy.local ns2/saved.policy.local
+cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local
+$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
+test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
+sleep 1
+t=$((t + 1))
+echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})"
+add_test_marker 10.53.0.2
+$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 >dig.out.${t} &
+sleep 1
+echo_i "removing the NSDNAME policy"
+cp ns2/db.6c.00.policy.local ns2/db.6a.00.policy.local
+$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
+test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
+sleep 1
+echo_i "resuming authority server"
+PID=$(cat ns1/named.pid)
+kill -CONT $PID
+add_test_marker 10.53.0.1
+for n in 1 2 3 4 5 6 7 8 9; do
sleep 1
- t=$((t + 1))
- echo_i "running dig to cache CNAME record (${t})"
- add_test_marker 10.53.0.1 10.53.0.2
- $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME >dig.out.${t}
- sleep 1
- echo_i "suspending authority server"
- PID=$(cat ns1/named.pid)
- kill -STOP $PID
- echo_i "adding an NSDNAME policy"
- cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local
- $RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
- test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
- sleep 1
- t=$((t + 1))
- echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})"
- add_test_marker 10.53.0.2
- $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 >dig.out.${t} &
- sleep 1
- echo_i "removing the policy zone"
- cp ns2/named.default.conf ns2/named.conf
- rndc_reconfig ns2 10.53.0.2
- test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
+ [ -s dig.out.${t} ] || continue
+ grep "status: .*," dig.out.${t} >/dev/null 2>&1 && break
+done
+grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
+ echo_i "test ${t} failed"
+ status=1
+}
+
+echo_i "check recursive behavior consistency during policy removal races"
+cp ns2/saved.policy.local ns2/db.6a.00.policy.local
+run_server 6a
+sleep 1
+t=$((t + 1))
+echo_i "running dig to cache CNAME record (${t})"
+add_test_marker 10.53.0.1 10.53.0.2
+$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME >dig.out.${t}
+sleep 1
+echo_i "suspending authority server"
+PID=$(cat ns1/named.pid)
+kill -STOP $PID
+echo_i "adding an NSDNAME policy"
+cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local
+$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
+test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
+sleep 1
+t=$((t + 1))
+echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})"
+add_test_marker 10.53.0.2
+$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 >dig.out.${t} &
+sleep 1
+echo_i "removing the policy zone"
+cp ns2/named.default.conf ns2/named.conf
+rndc_reconfig ns2 10.53.0.2
+test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
+sleep 1
+echo_i "resuming authority server"
+PID=$(cat ns1/named.pid)
+kill -CONT $PID
+add_test_marker 10.53.0.1
+for n in 1 2 3 4 5 6 7 8 9; do
sleep 1
- echo_i "resuming authority server"
- PID=$(cat ns1/named.pid)
- kill -CONT $PID
- add_test_marker 10.53.0.1
- for n in 1 2 3 4 5 6 7 8 9; do
- sleep 1
- [ -s dig.out.${t} ] || continue
- grep "status: .*," dig.out.${t} >/dev/null 2>&1 && break
- done
- grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
- echo_i "test ${t} failed"
+ [ -s dig.out.${t} ] || continue
+ grep "status: .*," dig.out.${t} >/dev/null 2>&1 && break
+done
+grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
+ echo_i "test ${t} failed"
+ status=1
+}
+
+# Check maximum number of RPZ zones (64)
+t=$((t + 1))
+echo_i "testing maximum number of RPZ zones (${t})"
+add_test_marker 10.53.0.2
+run_server max
+i=1
+while test $i -le 64; do
+ $DIG $DIGOPTS name$i a @10.53.0.2 -p ${PORT} -b 10.53.0.1 >dig.out.${t}.${i}
+ grep "^name$i.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.$i" dig.out.${t}.${i} >/dev/null 2>&1 || {
+ echo_i "test $t failed: didn't get expected answer from policy zone $i"
status=1
}
+ i=$((i + 1))
+done
- # Check maximum number of RPZ zones (64)
- t=$((t + 1))
- echo_i "testing maximum number of RPZ zones (${t})"
- add_test_marker 10.53.0.2
- run_server max
- i=1
- while test $i -le 64; do
- $DIG $DIGOPTS name$i a @10.53.0.2 -p ${PORT} -b 10.53.0.1 >dig.out.${t}.${i}
- grep "^name$i.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.$i" dig.out.${t}.${i} >/dev/null 2>&1 || {
- echo_i "test $t failed: didn't get expected answer from policy zone $i"
- status=1
- }
- i=$((i + 1))
- done
+# Check CLIENT-IP behavior
+t=$((t + 1))
+echo_i "testing CLIENT-IP behavior (${t})"
+add_test_marker 10.53.0.2
+run_server clientip
+$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}
+grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
+ echo_i "test $t failed: query failed"
+ status=1
+}
+grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.2" dig.out.${t} >/dev/null 2>&1 || {
+ echo_i "test $t failed: didn't get expected answer"
+ status=1
+}
- # Check CLIENT-IP behavior
- t=$((t + 1))
- echo_i "testing CLIENT-IP behavior (${t})"
- add_test_marker 10.53.0.2
- run_server clientip
- $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}
- grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
- echo_i "test $t failed: query failed"
- status=1
- }
- grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.2" dig.out.${t} >/dev/null 2>&1 || {
- echo_i "test $t failed: didn't get expected answer"
- status=1
- }
+# Check CLIENT-IP behavior #2
+t=$((t + 1))
+echo_i "testing CLIENT-IP behavior #2 (${t})"
+add_test_marker 10.53.0.2
+run_server clientip2
+$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.1 >dig.out.${t}.1
+grep "status: SERVFAIL" dig.out.${t}.1 >/dev/null 2>&1 || {
+ echo_i "test $t failed: query failed"
+ status=1
+}
+$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >dig.out.${t}.2
+grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null 2>&1 || {
+ echo_i "test $t failed: query failed"
+ status=1
+}
+$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >dig.out.${t}.3
+grep "status: NOERROR" dig.out.${t}.3 >/dev/null 2>&1 || {
+ echo_i "test $t failed: query failed"
+ status=1
+}
+grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.1" dig.out.${t}.3 >/dev/null 2>&1 || {
+ echo_i "test $t failed: didn't get expected answer"
+ status=1
+}
+$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}.4
+grep "status: SERVFAIL" dig.out.${t}.4 >/dev/null 2>&1 || {
+ echo_i "test $t failed: query failed"
+ status=1
+}
- # Check CLIENT-IP behavior #2
- t=$((t + 1))
- echo_i "testing CLIENT-IP behavior #2 (${t})"
- add_test_marker 10.53.0.2
- run_server clientip2
- $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.1 >dig.out.${t}.1
- grep "status: SERVFAIL" dig.out.${t}.1 >/dev/null 2>&1 || {
- echo_i "test $t failed: query failed"
- status=1
- }
- $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >dig.out.${t}.2
- grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null 2>&1 || {
- echo_i "test $t failed: query failed"
- status=1
- }
- $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >dig.out.${t}.3
- grep "status: NOERROR" dig.out.${t}.3 >/dev/null 2>&1 || {
- echo_i "test $t failed: query failed"
- status=1
- }
- grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.1" dig.out.${t}.3 >/dev/null 2>&1 || {
- echo_i "test $t failed: didn't get expected answer"
- status=1
- }
- $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}.4
- grep "status: SERVFAIL" dig.out.${t}.4 >/dev/null 2>&1 || {
- echo_i "test $t failed: query failed"
- status=1
- }
+# Check RPZ log clause
+t=$((t + 1))
+echo_i "testing RPZ log clause (${t})"
+add_test_marker 10.53.0.2
+run_server log
+cur=$(awk 'BEGIN {l=0} /^/ {l++} END { print l }' ns2/named.run)
+$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}
+$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >>dig.out.${t}
+$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >>dig.out.${t}
+sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.4.0.53.10.rpz-client-ip.log1" >/dev/null && {
+ echo_ic "failed: unexpected rewrite message for policy zone log1 was logged"
+ status=1
+}
+sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.3.0.53.10.rpz-client-ip.log2" >/dev/null || {
+ echo_ic "failed: expected rewrite message for policy zone log2 was not logged"
+ status=1
+}
+sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.2.0.53.10.rpz-client-ip.log3" >/dev/null || {
+ echo_ic "failed: expected rewrite message for policy zone log3 was not logged"
+ status=1
+}
- # Check RPZ log clause
- t=$((t + 1))
- echo_i "testing RPZ log clause (${t})"
- add_test_marker 10.53.0.2
- run_server log
- cur=$(awk 'BEGIN {l=0} /^/ {l++} END { print l }' ns2/named.run)
- $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}
- $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >>dig.out.${t}
- $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >>dig.out.${t}
- sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.4.0.53.10.rpz-client-ip.log1" >/dev/null && {
- echo_ic "failed: unexpected rewrite message for policy zone log1 was logged"
- status=1
- }
- sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.3.0.53.10.rpz-client-ip.log2" >/dev/null || {
- echo_ic "failed: expected rewrite message for policy zone log2 was not logged"
- status=1
- }
- sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.2.0.53.10.rpz-client-ip.log3" >/dev/null || {
- echo_ic "failed: expected rewrite message for policy zone log3 was not logged"
- status=1
- }
+# Check wildcard behavior
- # Check wildcard behavior
+t=$((t + 1))
+echo_i "testing wildcard behavior with 1 RPZ zone (${t})"
+add_test_marker 10.53.0.2
+run_server wildcard1
+$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
+grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || {
+ echo_i "test ${t} failed"
+ status=1
+}
+$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
+grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null || {
+ echo_i "test ${t} failed"
+ status=1
+}
- t=$((t + 1))
- echo_i "testing wildcard behavior with 1 RPZ zone (${t})"
- add_test_marker 10.53.0.2
- run_server wildcard1
- $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
- grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || {
- echo_i "test ${t} failed"
- status=1
- }
- $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
- grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null || {
- echo_i "test ${t} failed"
- status=1
- }
+t=$((t + 1))
+echo_i "testing wildcard behavior with 2 RPZ zones (${t})"
+add_test_marker 10.53.0.2
+run_server wildcard2
+$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
+grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || {
+ echo_i "test ${t} failed"
+ status=1
+}
+$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
+grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null || {
+ echo_i "test ${t} failed"
+ status=1
+}
- t=$((t + 1))
- echo_i "testing wildcard behavior with 2 RPZ zones (${t})"
- add_test_marker 10.53.0.2
- run_server wildcard2
- $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
- grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || {
- echo_i "test ${t} failed"
- status=1
- }
- $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
- grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null || {
- echo_i "test ${t} failed"
- status=1
- }
+t=$((t + 1))
+echo_i "testing wildcard behavior with 1 RPZ zone and no non-wildcard triggers (${t})"
+add_test_marker 10.53.0.2
+run_server wildcard3
+$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
+grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || {
+ echo_i "test ${t} failed"
+ status=1
+}
+$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
+grep "status: NOERROR" dig.out.${t}.2 >/dev/null || {
+ echo_i "test ${t} failed"
+ status=1
+}
- t=$((t + 1))
- echo_i "testing wildcard behavior with 1 RPZ zone and no non-wildcard triggers (${t})"
- add_test_marker 10.53.0.2
- run_server wildcard3
- $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
- grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || {
- echo_i "test ${t} failed"
- status=1
- }
- $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
- grep "status: NOERROR" dig.out.${t}.2 >/dev/null || {
- echo_i "test ${t} failed"
- status=1
- }
+t=$((t + 1))
+echo_i "testing wildcard passthru before explicit drop (${t})"
+add_test_marker 10.53.0.2
+run_server wildcard4
+$DIG $DIGOPTS example.com a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
+grep "status: NOERROR" dig.out.${t}.1 >/dev/null || {
+ echo_i "test ${t} failed"
+ status=1
+}
+$DIG $DIGOPTS www.example.com a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
+grep "status: NOERROR" dig.out.${t}.2 >/dev/null || {
+ echo_i "test ${t} failed"
+ status=1
+}
+if [ "$MODE" = "native" ]; then
+ # Check for invalid prefix length error
t=$((t + 1))
- echo_i "testing wildcard passthru before explicit drop (${t})"
+ echo_i "testing for invalid prefix length error (${t})"
add_test_marker 10.53.0.2
- run_server wildcard4
- $DIG $DIGOPTS example.com a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
- grep "status: NOERROR" dig.out.${t}.1 >/dev/null || {
- echo_i "test ${t} failed"
- status=1
- }
- $DIG $DIGOPTS www.example.com a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
- grep "status: NOERROR" dig.out.${t}.2 >/dev/null || {
- echo_i "test ${t} failed"
+ run_server invalidprefixlength
+ grep "invalid rpz IP address \"1000.4.0.53.10.rpz-client-ip.invalidprefixlength\"; invalid prefix length of 1000$" ns2/named.run >/dev/null || {
+ echo_ic "failed: expected that invalid prefix length error would be logged"
status=1
}
+fi
- if [ "$mode" = "native" ]; then
- # Check for invalid prefix length error
- t=$((t + 1))
- echo_i "testing for invalid prefix length error (${t})"
- add_test_marker 10.53.0.2
- run_server invalidprefixlength
- grep "invalid rpz IP address \"1000.4.0.53.10.rpz-client-ip.invalidprefixlength\"; invalid prefix length of 1000$" ns2/named.run >/dev/null || {
- echo_ic "failed: expected that invalid prefix length error would be logged"
- status=1
- }
- fi
-
- if [ "$mode" = "native" ]; then
- t=$((t + 1))
- echo_i "checking 'nsip-wait-recurse no' is faster than 'nsip-wait-recurse yes' ($t)"
- add_test_marker 10.53.0.2 10.53.0.3
- echo_i "timing 'nsip-wait-recurse yes' (default)"
- produce_librpz_rules ns3 policy policy
- ret=0
- t1=$($PERL -e 'print time()."\n";')
- $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.yes.$t
- t2=$($PERL -e 'print time()."\n";')
- p1=$((t2 - t1))
- echo_i "elapsed time $p1 seconds"
-
- $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
- copy_setports ns3/named2.conf.in ns3/named.conf
- nextpart ns3/named.run >/dev/null
- $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
- wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
-
- echo_i "timing 'nsip-wait-recurse no'"
- echo "update zone policy 0 no_nsip_wait_recurse" >$DNSRPS_TEST_UPDATE_FILE
- t3=$($PERL -e 'print time()."\n";')
- $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.no.$t
- t4=$($PERL -e 'print time()."\n";')
- p2=$((t4 - t3))
- echo_i "elapsed time $p2 seconds"
-
- if test $p1 -le $p2; then ret=1; fi
- if test $ret != 0; then echo_i "failed"; fi
- status=$((status + ret))
-
- $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
- # restore original named.conf
- copy_setports ns3/named1.conf.in ns3/named.conf
- nextpart ns3/named.run >/dev/null
- $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
- wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
-
- t=$((t + 1))
- echo_i "checking 'nsdname-wait-recurse no' is faster than 'nsdname-wait-recurse yes' ($t)"
- add_test_marker 10.53.0.2 10.53.0.3
- echo_i "timing 'nsdname-wait-recurse yes' (default)"
- ret=0
- t1=$($PERL -e 'print time()."\n";')
- $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.yes.$t
- t2=$($PERL -e 'print time()."\n";')
- p1=$((t2 - t1))
- echo_i "elapsed time $p1 seconds"
-
- $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
- copy_setports ns3/named3.conf.in ns3/named.conf
- nextpart ns3/named.run >/dev/null
- $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
- wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
-
- echo_i "timing 'nsdname-wait-recurse no'"
- t3=$($PERL -e 'print time()."\n";')
- $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.no.$t
- t4=$($PERL -e 'print time()."\n";')
- p2=$((t4 - t3))
- echo_i "elapsed time $p2 seconds"
-
- if test $p1 -le $p2; then ret=1; fi
- if test $ret != 0; then echo_i "failed"; fi
- status=$((status + ret))
- fi
+if [ "$MODE" = "native" ]; then
+ t=$((t + 1))
+ echo_i "checking 'nsip-wait-recurse no' is faster than 'nsip-wait-recurse yes' ($t)"
+ add_test_marker 10.53.0.2 10.53.0.3
+ echo_i "timing 'nsip-wait-recurse yes' (default)"
+ produce_librpz_rules ns3 policy policy
+ ret=0
+ t1=$($PERL -e 'print time()."\n";')
+ $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.yes.$t
+ t2=$($PERL -e 'print time()."\n";')
+ p1=$((t2 - t1))
+ echo_i "elapsed time $p1 seconds"
+
+ $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
+ copy_setports ns3/named2.conf.in ns3/named.conf
+ nextpart ns3/named.run >/dev/null
+ $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
+ wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
+
+ echo_i "timing 'nsip-wait-recurse no'"
+ echo "update zone policy 0 no_nsip_wait_recurse" >$DNSRPS_TEST_UPDATE_FILE
+ t3=$($PERL -e 'print time()."\n";')
+ $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.no.$t
+ t4=$($PERL -e 'print time()."\n";')
+ p2=$((t4 - t3))
+ echo_i "elapsed time $p2 seconds"
+
+ if test $p1 -le $p2; then ret=1; fi
+ if test $ret != 0; then echo_i "failed"; fi
+ status=$((status + ret))
+
+ $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
+ # restore original named.conf
+ copy_setports ns3/named1.conf.in ns3/named.conf
+ nextpart ns3/named.run >/dev/null
+ $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
+ wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
- [ $status -ne 0 ] && pf=fail || pf=pass
- case $mode in
- native)
- native=$status
- echo_i "status (native RPZ sub-test): $status ($pf)"
- ;;
- dnsrps)
- dnsrps=$status
- echo_i "status (DNSRPS sub-test): $status ($pf)"
- ;;
- *) echo_i "invalid test mode" ;;
- esac
-done
-status=$((native + dnsrps))
+ t=$((t + 1))
+ echo_i "checking 'nsdname-wait-recurse no' is faster than 'nsdname-wait-recurse yes' ($t)"
+ add_test_marker 10.53.0.2 10.53.0.3
+ echo_i "timing 'nsdname-wait-recurse yes' (default)"
+ ret=0
+ t1=$($PERL -e 'print time()."\n";')
+ $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.yes.$t
+ t2=$($PERL -e 'print time()."\n";')
+ p1=$((t2 - t1))
+ echo_i "elapsed time $p1 seconds"
+
+ $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
+ copy_setports ns3/named3.conf.in ns3/named.conf
+ nextpart ns3/named.run >/dev/null
+ $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
+ wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
+
+ echo_i "timing 'nsdname-wait-recurse no'"
+ t3=$($PERL -e 'print time()."\n";')
+ $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.no.$t
+ t4=$($PERL -e 'print time()."\n";')
+ p2=$((t4 - t3))
+ echo_i "elapsed time $p2 seconds"
+
+ if test $p1 -le $p2; then ret=1; fi
+ if test $ret != 0; then echo_i "failed"; fi
+ status=$((status + ret))
+fi
[ $status -eq 0 ] || exit 1