fi
status=$((status + ret))
+n=$((n + 1))
+echo_i "check 'recursion yes;' is warned and disabled in a non-IN view ($n)"
+ret=0
+$CHECKCONF warn-chaos-recursion.conf >checkconf.out$n 2>&1 || ret=1
+grep -F "recursion will be disabled" checkconf.out$n >/dev/null || ret=1
+if [ $ret != 0 ]; then
+ echo_i "failed"
+ ret=1
+fi
+status=$((status + ret))
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
--- /dev/null
+options {
+ directory ".";
+};
+
+view chaos ch {
+ match-clients { any; };
+ recursion yes;
+ zone "." {
+ type hint;
+ file "chaos.hints";
+ };
+};
--- /dev/null
+. CH NS ns.root.
+ns.root. CH A ns.root. 1
+ns.root. CH AAAA \# 1 00
+
--- /dev/null
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view chaos ch {
+ match-clients { any; };
+ recursion yes;
+ zone "." {
+ type hint;
+ file "chaos.db";
+ };
+ zone "version.bind" {
+ type primary;
+ database "_builtin version";
+ };
+};
--- /dev/null
+$TTL 300
+@ CH SOA ns.example. hostmaster.example. 1 3600 1200 604800 300
+@ CH NS ns.example.
+ns CH TXT "ns"
+a CH A target.example. 1
+target CH TXT "target"
--- /dev/null
+$ORIGIN 1.0.0.127.in-addr.arpa.
+$TTL 300
+@ IN SOA ns hostmaster 1 3600 900 604800 300
+@ IN NS ns
+ns IN A 127.0.0.1
+@ IN KX 10 target.example.
--- /dev/null
+options {
+ directory ".";
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view default {
+ match-clients { any; };
+ recursion no;
+ dnssec-validation no;
+ zone "1.0.0.127.in-addr.arpa." {
+ type primary;
+ file "localhost.db";
+ update-policy {
+ grant * tcp-self . ANY;
+ };
+ };
+};
+
+view chaos ch {
+ match-clients { any; };
+ recursion no;
+ zone example {
+ type primary;
+ file "example.db";
+ allow-update { any; };
+ };
+};
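Review bot: `allow-update { any; };` on the CH `example` zone and `grant * tcp-self . ANY;` on `1.0.0.127.in-addr.arpa.` leave both zones open to unauthenticated dynamic update, yet none of the tests in the Python file shown on this page sends an UPDATE. If a scenario outside this page depends on them, a comment above each, such as `/* test fixture only: UPDATE is deliberately unrestricted here */`, would state the intent and discourage copying the stanza into a production configuration. If nothing uses them, the narrower fixture is the one without the update permissions.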
--- /dev/null
+options {
+ directory ".";
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view chaos ch {
+ match-clients { any; };
+ recursion yes;
+ dnssec-validation no;
+ forward only;
+ forwarders port @PORT@ { 10.53.0.2; };
+ deny-answer-addresses { 0.0.0.0/0; ::/0; };
+};
--- /dev/null
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+cp ns1/chaos.db.in ns1/chaos.db
+cp ns2/example.db.in ns2/example.db
+cp ns2/localhost.db.in ns2/localhost.db
--- /dev/null
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+
+import dns.opcode
+import pytest
+
+import isctest
+
+pytestmark = pytest.mark.extra_artifacts(
+ [
+ "*/*.db",
+ ]
+)
+
+
+def test_chaos_recursion():
+ msg = isctest.query.create("foo.example.", "TXT", qclass="CH")
+ res = isctest.query.udp(msg, "10.53.0.1")
+ isctest.check.refused(res)
+
+
+def test_chaos_auth():
+ msg = isctest.query.create("a.example.", "A", qclass="CH")
+ res = isctest.query.udp(msg, "10.53.0.2")
+ isctest.check.noerror(res)
+
+
+def test_chaos_forward():
+ msg = isctest.query.create("a.example.", "A", qclass="CH")
+ res = isctest.query.udp(msg, "10.53.0.3")
+ isctest.check.refused(res)
+
+
+def test_chaos_notify():
+ msg = isctest.query.create("example.", "SOA", qclass="CH", rd=False, dnssec=False)
+ msg.set_opcode(dns.opcode.NOTIFY)
+ msg.flags = dns.opcode.to_flags(dns.opcode.NOTIFY)
+ res = isctest.query.udp(msg, "10.53.0.2")
+ isctest.check.notimp(res)
+
+
+def test_query_class_none():
+ msg = isctest.query.create("example.", "A", qclass="NONE")
+ res = isctest.query.udp(msg, "10.53.0.2")
+ isctest.check.formerr(res)
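Review bot: In test_chaos_notify, `msg.set_opcode(dns.opcode.NOTIFY)` is immediately superseded by `msg.flags = dns.opcode.to_flags(dns.opcode.NOTIFY)`, which replaces the whole flags word. Either drop the first call or add a comment such as `# overwrite all header flags so only the NOTIFY opcode is set`. Separately, test_chaos_recursion and test_chaos_forward pass on any REFUSED, so they would presumably also pass if the server refused for an unrelated reason such as a view that failed to load. A one-line docstring per test naming the expected cause, e.g. `"""'recursion yes;' is overridden in a CH view, so a query needing recursion is REFUSED."""`, would make the intent checkable. The ns1 configuration also defines a built-in `version.bind` zone in the CH view that no test here queries; a NOERROR check against it would show that authoritative CH answers survive the recursion override.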
rcode(message, dns.rcode.SERVFAIL)
+def formerr(message: dns.message.Message) -> None:
+ rcode(message, dns.rcode.FORMERR)
+
+
def adflag(message: dns.message.Message) -> None:
assert (message.flags & dns.flags.AD) != 0, str(message)