From: Mark Andrews Date: Fri, 7 Jun 2024 03:28:48 +0000 (+1000) Subject: check 'update-policy 6to4-self' over IPv6 X-Git-Tag: v9.18.29~20^2 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=80a21e75b8c135a3eec3bc17510224ad30336622;p=thirdparty%2Fbind9.git check 'update-policy 6to4-self' over IPv6 (cherry picked from commit 3b0de4773bb0d485fbc079152e08a261718005d6)
---
diff --git a/bin/tests/system/ifconfig.sh.in b/bin/tests/system/ifconfig.sh.in
index 9b9acd5faaa..60dbf8b9e6c 100755
--- a/bin/tests/system/ifconfig.sh.in
+++ b/bin/tests/system/ifconfig.sh.in
@@ -20,6 +20,8 @@
 # IPv6: fd92:7065:b8e:ffff::{1..11} ULA
 # fd92:7065:b8e:99ff::{1..2}
 # fd92:7065:b8e:ff::{1..2}
+# fd92:7065:b8e:fffe::10.53.0.4
+# 2002:0a35:0007::1 6to4 for 10.53.0.7
 #
 # We also set the MTU on the 1500 bytes to match the default MTU on physical
 # interfaces, so we can properly test the cases with packets bigger than
@@ -240,7 +242,7 @@ sequence() (
 max=11
 case $1 in
 start | up | stop | down)
- for i in $(sequence 0 2); do
+ for i in $(sequence 0 4); do
 case $i in
 0) ipv6="ff" ;;
 1) ipv6="99" ;;
@@ -250,8 +252,23 @@ case $1 in
 for ns in $(sequence 1 $max); do
 [ $i -gt 0 -a $ns -gt 2 ] && break
 int=$((i * max + ns))
- a=10.53.$i.$ns
- aaaa=fd92:7065:b8e:${ipv6}ff::$ns
+ case $i in
+ 0 | 1 | 2)
+ [ $i -gt 0 -a $ns -gt 3 ] && break
+ a=10.53.$i.$ns
+ aaaa=fd92:7065:b8e:${ipv6}ff::$ns
+ ;;
+ 3)
+ [ $ns -ne 4 ] && continue
+ a=
+ aaaa=fd92:7065:b8e:fffe::10.53.0.$ns
+ ;;
+ 4)
+ [ $ns -ne 1 ] && continue
+ a=
+ aaaa=2002:0a35:0007::$ns
+ ;;
+ esac
 case "$1" in
 start | up) up ;;
 stop | down) down ;;
diff --git a/bin/tests/system/nsupdate/ns10/named.conf.in b/bin/tests/system/nsupdate/ns10/named.conf.in
index 6053924ef87..25ba1410f42 100644
--- a/bin/tests/system/nsupdate/ns10/named.conf.in
+++ b/bin/tests/system/nsupdate/ns10/named.conf.in
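Review bot: In the last hunk of bin/tests/system/ifconfig.sh.in the unchanged guard `[ $i -gt 0 -a $ns -gt 2 ] && break` still runs before the new `case $i in`, so for `i=3` the loop breaks at `ns=3` and the `3)` arm, which only acts on `ns=4`, is never reached. As written, fd92:7065:b8e:fffe::10.53.0.4 would not be configured by this script, although org.isc.bind.system in the same commit adds it unconditionally. The added `[ $i -gt 0 -a $ns -gt 3 ] && break` in the `0 | 1 | 2)` arm is unreachable for the same reason. Which limit is intended is not visible here; one option that keeps the old ranges is to restrict the outer guard, `[ $i -gt 0 -a $i -lt 3 -a $ns -gt 2 ] && break`. The enclosing `for`/`case` continues outside the hunk.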
@@ -19,6 +19,7 @@ options {
 pid-file "named.pid";
 session-keyfile "session.key";
 listen-on { 10.53.0.10; };
+ listen-on-v6 { none; };
 recursion no;
 notify yes;
 minimal-responses no;
diff --git a/bin/tests/system/nsupdate/ns5/named.conf.in b/bin/tests/system/nsupdate/ns5/named.conf.in
index e3c4d1b33d0..223abd925e7 100644
--- a/bin/tests/system/nsupdate/ns5/named.conf.in
+++ b/bin/tests/system/nsupdate/ns5/named.conf.in
@@ -19,6 +19,7 @@ options {
 pid-file "named.pid";
 session-keyfile "session.key";
 listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
 recursion no;
 notify yes;
 minimal-responses no;
diff --git a/bin/tests/system/nsupdate/ns6/named.conf.in b/bin/tests/system/nsupdate/ns6/named.conf.in
index 5ed16235462..e2950aa3b7e 100644
--- a/bin/tests/system/nsupdate/ns6/named.conf.in
+++ b/bin/tests/system/nsupdate/ns6/named.conf.in
@@ -15,10 +15,14 @@ options {
 query-source address 10.53.0.6;
 notify-source 10.53.0.6;
 transfer-source 10.53.0.6;
+ query-source-v6 address fd92:7065:b8e:ffff::6;
+ notify-source-v6 fd92:7065:b8e:ffff::6;
+ transfer-source-v6 fd92:7065:b8e:ffff::6;
 port @PORT@;
 pid-file "named.pid";
 session-keyfile "session.key";
 listen-on { 10.53.0.6; };
+ listen-on-v6 { fd92:7065:b8e:ffff::6; };
 recursion no;
 notify yes;
 minimal-responses no;
diff --git a/bin/tests/system/nsupdate/ns7/named1.conf.in b/bin/tests/system/nsupdate/ns7/named1.conf.in
index 28d2aeafd5a..0fcdcab7b2e 100644
--- a/bin/tests/system/nsupdate/ns7/named1.conf.in
+++ b/bin/tests/system/nsupdate/ns7/named1.conf.in
@@ -19,6 +19,7 @@ options {
 pid-file "named.pid";
 session-keyfile "session.key";
 listen-on { 10.53.0.7; };
+ listen-on-v6 { none; };
 recursion no;
 notify yes;
 minimal-responses no;
diff --git a/bin/tests/system/nsupdate/ns7/named2.conf.in b/bin/tests/system/nsupdate/ns7/named2.conf.in
index e5886e9acdd..8ef779b81c0 100644
--- a/bin/tests/system/nsupdate/ns7/named2.conf.in
+++ b/bin/tests/system/nsupdate/ns7/named2.conf.in
@@ -19,6 +19,7 @@ options {
 pid-file "named.pid";
 session-keyfile "session.key";
 listen-on { 10.53.0.7; };
+ listen-on-v6 { none; };
 recursion no;
 notify yes;
 minimal-responses no;
diff --git a/bin/tests/system/nsupdate/ns8/named.conf.in b/bin/tests/system/nsupdate/ns8/named.conf.in
index f69d3adacad..3d9913fc1f7 100644
--- a/bin/tests/system/nsupdate/ns8/named.conf.in
+++ b/bin/tests/system/nsupdate/ns8/named.conf.in
@@ -19,6 +19,7 @@ options {
 pid-file "named.pid";
 session-keyfile "session.key";
 listen-on { 10.53.0.8; };
+ listen-on-v6 { none; };
 recursion no;
 notify yes;
 minimal-responses no;
diff --git a/bin/tests/system/nsupdate/ns9/named.conf.in b/bin/tests/system/nsupdate/ns9/named.conf.in
index 79a1cb96295..a3d990cd2bb 100644
--- a/bin/tests/system/nsupdate/ns9/named.conf.in
+++ b/bin/tests/system/nsupdate/ns9/named.conf.in
@@ -19,6 +19,7 @@ options {
 pid-file "named.pid";
 session-keyfile "session.key";
 listen-on { 10.53.0.9; };
+ listen-on-v6 { none; };
 recursion no;
 notify yes;
 minimal-responses no;
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index 6ed09f6a79c..916f45bc18f 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -864,6 +864,48 @@ if test $ret -ne 0; then status=1 fi +n=$((n + 1)) +ret=0 +echo_i "check that 'update-policy 6to4-self' refuses update of records via UDP over IPv6 ($n)" +REVERSE_NAME=7.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa +$NSUPDATE >nsupdate.out.$n 2>&1 </dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @fd92:7065:b8e:ffff::6 \ + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + $REVERSE_NAME NS >dig.out.ns6.$n +grep localhost. dig.out.ns6.$n >/dev/null 2>&1 && ret=1 +if test $ret -ne 0; then + echo_i "failed" + status=1 +fi + +n=$((n + 1)) +echo_i "check that 'update-policy 6to4-self' permits update of records for the client's own address via TCP over IPv6 ($n)" +ret=0 +REVERSE_NAME=7.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa +$NSUPDATE -v >nsupdate.out.$n 2>&1 </dev/null 2>&1 && ret=1 +$DIG $DIGOPTS @fd92:7065:b8e:ffff::6 \ + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + $REVERSE_NAME NS >dig.out.ns6.$n || ret=1 +grep localhost. dig.out.ns6.$n >/dev/null 2>&1 || ret=1 +if test $ret -ne 0; then + echo_i "failed" + status=1 +fi + n=$((n + 1)) ret=0 echo_i "check that 'update-policy subdomain' is properly enforced ($n)" diff --git a/bin/tests/system/org.isc.bind.system b/bin/tests/system/org.isc.bind.system index 6c5a8cd4fe0..48a5756eaab 100644 --- a/bin/tests/system/org.isc.bind.system +++ b/bin/tests/system/org.isc.bind.system @@ -27,3 +27,5 @@ do ifup 1 99 $ns ifup 2 00 $ns done +/sbin/ifconfig lo0 inet6 fd92:7065:b8e:fffe::10.53.0.4 alias +/sbin/ifconfig lo0 inet6 2002:a35:7::1 alias
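Review bot: In the first test added to bin/tests/system/nsupdate/tests.sh (the "refuses update of records via UDP over IPv6" case) the `$DIG` call has no `|| ret=1`, unlike the TCP case below it, so the check passes whenever `localhost.` is absent from `dig.out.ns6.$n`, including when the query to fd92:7065:b8e:ffff::6 gets no reply at all. A test that asserts an update-policy refusal should not succeed because the server was unreachable; end the command with `$REVERSE_NAME NS >dig.out.ns6.$n || ret=1`. The `grep localhost.` pattern in both tests leaves the dot unescaped, and `grep -F localhost.` would match it literally. The nsupdate here-documents of both tests are not legible on this page, so the update commands themselves are not reviewed here.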