From 04da28bdff25727fa3c475a6cbfe695aa1918b28 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 4 Jul 2019 15:58:13 +1000
Subject: [PATCH] test max records policy

---
 bin/tests/system/nsupdate/clean.sh | 2 +
 bin/tests/system/nsupdate/ns6/named.conf.in | 2 +-
 bin/tests/system/nsupdate/tests.sh | 59 +++++++++++++++++++++
 3 files changed, 62 insertions(+), 1 deletion(-)

diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh
index ef5ec56e655..9b8af4a7ff0 100644
--- a/bin/tests/system/nsupdate/clean.sh
+++ b/bin/tests/system/nsupdate/clean.sh
@@ -60,3 +60,5 @@ rm -f update.out.*
 rm -f check.out.*
 rm -f update.out.*
 rm -f ns*/managed-keys.bind* ns*/*.mkeys*
+rm -f nextpart.out.*
+rm -f */named.run.prev
diff --git a/bin/tests/system/nsupdate/ns6/named.conf.in b/bin/tests/system/nsupdate/ns6/named.conf.in
index da64d061e42..b4ec11a3262 100644
--- a/bin/tests/system/nsupdate/ns6/named.conf.in
+++ b/bin/tests/system/nsupdate/ns6/named.conf.in
@@ -34,5 +34,5 @@ controls {
 zone "in-addr.arpa" {
 type master;
 file "in-addr.db";
- update-policy { grant * tcp-self . PTR; };
+ update-policy { grant * tcp-self . PTR(1) ANY(2) A; };
 };
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index 1cbe04b15e7..4c5b7391131 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
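Review bot: The new `update-policy` line is the fixture the two tests added in tests.sh depend on, yet nothing in the config records what the per-type counts are meant to allow, so a reader of ns6/named.conf.in alone cannot tell why the grant has three differently-limited types. A one-line comment above it would keep the fixture self-explaining, e.g. `// PTR(1): at most one PTR; ANY(2): at most two of any other type; A: no limit`, which is the reading the comments in tests.sh give. If the semantics of `ANY(n)` as "types not named explicitly" is not the documented meaning, word the comment to match the documentation rather than the test's expectation.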
@@ -1031,6 +1031,65 @@ grep "UPDATE, status: NOERROR" nsupdate.out-$n > /dev/null 2>&1 || ret=1
 grep "UPDATE, status: FORMERR" nsupdate.out-$n > /dev/null 2>&1 || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
+n=`expr $n + 1`
+ret=0
+echo_i "check that max records is enforced ($n)"
+nextpart ns6/named.run > /dev/null
+$NSUPDATE -v > nsupdate.out.$n 2>&1 << END
+server 10.53.0.6 ${PORT}
+local 10.53.0.5
+update del 5.0.53.10.in-addr.arpa.
+update add 5.0.53.10.in-addr.arpa. 600 PTR localhost.
+update add 5.0.53.10.in-addr.arpa. 600 PTR other.
+send
+END
+$DIG $DIGOPTS @10.53.0.6 \
+ +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+ -x 10.53.0.5 > dig.out.ns6.$n
+# the policy is 'grant * tcp-self . PTR(1) ANY(2) A;' so only the
+# first PTR record should be added.
+grep localhost. dig.out.ns6.$n > /dev/null 2>&1 || ret=1
+grep other. dig.out.ns6.$n > /dev/null 2>&1 && ret=1
+nextpart ns6/named.run > nextpart.out.$n
+grep "attempt to add more records than permitted by policy" nextpart.out.$n > /dev/null || ret=1
+if test $ret -ne 0
+then
+echo_i "failed"; status=1
+fi
+
+n=`expr $n + 1`
+ret=0
+echo_i "check that max records for ANY is enforced ($n)"
+nextpart ns6/named.run > /dev/null
+$NSUPDATE -v > nsupdate.out.$n 2>&1 << END
+server 10.53.0.6 ${PORT}
+local 10.53.0.5
+update del 5.0.53.10.in-addr.arpa.
+update add 5.0.53.10.in-addr.arpa. 600 A 1.2.3.4
+update add 5.0.53.10.in-addr.arpa. 600 A 1.2.3.3
+update add 5.0.53.10.in-addr.arpa. 600 A 1.2.3.2
+update add 5.0.53.10.in-addr.arpa. 600 AAAA ::ffff:1.2.3.4
+update add 5.0.53.10.in-addr.arpa. 600 AAAA ::ffff:1.2.3.3
+update add 5.0.53.10.in-addr.arpa. 600 AAAA ::ffff:1.2.3.2
+send
+END
+$DIG $DIGOPTS @10.53.0.6 \
+ +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+ ANY -x 10.53.0.5 > dig.out.ns6.test$n
+nextpart ns6/named.run > nextpart.out.test$n
+grep "attempt to add more records than permitted by policy" nextpart.out.test$n > /dev/null || ret=1
+# the policy is 'grant * tcp-self . PTR(1) ANY(2) A;' so all the A
+# records should have been added as there is no limit and the first 2
+# of the AAAA records added as they match ANY(2).
+c1=$(awk '$4 == "A" { print }' dig.out.ns6.test$n | wc -l)
+c2=$(awk '$4 == "AAAA" { print }' dig.out.ns6.test$n | wc -l)
+test "$c1" -eq 3 -a "$c2" -eq 2 || ret=1
+grep "::ffff:1.2.3.2" dig.out.ns6.test$n && ret=1
+if test $ret -ne 0
+then
+echo_i "failed"; status=1
+fi
+
 if $FEATURETEST --gssapi ; then
 n=`expr $n + 1`
 ret=0
-- 
2.47.3
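Review bot: The result checks in both new blocks use a four-line `if test $ret -ne 0` / `then` / `echo_i "failed"; status=1` / `fi`, whereas the surrounding file (the context line `[ $ret = 0 ] || { echo_i "failed"; status=1; }` just above the insertion) uses the one-liner, so keeping the established form would make the new blocks read like their neighbours. The two blocks also name their outputs differently (`nsupdate.out.$n`, `dig.out.ns6.$n`, `nextpart.out.$n` in the first; `dig.out.ns6.test$n`, `nextpart.out.test$n` in the second); the `rm -f nextpart.out.*` added to clean.sh covers both nextpart spellings, but whether `dig.out.ns6.test*` is cleaned is not visible here. The last check, `grep "::ffff:1.2.3.2" dig.out.ns6.test$n && ret=1`, lacks the `> /dev/null 2>&1` every other grep has, so a regression prints the matched line into the test log; `grep -F -- "::ffff:1.2.3.2" dig.out.ns6.test$n > /dev/null 2>&1 && ret=1`. The unescaped dots in `grep localhost.`, `grep other.` and that pattern match any character, and `test "$c1" -eq 3 -a "$c2" -eq 2` relies on the deprecated `-a`; `grep -F` for the literals and `[ "$c1" -eq 3 ] && [ "$c2" -eq 2 ] || ret=1` are the tighter forms. The script continues outside the hunk on both sides.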