test max records policy

bin/tests/system/nsupdate/clean.sh

@@ -60,3 +60,5 @@ rm -f update.out.*
 rm -f check.out.*
 rm -f update.out.*
 rm -f ns*/managed-keys.bind* ns*/*.mkeys*
+rm -f nextpart.out.*
+rm -f */named.run.prev

bin/tests/system/nsupdate/ns6/named.conf.in

@@ -34,5 +34,5 @@ controls {
 zone "in-addr.arpa" {
 	type master;
 	file "in-addr.db";
-	update-policy {	grant * tcp-self . PTR; };
+	update-policy {	grant * tcp-self . PTR(1) ANY(2) A; };
 };

bin/tests/system/nsupdate/tests.sh

@@ -1031,6 +1031,65 @@ grep "UPDATE, status: NOERROR" nsupdate.out-$n > /dev/null 2>&1 || ret=1
 grep "UPDATE, status: FORMERR" nsupdate.out-$n > /dev/null 2>&1 || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
+n=`expr $n + 1`
+ret=0
+echo_i "check that max records is enforced ($n)"
+nextpart ns6/named.run > /dev/null
+$NSUPDATE -v > nsupdate.out.$n 2>&1 << END
+server 10.53.0.6 ${PORT}
+local 10.53.0.5
+update del 5.0.53.10.in-addr.arpa.
+update add 5.0.53.10.in-addr.arpa. 600 PTR localhost.
+update add 5.0.53.10.in-addr.arpa. 600 PTR other.
+send
+END
+$DIG $DIGOPTS @10.53.0.6 \
+        +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+        -x 10.53.0.5 > dig.out.ns6.$n
+# the policy is 'grant * tcp-self . PTR(1) ANY(2) A;' so only the
+# first PTR record should be added.
+grep localhost. dig.out.ns6.$n > /dev/null 2>&1 || ret=1
+grep other. dig.out.ns6.$n > /dev/null 2>&1 && ret=1
+nextpart ns6/named.run > nextpart.out.$n
+grep "attempt to add more records than permitted by policy" nextpart.out.$n > /dev/null || ret=1
+if test $ret -ne 0
+then
+echo_i "failed"; status=1
+fi
+
+n=`expr $n + 1`
+ret=0
+echo_i "check that max records for ANY is enforced ($n)"
+nextpart ns6/named.run > /dev/null
+$NSUPDATE -v > nsupdate.out.$n 2>&1 << END
+server 10.53.0.6 ${PORT}
+local 10.53.0.5
+update del 5.0.53.10.in-addr.arpa.
+update add 5.0.53.10.in-addr.arpa. 600 A 1.2.3.4
+update add 5.0.53.10.in-addr.arpa. 600 A 1.2.3.3
+update add 5.0.53.10.in-addr.arpa. 600 A 1.2.3.2
+update add 5.0.53.10.in-addr.arpa. 600 AAAA ::ffff:1.2.3.4
+update add 5.0.53.10.in-addr.arpa. 600 AAAA ::ffff:1.2.3.3
+update add 5.0.53.10.in-addr.arpa. 600 AAAA ::ffff:1.2.3.2
+send
+END
+$DIG $DIGOPTS @10.53.0.6 \
+        +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+        ANY -x 10.53.0.5 > dig.out.ns6.test$n
+nextpart ns6/named.run > nextpart.out.test$n
+grep "attempt to add more records than permitted by policy" nextpart.out.test$n > /dev/null || ret=1
+# the policy is 'grant * tcp-self . PTR(1) ANY(2) A;' so all the A
+# records should have been added as there is no limit and the first 2
+# of the AAAA records added as they match ANY(2).
+c1=$(awk '$4 == "A" { print }' dig.out.ns6.test$n | wc -l)
+c2=$(awk '$4 == "AAAA" { print }' dig.out.ns6.test$n | wc -l)
+test "$c1" -eq 3 -a "$c2" -eq 2 || ret=1
+grep "::ffff:1.2.3.2" dig.out.ns6.test$n && ret=1
+if test $ret -ne 0
+then
+echo_i "failed"; status=1
+fi
+
 if $FEATURETEST --gssapi ; then
   n=`expr $n + 1`
   ret=0