Add a new check in the RPZ system test

Check that reloading a response policy zone which has an '$INCLUDE' directive defined is working as expected. (cherry picked from commit d81a2457d6)
2026-05-28 04:34:54 -04:00 · 2026-01-26 14:28:10 +00:00 · 2026-01-26 14:28:10 +00:00 · 074a152c4f
commit 074a152c4f
parent 0ae305c952
9 changed files with 71 additions and 0 deletions
--- a/bin/tests/system/rpz/ns2/tld2.db
+++ b/bin/tests/system/rpz/ns2/tld2.db
@ -123,3 +123,6 @@ a7-1		A	192.168.7.1

 a7-2		A	192.168.7.2
 		TXT	"a7-2 tld2 text"
+
+a8-1		A	192.168.8.1
+		TXT	"a8-1 tld2 text"
--- a/bin/tests/system/rpz/ns3/include-rpz.db.in
+++ b/bin/tests/system/rpz/ns3/include-rpz.db.in
@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+
+$INCLUDE include-rpz.inc
--- a/bin/tests/system/rpz/ns3/include-rpz.inc-1.in
+++ b/bin/tests/system/rpz/ns3/include-rpz.inc-1.in
@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		SOA	include-rpz.  hostmaster.ns.include-rpz. ( 1 3600 1200 604800 60 )
+	NS	ns.tld3.
--- a/bin/tests/system/rpz/ns3/include-rpz.inc-2.in
+++ b/bin/tests/system/rpz/ns3/include-rpz.inc-2.in
@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		SOA	include-rpz.  hostmaster.ns.include-rpz. ( 2 3600 1200 604800 60 )
+	NS	ns.tld3.
+
+a8-1.tld2	CNAME	.
--- a/bin/tests/system/rpz/ns3/named.conf.j2
+++ b/bin/tests/system/rpz/ns3/named.conf.j2
@ -53,6 +53,7 @@ options {
 	    zone "bl.tld2";
 	    zone "manual-update-rpz"	ede forged;
 	    zone "mixed-case-rpz";
+	    zone "include-rpz";
 	    zone "evil-cname"  policy cname a12.tld2. ede blocked;
 	    zone "wild-cname"  ede blocked;
 	    zone "slow-rpz";
@ -130,6 +131,12 @@ zone "mixed-case-rpz." {
 	notify no;
 };

+zone "include-rpz." {
+	type primary;
+	file "include-rpz.db";
+	notify no;
+};
+
 zone "slow-rpz." {
    type primary;
    file "slow-rpz.db";
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
@ -43,6 +43,9 @@ cp ns3/wild-cname.db.in ns3/wild-cname.db

 cp ns3/mixed-case-rpz-1.db.in ns3/mixed-case-rpz.db

+cp ns3/include-rpz.db.in ns3/include-rpz.db
+cp ns3/include-rpz.inc-1.in ns3/include-rpz.inc
+
 # a "big" zone (tested with '-T rpzslow' enabled to slow down loading)
 cp ns3/slow-rpz.db.in ns3/slow-rpz.db

--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@ -795,6 +795,16 @@ if [ native = "$MODE" ]; then
  $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t.after || setret "failed"
  grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.after >/dev/null || setret "failed"

+  t=$((t + 1))
+  echo_i "checking rpz with included rules can reload (${t})"
+  $DIG -p ${PORT} @$ns3 a8-1.tld2 >dig.out.$t.before || setret "failed"
+  grep "status: NOERROR" dig.out.$t.before >/dev/null || setret "failed"
+  cp ns3/include-rpz.inc-2.in ns3/include-rpz.inc
+  rndc_reload ns3 $ns3 include-rpz
+  sleep 1
+  $DIG -p ${PORT} @$ns3 a8-1.tld2 >dig.out.$t.after || setret "failed"
+  grep "status: NXDOMAIN" dig.out.$t.after >/dev/null || setret "failed"
+
  t=$((t + 1))
  echo_i "checking the default (unset) extended DNS error code (EDE) (${t})"
  $DIG -p ${PORT} @$ns3 a6-2.tld2. A >dig.out.$t || setret "failed"
--- a/bin/tests/system/rpz/tests_sh_rpz.py
+++ b/bin/tests/system/rpz/tests_sh_rpz.py
@ -39,6 +39,8 @@ pytestmark = pytest.mark.extra_artifacts(
        "ns3/bl.tld2.db",
        "ns3/evil-cname.db",
        "ns3/fast-expire.db",
+        "ns3/include-rpz.db",
+        "ns3/include-rpz.inc",
        "ns3/manual-update-rpz.db",
        "ns3/mixed-case-rpz.db",
        "ns3/named.conf.tmp",
--- a/bin/tests/system/rpz/tests_sh_rpz_dnsrps.py
+++ b/bin/tests/system/rpz/tests_sh_rpz_dnsrps.py
@ -43,6 +43,8 @@ pytestmark = [
            "ns3/bl.tld2.db",
            "ns3/evil-cname.db",
            "ns3/fast-expire.db",
+            "ns3/include-rpz.db",
+            "ns3/include-rpz.inc",
            "ns3/manual-update-rpz.db",
            "ns3/mixed-case-rpz.db",
            "ns3/named.conf.tmp",