upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-11 11:09:59 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge branch 'tkrizek/split-up-dnsrps-test-cases' into 'main'

Browse source 
Split up the dnsrps and native variants of rpz system tests

See merge request isc-projects/bind9!8420
This commit is contained in:
Tom Krizek 2024-01-18 15:09:06 +00:00
commit 19ccf59eeb
9 changed files with 950 additions and 1163 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

89
bin/tests/system/ckdnsrps.sh
View file

@ -1,89 +0,0 @@
#!/bin/sh
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
set -e
# Say on stdout whether to test DNSRPS
# and creates dnsrps.conf
# Note that dnsrps.conf is included in named.conf
# and differs from dnsrpz.conf which is used by dnsrpzd.
. ../conf.sh
DNSRPS_CMD=../rpz/dnsrps
AS_NS=
TEST_DNSRPS=
MCONF=dnsrps.conf
USAGE="$0: [-xAD] [-M dnsrps.conf]"
while getopts "xADM:S:" c; do
case $c in
x)
set -x
DEBUG=-x
;;
A) AS_NS=yes ;;
D) TEST_DNSRPS=yes ;;
M) MCONF="$OPTARG" ;;
*)
echo "$USAGE" 1>&2
exit 1
;;
esac
done
shift $(expr $OPTIND - 1 || true)
if [ "$#" -ne 0 ]; then
echo "$USAGE" 1>&2
exit 1
fi
# erase any existing conf files
cat /dev/null >$MCONF
add_conf() {
echo "$*" >>$MCONF
}
if ! $FEATURETEST --enable-dnsrps; then
if [ -n "$TEST_DNSRPS" ]; then
add_conf "## DNSRPS disabled at compile time"
fi
add_conf "#skip"
exit 0
fi
if [ -z "$TEST_DNSRPS" ]; then
add_conf "## testing with native RPZ"
add_conf '#skip'
exit 0
else
add_conf "## testing with DNSRPS"
fi
if [ ! -x "$DNSRPS_CMD" ]; then
add_conf "## make $DNSRPS_CMD to test DNSRPS"
add_conf '#skip'
exit 0
fi
if $DNSRPS_CMD -a >/dev/null; then
:
else
add_conf "## DNSRPS provider library is not available"
add_conf '#skip'
exit 0
fi
add_conf 'dnsrps-options { log-level 3 };'
add_conf 'dnsrps-enable yes;'
add_conf 'dnsrps-library "../../rpz/testlib/.libs/libdummyrpz.so";'

18
bin/tests/system/isctest/mark.py
View file

@ -12,6 +12,7 @@
# information regarding copyright ownership.
import os
from pathlib import Path
import subprocess
import pytest
@ -33,6 +34,19 @@ def feature_test(feature):
return True
DNSRPS_BIN = Path(os.environ["TOP_BUILDDIR"]) / "bin/tests/system/rpz/dnsrps"
def is_dnsrps_available():
if not feature_test("--enable-dnsrps"):
return False
try:
subprocess.run([DNSRPS_BIN, "-a"], check=True)
except subprocess.CalledProcessError:
return False
return True
have_libxml2 = pytest.mark.skipif(
not feature_test("--have-libxml2"), reason="libxml2 support disabled in the build"
)
@ -41,6 +55,10 @@ have_json_c = pytest.mark.skipif(
not feature_test("--have-json-c"), reason="json-c support disabled in the build"
)
dnsrps_enabled = pytest.mark.skipif(
not is_dnsrps_available(), reason="dnsrps disabled in the build"
)
try:
import flaky as flaky_pkg # type: ignore

45
bin/tests/system/rpz/clean.sh
View file

@ -11,29 +11,6 @@
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# Clean up after rpz tests.
USAGE="$0: [-Px]"
DEBUG=
while getopts "Px" c; do
case $c in
x) set -x ;;
P) PARTIAL=set ;;
*)
echo "$USAGE" 1>&2
exit 1
;;
esac
done
shift $((OPTIND - 1))
if test "$#" -ne 0; then
echo "$USAGE" 1>&2
exit 1
fi
# this might be called from setup.sh to partially clean up the files
# from the first test pass so the second pass can be set up correctly.
# remove those files first, then decide whether to remove the others.
rm -f ns*/*.key ns*/*.private
rm -f ns2/tld2s.db */bl.tld2.db */bl.tld2s.db
rm -f ns3/bl*.db ns3/fast-expire.db ns*/empty.db
@ -44,15 +21,13 @@ rm -f ns8/manual-update-rpz.db
rm -f */policy2.db
rm -f */*.jnl
rm -f dnsrps.cache dnsrps.conf
if [ ${PARTIAL:-unset} = unset ]; then
rm -f proto.* dsset-* trusted.conf dig.out* nsupdate.tmp ns*/*tmp
rm -f ns5/requests ns5/*.perf
rm -f */named.memstats */*.run */*.run.prev */named.stats */session.key
rm -f */*.log */*core */*.pid
rm -f ns*/named.conf
rm -f ns*/*switch
rm -f dnsrps.zones
rm -f ns*/managed-keys.bind*
rm -f tmp
fi
rm -f proto.* dsset-* trusted.conf dig.out* nsupdate.tmp ns*/*tmp
rm -f ns5/requests ns5/*.perf
rm -f */named.memstats */*.run */*.run.prev */named.stats */session.key
rm -f */*.log */*core */*.pid
rm -f ns*/named.lock
rm -f ns*/named.conf
rm -f ns*/*switch
rm -f dnsrps.zones
rm -f ns*/managed-keys.bind*
rm -f tmp

31
bin/tests/system/rpz/setup.sh
View file

@ -19,31 +19,7 @@ set -e
QPERF=$($SHELL qperf.sh)
USAGE="$0: [-DNx]"
DEBUG=
while getopts "DNx" c; do
case $c in
x)
set -x
DEBUG=-x
;;
D) TEST_DNSRPS="-D" ;;
N) PARTIAL=-P ;;
*)
echo "$USAGE" 1>&2
exit 1
;;
esac
done
shift $((OPTIND - 1))
if test "$#" -ne 0; then
echo "$USAGE" 1>&2
exit 1
fi
if [ ${NOCLEAN:-unset} = unset ]; then
$SHELL clean.sh $PARTIAL $DEBUG
fi
$SHELL clean.sh
for dir in ns*; do
touch $dir/named.run
@ -63,10 +39,7 @@ copy_setports ns10/named.conf.in ns10/named.conf
copy_setports dnsrps.zones.in dnsrps.zones
# decide whether to test DNSRPS
# Note that dnsrps.conf is included in named.conf
$SHELL ../ckdnsrps.sh $TEST_DNSRPS $DEBUG
test -z "$(grep 'testing with DNSRPS' dnsrps.conf)" && TEST_DNSRPS=
touch dnsrps.conf
touch dnsrps.cache
# set up test policy zones.

996
bin/tests/system/rpz/tests.sh
View file

File diff suppressed because it is too large Load diff

26
bin/tests/system/rpz/tests_sh_rpz_dnsrps.py Normal file
View file

@ -0,0 +1,26 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
import isctest.mark
pytestmark = isctest.mark.dnsrps_enabled
def test_rpz_dnsrps(run_tests_sh):
with open("dnsrps.conf", "w", encoding="utf-8") as conf:
conf.writelines(
[
"dnsrps-options { log-level 3 };"
"dnsrps-enable yes;"
'dnsrps-library "../../rpz/testlib/.libs/libdummyrpz.so";'
]
)
run_tests_sh()

28
bin/tests/system/rpzrecurse/setup.sh
View file

@ -17,29 +17,7 @@ set -e
. ../conf.sh
USAGE="$0: [-DNx]"
DEBUG=
while getopts "DNx" c; do
case $c in
x)
set -x
DEBUG=-x
;;
D) TEST_DNSRPS="-D" ;;
N) NOCLEAN=set ;;
*)
echo "$USAGE" 1>&2
exit 1
;;
esac
done
shift $((OPTIND - 1))
if test "$#" -ne 0; then
echo "$USAGE" 1>&2
exit 1
fi
[ ${NOCLEAN:-unset} = unset ] && $SHELL clean.sh $DEBUG
$SHELL clean.sh
$PERL testgen.pl
@ -52,9 +30,7 @@ copy_setports ns3/named1.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
# decide whether to test DNSRPS
$SHELL ../ckdnsrps.sh $TEST_DNSRPS $DEBUG
test -z "$(grep 'dnsrps-enable yes' dnsrps.conf)" && TEST_DNSRPS=
touch dnsrps.conf
touch dnsrps.cache
# setup policy zones for a 64-zone test

854
bin/tests/system/rpzrecurse/tests.sh
View file

@ -23,17 +23,16 @@ status=0
t=0
export DNSRPS_TEST_UPDATE_FILE=$(pwd)/dnsrps.cache
DEBUG=
ARGS=
if grep 'dnsrps-enable yes;' dnsrps.conf >/dev/null; then
MODE=dnsrps
else
MODE=native
fi
USAGE="$0: [-xS]"
while getopts "xS:" c; do
USAGE="$0: [-S]"
while getopts "S:" c; do
case $c in
x)
set -x
DEBUG=-x
ARGS="$ARGS -x"
;;
S)
SAVE_RESULTS=-S
ARGS="$ARGS -S"
@ -136,456 +135,401 @@ add_test_marker() {
done
}
native=0
dnsrps=0
for mode in native dnsrps; do
status=0
case $mode in
native)
if [ -e dnsrps-only ]; then
echo_i "'dnsrps-only' found: skipping native RPZ sub-test"
continue
else
echo_i "running native RPZ sub-test"
fi
;;
dnsrps)
if [ -e dnsrps-off ]; then
echo_i "'dnsrps-off' found: skipping DNSRPS sub-test"
continue
fi
echo_i "attempting to configure servers with DNSRPS..."
stop_server --use-rndc --port ${CONTROLPORT}
$SHELL ./setup.sh -N -D $DEBUG
sed -n 's/^## //p' dnsrps.conf | cat_i
if grep '^#fail' dnsrps.conf >/dev/null; then
echo_i "exit status: 1"
exit 1
fi
if grep '^#skip' dnsrps.conf >/dev/null; then
echo_i "DNSRPS sub-test skipped"
continue
else
echo_i "running DNSRPS sub-test"
start_server --noclean --restart --port ${PORT}
sleep 3
fi
;;
esac
t=$((t + 1))
echo_i "testing that l1.l0 exists without RPZ (${t})"
add_test_marker 10.53.0.2
$DIG $DIGOPTS l1.l0 ns @10.53.0.2 -p ${PORT} >dig.out.${t}
grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test ${t} failed"
status=1
}
# show whether and why DNSRPS is enabled or disabled
sed -n 's/^## //p' dnsrps.conf | cat_i
t=$((t + 1))
echo_i "testing that l2.l1.l0 returns SERVFAIL without RPZ (${t})"
add_test_marker 10.53.0.2
$DIG $DIGOPTS l2.l1.l0 ns @10.53.0.2 -p ${PORT} >dig.out.${t}
grep "status: SERVFAIL" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test ${t} failed"
status=1
}
t=$((t + 1))
echo_i "testing that l1.l0 exists without RPZ (${t})"
add_test_marker 10.53.0.2
$DIG $DIGOPTS l1.l0 ns @10.53.0.2 -p ${PORT} >dig.out.${t}
grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test ${t} failed"
status=1
}
# Group 1
run_server 1a
expect_norecurse 1a 1
run_server 1b
expect_norecurse 1b 1
expect_recurse 1b 2
run_server 1c
expect_norecurse 1c 1
t=$((t + 1))
echo_i "testing that l2.l1.l0 returns SERVFAIL without RPZ (${t})"
add_test_marker 10.53.0.2
$DIG $DIGOPTS l2.l1.l0 ns @10.53.0.2 -p ${PORT} >dig.out.${t}
grep "status: SERVFAIL" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test ${t} failed"
status=1
}
# Group 1
run_server 1a
expect_norecurse 1a 1
run_server 1b
expect_norecurse 1b 1
expect_recurse 1b 2
run_server 1c
expect_norecurse 1c 1
# Group 2
run_server 2a
for n in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \
21 22 23 24 25 26 27 28 29 30 31 32; do
expect_norecurse 2a $n
done
expect_recurse 2a 33
# Group 3
run_server 3a
expect_recurse 3a 1
run_server 3b
expect_recurse 3b 1
run_server 3c
expect_recurse 3c 1
run_server 3d
expect_norecurse 3d 1
expect_recurse 3d 2
run_server 3e
expect_norecurse 3e 1
expect_recurse 3e 2
run_server 3f
expect_norecurse 3f 1
expect_recurse 3f 2
# Group 4
testlist="aa ap bf"
values="1 16 32"
# Uncomment the following to test every skip value instead of
# only a sample of values
#
#testlist="aa ab ac ad ae af ag ah ai aj ak al am an ao ap \
# aq ar as at au av aw ax ay az ba bb bc bd be bf"
#values="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \
# 21 22 23 24 25 26 27 28 29 30 31 32"
set -- $values
for n in $testlist; do
run_server 4$n
ni=$1
t=$((t + 1))
echo_i "testing that ${ni} of 33 queries skip recursion (${t})"
add_test_marker 10.53.0.2
c=0
for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 \
17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33; do
run_query 4$n $i || c=$((c + 1))
done
skipped=$((33 - c))
if [ $skipped != $ni ]; then
echo_i "test $t failed (actual=$skipped, expected=$ni)"
status=1
fi
shift
done
# Group 5
run_server 5a
expect_norecurse 5a 1
expect_norecurse 5a 2
expect_recurse 5a 3
expect_recurse 5a 4
expect_recurse 5a 5
expect_recurse 5a 6
# Group 6
echo_i "check recursive behavior consistency during policy update races"
run_server 6a
sleep 1
t=$((t + 1))
echo_i "running dig to cache CNAME record (${t})"
add_test_marker 10.53.0.1 10.53.0.2
$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME >dig.out.${t}
sleep 1
echo_i "suspending authority server"
PID=$(cat ns1/named.pid)
kill -STOP $PID
echo_i "adding an NSDNAME policy"
cp ns2/db.6a.00.policy.local ns2/saved.policy.local
cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local
$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
sleep 1
t=$((t + 1))
echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})"
add_test_marker 10.53.0.2
$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 >dig.out.${t} &
sleep 1
echo_i "removing the NSDNAME policy"
cp ns2/db.6c.00.policy.local ns2/db.6a.00.policy.local
$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
sleep 1
echo_i "resuming authority server"
PID=$(cat ns1/named.pid)
kill -CONT $PID
add_test_marker 10.53.0.1
for n in 1 2 3 4 5 6 7 8 9; do
sleep 1
[ -s dig.out.${t} ] || continue
grep "status: .*," dig.out.${t} >/dev/null 2>&1 && break
done
grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test ${t} failed"
status=1
}
echo_i "check recursive behavior consistency during policy removal races"
cp ns2/saved.policy.local ns2/db.6a.00.policy.local
run_server 6a
sleep 1
t=$((t + 1))
echo_i "running dig to cache CNAME record (${t})"
add_test_marker 10.53.0.1 10.53.0.2
$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME >dig.out.${t}
sleep 1
echo_i "suspending authority server"
PID=$(cat ns1/named.pid)
kill -STOP $PID
echo_i "adding an NSDNAME policy"
cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local
$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
sleep 1
t=$((t + 1))
echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})"
add_test_marker 10.53.0.2
$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 >dig.out.${t} &
sleep 1
echo_i "removing the policy zone"
cp ns2/named.default.conf ns2/named.conf
rndc_reconfig ns2 10.53.0.2
test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
sleep 1
echo_i "resuming authority server"
PID=$(cat ns1/named.pid)
kill -CONT $PID
add_test_marker 10.53.0.1
for n in 1 2 3 4 5 6 7 8 9; do
sleep 1
[ -s dig.out.${t} ] || continue
grep "status: .*," dig.out.${t} >/dev/null 2>&1 && break
done
grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test ${t} failed"
status=1
}
# Check maximum number of RPZ zones (64)
t=$((t + 1))
echo_i "testing maximum number of RPZ zones (${t})"
add_test_marker 10.53.0.2
run_server max
i=1
while test $i -le 64; do
$DIG $DIGOPTS name$i a @10.53.0.2 -p ${PORT} -b 10.53.0.1 >dig.out.${t}.${i}
grep "^name$i.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.$i" dig.out.${t}.${i} >/dev/null 2>&1 || {
echo_i "test $t failed: didn't get expected answer from policy zone $i"
status=1
}
i=$((i + 1))
done
# Check CLIENT-IP behavior
t=$((t + 1))
echo_i "testing CLIENT-IP behavior (${t})"
add_test_marker 10.53.0.2
run_server clientip
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}
grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed: query failed"
status=1
}
grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.2" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed: didn't get expected answer"
status=1
}
# Check CLIENT-IP behavior #2
t=$((t + 1))
echo_i "testing CLIENT-IP behavior #2 (${t})"
add_test_marker 10.53.0.2
run_server clientip2
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.1 >dig.out.${t}.1
grep "status: SERVFAIL" dig.out.${t}.1 >/dev/null 2>&1 || {
echo_i "test $t failed: query failed"
status=1
}
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >dig.out.${t}.2
grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null 2>&1 || {
echo_i "test $t failed: query failed"
status=1
}
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >dig.out.${t}.3
grep "status: NOERROR" dig.out.${t}.3 >/dev/null 2>&1 || {
echo_i "test $t failed: query failed"
status=1
}
grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.1" dig.out.${t}.3 >/dev/null 2>&1 || {
echo_i "test $t failed: didn't get expected answer"
status=1
}
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}.4
grep "status: SERVFAIL" dig.out.${t}.4 >/dev/null 2>&1 || {
echo_i "test $t failed: query failed"
status=1
}
# Check RPZ log clause
t=$((t + 1))
echo_i "testing RPZ log clause (${t})"
add_test_marker 10.53.0.2
run_server log
cur=$(awk 'BEGIN {l=0} /^/ {l++} END { print l }' ns2/named.run)
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >>dig.out.${t}
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >>dig.out.${t}
sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.4.0.53.10.rpz-client-ip.log1" >/dev/null && {
echo_ic "failed: unexpected rewrite message for policy zone log1 was logged"
status=1
}
sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.3.0.53.10.rpz-client-ip.log2" >/dev/null || {
echo_ic "failed: expected rewrite message for policy zone log2 was not logged"
status=1
}
sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.2.0.53.10.rpz-client-ip.log3" >/dev/null || {
echo_ic "failed: expected rewrite message for policy zone log3 was not logged"
status=1
}
# Check wildcard behavior
t=$((t + 1))
echo_i "testing wildcard behavior with 1 RPZ zone (${t})"
add_test_marker 10.53.0.2
run_server wildcard1
$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
t=$((t + 1))
echo_i "testing wildcard behavior with 2 RPZ zones (${t})"
add_test_marker 10.53.0.2
run_server wildcard2
$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
t=$((t + 1))
echo_i "testing wildcard behavior with 1 RPZ zone and no non-wildcard triggers (${t})"
add_test_marker 10.53.0.2
run_server wildcard3
$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
grep "status: NOERROR" dig.out.${t}.2 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
t=$((t + 1))
echo_i "testing wildcard passthru before explicit drop (${t})"
add_test_marker 10.53.0.2
run_server wildcard4
$DIG $DIGOPTS example.com a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
grep "status: NOERROR" dig.out.${t}.1 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
$DIG $DIGOPTS www.example.com a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
grep "status: NOERROR" dig.out.${t}.2 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
if [ "$mode" = "native" ]; then
# Check for invalid prefix length error
t=$((t + 1))
echo_i "testing for invalid prefix length error (${t})"
add_test_marker 10.53.0.2
run_server invalidprefixlength
grep "invalid rpz IP address \"1000.4.0.53.10.rpz-client-ip.invalidprefixlength\"; invalid prefix length of 1000$" ns2/named.run >/dev/null || {
echo_ic "failed: expected that invalid prefix length error would be logged"
status=1
}
fi
if [ "$mode" = "native" ]; then
t=$((t + 1))
echo_i "checking 'nsip-wait-recurse no' is faster than 'nsip-wait-recurse yes' ($t)"
add_test_marker 10.53.0.2 10.53.0.3
echo_i "timing 'nsip-wait-recurse yes' (default)"
produce_librpz_rules ns3 policy policy
ret=0
t1=$($PERL -e 'print time()."\n";')
$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.yes.$t
t2=$($PERL -e 'print time()."\n";')
p1=$((t2 - t1))
echo_i "elapsed time $p1 seconds"
$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
copy_setports ns3/named2.conf.in ns3/named.conf
nextpart ns3/named.run >/dev/null
$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
echo_i "timing 'nsip-wait-recurse no'"
echo "update zone policy 0 no_nsip_wait_recurse" >$DNSRPS_TEST_UPDATE_FILE
t3=$($PERL -e 'print time()."\n";')
$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.no.$t
t4=$($PERL -e 'print time()."\n";')
p2=$((t4 - t3))
echo_i "elapsed time $p2 seconds"
if test $p1 -le $p2; then ret=1; fi
if test $ret != 0; then echo_i "failed"; fi
status=$((status + ret))
$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
# restore original named.conf
copy_setports ns3/named1.conf.in ns3/named.conf
nextpart ns3/named.run >/dev/null
$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
t=$((t + 1))
echo_i "checking 'nsdname-wait-recurse no' is faster than 'nsdname-wait-recurse yes' ($t)"
add_test_marker 10.53.0.2 10.53.0.3
echo_i "timing 'nsdname-wait-recurse yes' (default)"
ret=0
t1=$($PERL -e 'print time()."\n";')
$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.yes.$t
t2=$($PERL -e 'print time()."\n";')
p1=$((t2 - t1))
echo_i "elapsed time $p1 seconds"
$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
copy_setports ns3/named3.conf.in ns3/named.conf
nextpart ns3/named.run >/dev/null
$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
echo_i "timing 'nsdname-wait-recurse no'"
t3=$($PERL -e 'print time()."\n";')
$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.no.$t
t4=$($PERL -e 'print time()."\n";')
p2=$((t4 - t3))
echo_i "elapsed time $p2 seconds"
if test $p1 -le $p2; then ret=1; fi
if test $ret != 0; then echo_i "failed"; fi
status=$((status + ret))
fi
[ $status -ne 0 ] && pf=fail || pf=pass
case $mode in
native)
native=$status
echo_i "status (native RPZ sub-test): $status ($pf)"
;;
dnsrps)
dnsrps=$status
echo_i "status (DNSRPS sub-test): $status ($pf)"
;;
*) echo_i "invalid test mode" ;;
esac
# Group 2
run_server 2a
for n in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \
21 22 23 24 25 26 27 28 29 30 31 32; do
expect_norecurse 2a $n
done
status=$((native + dnsrps))
expect_recurse 2a 33
# Group 3
run_server 3a
expect_recurse 3a 1
run_server 3b
expect_recurse 3b 1
run_server 3c
expect_recurse 3c 1
run_server 3d
expect_norecurse 3d 1
expect_recurse 3d 2
run_server 3e
expect_norecurse 3e 1
expect_recurse 3e 2
run_server 3f
expect_norecurse 3f 1
expect_recurse 3f 2
# Group 4
testlist="aa ap bf"
values="1 16 32"
# Uncomment the following to test every skip value instead of
# only a sample of values
#
#testlist="aa ab ac ad ae af ag ah ai aj ak al am an ao ap \
# aq ar as at au av aw ax ay az ba bb bc bd be bf"
#values="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \
# 21 22 23 24 25 26 27 28 29 30 31 32"
set -- $values
for n in $testlist; do
run_server 4$n
ni=$1
t=$((t + 1))
echo_i "testing that ${ni} of 33 queries skip recursion (${t})"
add_test_marker 10.53.0.2
c=0
for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 \
17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33; do
run_query 4$n $i || c=$((c + 1))
done
skipped=$((33 - c))
if [ $skipped != $ni ]; then
echo_i "test $t failed (actual=$skipped, expected=$ni)"
status=1
fi
shift
done
# Group 5
run_server 5a
expect_norecurse 5a 1
expect_norecurse 5a 2
expect_recurse 5a 3
expect_recurse 5a 4
expect_recurse 5a 5
expect_recurse 5a 6
# Group 6
echo_i "check recursive behavior consistency during policy update races"
run_server 6a
sleep 1
t=$((t + 1))
echo_i "running dig to cache CNAME record (${t})"
add_test_marker 10.53.0.1 10.53.0.2
$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME >dig.out.${t}
sleep 1
echo_i "suspending authority server"
PID=$(cat ns1/named.pid)
kill -STOP $PID
echo_i "adding an NSDNAME policy"
cp ns2/db.6a.00.policy.local ns2/saved.policy.local
cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local
$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
sleep 1
t=$((t + 1))
echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})"
add_test_marker 10.53.0.2
$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 >dig.out.${t} &
sleep 1
echo_i "removing the NSDNAME policy"
cp ns2/db.6c.00.policy.local ns2/db.6a.00.policy.local
$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
sleep 1
echo_i "resuming authority server"
PID=$(cat ns1/named.pid)
kill -CONT $PID
add_test_marker 10.53.0.1
for n in 1 2 3 4 5 6 7 8 9; do
sleep 1
[ -s dig.out.${t} ] || continue
grep "status: .*," dig.out.${t} >/dev/null 2>&1 && break
done
grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test ${t} failed"
status=1
}
echo_i "check recursive behavior consistency during policy removal races"
cp ns2/saved.policy.local ns2/db.6a.00.policy.local
run_server 6a
sleep 1
t=$((t + 1))
echo_i "running dig to cache CNAME record (${t})"
add_test_marker 10.53.0.1 10.53.0.2
$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME >dig.out.${t}
sleep 1
echo_i "suspending authority server"
PID=$(cat ns1/named.pid)
kill -STOP $PID
echo_i "adding an NSDNAME policy"
cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local
$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
sleep 1
t=$((t + 1))
echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})"
add_test_marker 10.53.0.2
$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 >dig.out.${t} &
sleep 1
echo_i "removing the policy zone"
cp ns2/named.default.conf ns2/named.conf
rndc_reconfig ns2 10.53.0.2
test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
sleep 1
echo_i "resuming authority server"
PID=$(cat ns1/named.pid)
kill -CONT $PID
add_test_marker 10.53.0.1
for n in 1 2 3 4 5 6 7 8 9; do
sleep 1
[ -s dig.out.${t} ] || continue
grep "status: .*," dig.out.${t} >/dev/null 2>&1 && break
done
grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test ${t} failed"
status=1
}
# Check maximum number of RPZ zones (64)
t=$((t + 1))
echo_i "testing maximum number of RPZ zones (${t})"
add_test_marker 10.53.0.2
run_server max
i=1
while test $i -le 64; do
$DIG $DIGOPTS name$i a @10.53.0.2 -p ${PORT} -b 10.53.0.1 >dig.out.${t}.${i}
grep "^name$i.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.$i" dig.out.${t}.${i} >/dev/null 2>&1 || {
echo_i "test $t failed: didn't get expected answer from policy zone $i"
status=1
}
i=$((i + 1))
done
# Check CLIENT-IP behavior
t=$((t + 1))
echo_i "testing CLIENT-IP behavior (${t})"
add_test_marker 10.53.0.2
run_server clientip
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}
grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed: query failed"
status=1
}
grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.2" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed: didn't get expected answer"
status=1
}
# Check CLIENT-IP behavior #2
t=$((t + 1))
echo_i "testing CLIENT-IP behavior #2 (${t})"
add_test_marker 10.53.0.2
run_server clientip2
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.1 >dig.out.${t}.1
grep "status: SERVFAIL" dig.out.${t}.1 >/dev/null 2>&1 || {
echo_i "test $t failed: query failed"
status=1
}
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >dig.out.${t}.2
grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null 2>&1 || {
echo_i "test $t failed: query failed"
status=1
}
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >dig.out.${t}.3
grep "status: NOERROR" dig.out.${t}.3 >/dev/null 2>&1 || {
echo_i "test $t failed: query failed"
status=1
}
grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.1" dig.out.${t}.3 >/dev/null 2>&1 || {
echo_i "test $t failed: didn't get expected answer"
status=1
}
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}.4
grep "status: SERVFAIL" dig.out.${t}.4 >/dev/null 2>&1 || {
echo_i "test $t failed: query failed"
status=1
}
# Check RPZ log clause
t=$((t + 1))
echo_i "testing RPZ log clause (${t})"
add_test_marker 10.53.0.2
run_server log
cur=$(awk 'BEGIN {l=0} /^/ {l++} END { print l }' ns2/named.run)
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >>dig.out.${t}
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >>dig.out.${t}
sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.4.0.53.10.rpz-client-ip.log1" >/dev/null && {
echo_ic "failed: unexpected rewrite message for policy zone log1 was logged"
status=1
}
sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.3.0.53.10.rpz-client-ip.log2" >/dev/null || {
echo_ic "failed: expected rewrite message for policy zone log2 was not logged"
status=1
}
sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.2.0.53.10.rpz-client-ip.log3" >/dev/null || {
echo_ic "failed: expected rewrite message for policy zone log3 was not logged"
status=1
}
# Check wildcard behavior
t=$((t + 1))
echo_i "testing wildcard behavior with 1 RPZ zone (${t})"
add_test_marker 10.53.0.2
run_server wildcard1
$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
t=$((t + 1))
echo_i "testing wildcard behavior with 2 RPZ zones (${t})"
add_test_marker 10.53.0.2
run_server wildcard2
$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
t=$((t + 1))
echo_i "testing wildcard behavior with 1 RPZ zone and no non-wildcard triggers (${t})"
add_test_marker 10.53.0.2
run_server wildcard3
$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
grep "status: NOERROR" dig.out.${t}.2 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
t=$((t + 1))
echo_i "testing wildcard passthru before explicit drop (${t})"
add_test_marker 10.53.0.2
run_server wildcard4
$DIG $DIGOPTS example.com a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
grep "status: NOERROR" dig.out.${t}.1 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
$DIG $DIGOPTS www.example.com a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
grep "status: NOERROR" dig.out.${t}.2 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
if [ "$MODE" = "native" ]; then
# Check for invalid prefix length error
t=$((t + 1))
echo_i "testing for invalid prefix length error (${t})"
add_test_marker 10.53.0.2
run_server invalidprefixlength
grep "invalid rpz IP address \"1000.4.0.53.10.rpz-client-ip.invalidprefixlength\"; invalid prefix length of 1000$" ns2/named.run >/dev/null || {
echo_ic "failed: expected that invalid prefix length error would be logged"
status=1
}
fi
if [ "$MODE" = "native" ]; then
t=$((t + 1))
echo_i "checking 'nsip-wait-recurse no' is faster than 'nsip-wait-recurse yes' ($t)"
add_test_marker 10.53.0.2 10.53.0.3
echo_i "timing 'nsip-wait-recurse yes' (default)"
produce_librpz_rules ns3 policy policy
ret=0
t1=$($PERL -e 'print time()."\n";')
$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.yes.$t
t2=$($PERL -e 'print time()."\n";')
p1=$((t2 - t1))
echo_i "elapsed time $p1 seconds"
$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
copy_setports ns3/named2.conf.in ns3/named.conf
nextpart ns3/named.run >/dev/null
$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
echo_i "timing 'nsip-wait-recurse no'"
echo "update zone policy 0 no_nsip_wait_recurse" >$DNSRPS_TEST_UPDATE_FILE
t3=$($PERL -e 'print time()."\n";')
$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.no.$t
t4=$($PERL -e 'print time()."\n";')
p2=$((t4 - t3))
echo_i "elapsed time $p2 seconds"
if test $p1 -le $p2; then ret=1; fi
if test $ret != 0; then echo_i "failed"; fi
status=$((status + ret))
$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
# restore original named.conf
copy_setports ns3/named1.conf.in ns3/named.conf
nextpart ns3/named.run >/dev/null
$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
t=$((t + 1))
echo_i "checking 'nsdname-wait-recurse no' is faster than 'nsdname-wait-recurse yes' ($t)"
add_test_marker 10.53.0.2 10.53.0.3
echo_i "timing 'nsdname-wait-recurse yes' (default)"
ret=0
t1=$($PERL -e 'print time()."\n";')
$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.yes.$t
t2=$($PERL -e 'print time()."\n";')
p1=$((t2 - t1))
echo_i "elapsed time $p1 seconds"
$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
copy_setports ns3/named3.conf.in ns3/named.conf
nextpart ns3/named.run >/dev/null
$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
echo_i "timing 'nsdname-wait-recurse no'"
t3=$($PERL -e 'print time()."\n";')
$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.no.$t
t4=$($PERL -e 'print time()."\n";')
p2=$((t4 - t3))
echo_i "elapsed time $p2 seconds"
if test $p1 -le $p2; then ret=1; fi
if test $ret != 0; then echo_i "failed"; fi
status=$((status + ret))
fi
[ $status -eq 0 ] || exit 1

26
bin/tests/system/rpzrecurse/tests_sh_rpzrecurse_dnsrps.py Normal file
View file

@ -0,0 +1,26 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
import isctest.mark
pytestmark = isctest.mark.dnsrps_enabled
def test_rpzrecurse_dnsrps(run_tests_sh):
with open("dnsrps.conf", "w", encoding="utf-8") as conf:
conf.writelines(
[
"dnsrps-options { log-level 3 };"
"dnsrps-enable yes;"
'dnsrps-library "../../rpz/testlib/.libs/libdummyrpz.so";'
]
)
run_tests_sh()