upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Test that RPZ "passthru" doesn't alter the answer's TTL with ANY queries

Browse source 
Expand the test_rpz_passthru_logging() check in the "rpzextra" system
test to check the answer's TTL values with ANY type queries.

(cherry picked from commit 98ff3a4432)
This commit is contained in:
Aram Sargsyan 2025-02-26 13:37:57 +00:00 committed by Arаm Sаrgsyаn
parent 2d48cb33e3
commit 533d8c099d
1 changed files with 17 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
bin/tests/system/rpzextra/tests_rpzextra.py
View file

@ -102,6 +102,23 @@ def test_rpz_passthru_logging():
dns.rrset.from_text("allowed.", 300, "IN", "A", "10.53.0.2")
]
# Should also generate a log entry into rpz_passthru.txt
msg_allowed_any = dns.message.make_query("allowed.", "ANY")
res_allowed_any = isctest.query.udp(
msg_allowed_any,
resolver_ip,
source="10.53.0.1",
expected_rcode=dns.rcode.NOERROR,
)
assert res_allowed_any.answer == [
dns.rrset.from_text("allowed.", 300, "IN", "NS", "ns1.allowed."),
dns.rrset.from_text("allowed.", 300, "IN", "A", "10.53.0.2"),
]
# The comparison above doesn't compare the TTL values, and we want to
# make sure that the "passthru" rpz doesn't cap the TTL with max-policy-ttl.
assert res_allowed_any.answer[0].ttl > 200
assert res_allowed_any.answer[1].ttl > 200
# baddomain.com isn't allowed (CNAME .), should return NXDOMAIN
# Should generate a log entry into rpz.txt
msg_not_allowed = dns.message.make_query("baddomain.", "A")