Add system tests for RPZ EDE codes

Check the new configuration option's syntax using the 'checkconf' system test. Check if the new option works by parsing DiG's output in the 'rpz' system test.
2026-05-28 04:34:54 -04:00 · 2022-08-26 14:18:28 +00:00 · 2022-08-26 14:18:28 +00:00 · 5e4e303ffa
commit 5e4e303ffa
parent 83395f4cfb
6 changed files with 89 additions and 5 deletions
--- a/bin/tests/system/checkconf/bad-rpz-ede.conf
+++ b/bin/tests/system/checkconf/bad-rpz-ede.conf
@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+	type primary;
+	file "example.com.zone";
+};
+
+options {
+	response-policy {
+		zone "example.com." ede unsupported;
+	};
+};
--- a/bin/tests/system/checkconf/good-rpz-ede-none.conf
+++ b/bin/tests/system/checkconf/good-rpz-ede-none.conf
@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+	type primary;
+	file "example.com.zone";
+};
+
+options {
+	response-policy {
+		zone "example.com." ede none;
+	};
+};
--- a/bin/tests/system/checkconf/good-rpz-ede.conf
+++ b/bin/tests/system/checkconf/good-rpz-ede.conf
@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+	type primary;
+	file "example.com.zone";
+};
+
+options {
+	response-policy {
+		zone "example.com." ede filtered;
+	};
+};
--- a/bin/tests/system/rpz/ns3/named.conf.in
+++ b/bin/tests/system/rpz/ns3/named.conf.in
@ -48,7 +48,7 @@ options {
 	    zone "bl-drop"	policy drop;
 	    zone "bl-tcp-only"	policy tcp-only;
 	    zone "bl.tld2";
-	    zone "manual-update-rpz";
+	    zone "manual-update-rpz"	ede forged;
 	    zone "mixed-case-rpz";
 	}
 	add-soa yes
--- a/bin/tests/system/rpz/ns7/named.conf.in
+++ b/bin/tests/system/rpz/ns7/named.conf.in
@ -26,7 +26,7 @@ options {
 	dnssec-validation yes;

 	response-policy {
-	    zone "policy2" add-soa no;
+	    zone "policy2" add-soa no ede none;
 	} qname-wait-recurse no
 	nsip-enable yes
 	nsdname-enable yes
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@ -848,6 +848,11 @@ EOF
    $PERL ../stop.pl --use-rndc --port ${CONTROLPORT} rpz ns3
    restart 3 "rebuild-bl-rpz"

+    t=`expr $t + 1`
+    echo_i "checking the configured extended DNS error code (EDE) (${t})"
+    $DIG -p ${PORT} @$ns3 walled.tld2 > dig.out.$t
+    grep -F "EDE: 4 (Forged Answer)" dig.out.$t > /dev/null || setret "failed"
+
    # reload a RPZ zone that is now deliberately broken.
    t=`expr $t + 1`
    echo_i "checking rpz failed update will keep previous rpz rules (${t})"
@ -860,6 +865,11 @@ EOF
    $DIG -p ${PORT} @$ns3 walled.tld2 > dig.out.$t.after
    grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.after > /dev/null || setret "failed"

+    t=`expr $t + 1`
+    echo_i "checking the default (unset) extended DNS error code (EDE) (${t})"
+    $DIG -p ${PORT} @$ns3 a6-2.tld2. A > dig.out.$t
+    grep -F "EDE: " dig.out.$t > /dev/null && setret "failed"
+
    t=`expr $t + 1`
    echo_i "checking reload of a mixed-case RPZ zone (${t})"
    # First, a sanity check: the A6-2.TLD2.mixed-case-rpz RPZ record should
@ -907,20 +917,25 @@ EOF
  grep NXDOMAIN dig.out.${t} > /dev/null || setret "failed"

  t=`expr $t + 1`
-  echo_i "checking that "add-soa no" at rpz zone level works (${t})"
+  echo_i "checking that 'ede none' works same way as when \"ede\" is unset (${t})"
+  $DIG z.x.servfail -p ${PORT} @$ns7 > dig.out.${t}
+  grep -F "EDE: " dig.out.${t} > /dev/null && setret "failed"
+
+  t=`expr $t + 1`
+  echo_i "checking that 'add-soa no' at rpz zone level works (${t})"
  $DIG z.x.servfail -p ${PORT} @$ns7 > dig.out.${t}
  grep SOA dig.out.${t} > /dev/null && setret "failed"

  if [ native = "$mode" ]; then
    t=`expr $t + 1`
-    echo_i "checking that "add-soa yes" at response-policy level works (${t})"
+    echo_i "checking that 'add-soa yes' at response-policy level works (${t})"
    $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 > dig.out.${t}
    grep "^manual-update-rpz\..*SOA" dig.out.${t} > /dev/null || setret "failed"
  fi

  if [ native = "$mode" ]; then
    t=`expr $t + 1`
-    echo_i "checking that "add-soa unset" works (${t})"
+    echo_i "checking that 'add-soa unset' works (${t})"
    $DIG walled.tld2 -p ${PORT} +noall +add @$ns8 > dig.out.${t}
    grep "^manual-update-rpz\..*SOA" dig.out.${t} > /dev/null || setret "failed"
  fi