diff --git a/bin/tests/system/checkconf/bad-rpz-ede.conf b/bin/tests/system/checkconf/bad-rpz-ede.conf
new file mode 100644
index 0000000000..8d78f8df47
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rpz-ede.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+	type primary;
+	file "example.com.zone";
+};
+
+options {
+	response-policy {
+		zone "example.com." ede unsupported;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-rpz-ede-none.conf b/bin/tests/system/checkconf/good-rpz-ede-none.conf
new file mode 100644
index 0000000000..c0ffab91e2
--- /dev/null
+++ b/bin/tests/system/checkconf/good-rpz-ede-none.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+	type primary;
+	file "example.com.zone";
+};
+
+options {
+	response-policy {
+		zone "example.com." ede none;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-rpz-ede.conf b/bin/tests/system/checkconf/good-rpz-ede.conf
new file mode 100644
index 0000000000..616f9ee63e
--- /dev/null
+++ b/bin/tests/system/checkconf/good-rpz-ede.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+	type primary;
+	file "example.com.zone";
+};
+
+options {
+	response-policy {
+		zone "example.com." ede filtered;
+	};
+};
diff --git a/bin/tests/system/rpz/ns3/named.conf.in b/bin/tests/system/rpz/ns3/named.conf.in
index aafe7f20f4..b0f6804bd2 100644
--- a/bin/tests/system/rpz/ns3/named.conf.in
+++ b/bin/tests/system/rpz/ns3/named.conf.in
@@ -48,7 +48,7 @@ options {
 	zone "bl-drop" policy drop;
 	zone "bl-tcp-only" policy tcp-only;
 	zone "bl.tld2";
-	zone "manual-update-rpz";
+	zone "manual-update-rpz" ede forged;
 	zone "mixed-case-rpz";
 	} add-soa yes
diff --git a/bin/tests/system/rpz/ns7/named.conf.in b/bin/tests/system/rpz/ns7/named.conf.in
index 7effd3db41..40c385c32d 100644
--- a/bin/tests/system/rpz/ns7/named.conf.in
+++ b/bin/tests/system/rpz/ns7/named.conf.in
@@ -26,7 +26,7 @@ options {
 	dnssec-validation yes;
 
 	response-policy {
-	    zone "policy2" add-soa no;
+	    zone "policy2" add-soa no ede none;
 	} qname-wait-recurse no
 	nsip-enable yes
 	nsdname-enable yes
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index 9975b686cf..194527c1a8 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -848,6 +848,11 @@ EOF
   $PERL ../stop.pl --use-rndc --port ${CONTROLPORT} rpz ns3
   restart 3 "rebuild-bl-rpz"
 
+  t=`expr $t + 1`
+  echo_i "checking the configured extended DNS error code (EDE) (${t})"
+  $DIG -p ${PORT} @$ns3 walled.tld2 > dig.out.$t
+  grep -F "EDE: 4 (Forged Answer)" dig.out.$t > /dev/null || setret "failed"
+
   # reload a RPZ zone that is now deliberately broken.
   t=`expr $t + 1`
   echo_i "checking rpz failed update will keep previous rpz rules (${t})"
@@ -860,6 +865,11 @@ EOF
   $DIG -p ${PORT} @$ns3 walled.tld2 > dig.out.$t.after
   grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.after > /dev/null || setret "failed"
 
+  t=`expr $t + 1`
+  echo_i "checking the default (unset) extended DNS error code (EDE) (${t})"
+  $DIG -p ${PORT} @$ns3 a6-2.tld2. A > dig.out.$t
+  grep -F "EDE: " dig.out.$t > /dev/null && setret "failed"
+
   t=`expr $t + 1`
   echo_i "checking reload of a mixed-case RPZ zone (${t})"
   # First, a sanity check: the A6-2.TLD2.mixed-case-rpz RPZ record should
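Review bot: The new "configured EDE" check asserts `EDE: 4 (Forged Answer)` for walled.tld2 without saying which response-policy zone is expected to produce that code, so a reader has to cross-reference ns3/named.conf.in in this same commit to see that manual-update-rpz is the zone that now carries `ede forged`; the later 'add-soa yes' check, which greps `^manual-update-rpz\..*SOA` for the same query, suggests that is indeed the zone rewriting walled.tld2. A one-line comment above the query would make the expectation self-explanatory, e.g. `# walled.tld2 appears to be rewritten by manual-update-rpz, which ns3 configures with "ede forged" (EDE code 4)`. The enclosing block of tests.sh starts and ends outside this hunk.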
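Review bot: The "default (unset) EDE" check in the second hunk is negative-only: `grep -F "EDE: " dig.out.$t > /dev/null && setret "failed"` passes just as well when a6-2.tld2 is never rewritten by any policy zone, so a regression that stops the rewrite from applying would not be caught here. The comment a few lines below suggests a6-2.tld2 is covered by the mixed-case-rpz zone; pairing the EDE grep with a positive assertion that the rewritten answer is present (the way the preceding walled.tld2 check greps for `10\.0\.0\.1`) would make the absence of an EDE option meaningful. The same shape appears in the new 'ede none' check in the hunk at `@@ -907,20 +917,25 @@`, which queries z.x.servfail on ns7 and only asserts that `EDE: ` is absent. Both enclosing blocks start and end outside their hunks.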
@@ -907,20 +917,25 @@ EOF
   grep NXDOMAIN dig.out.${t} > /dev/null || setret "failed"
 
   t=`expr $t + 1`
-  echo_i "checking that "add-soa no" at rpz zone level works (${t})"
+  echo_i "checking that 'ede none' works same way as when \"ede\" is unset (${t})"
+  $DIG z.x.servfail -p ${PORT} @$ns7 > dig.out.${t}
+  grep -F "EDE: " dig.out.${t} > /dev/null && setret "failed"
+
+  t=`expr $t + 1`
+  echo_i "checking that 'add-soa no' at rpz zone level works (${t})"
   $DIG z.x.servfail -p ${PORT} @$ns7 > dig.out.${t}
   grep SOA dig.out.${t} > /dev/null && setret "failed"
 
   if [ native = "$mode" ]; then
     t=`expr $t + 1`
-    echo_i "checking that "add-soa yes" at response-policy level works (${t})"
+    echo_i "checking that 'add-soa yes' at response-policy level works (${t})"
     $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 > dig.out.${t}
     grep "^manual-update-rpz\..*SOA" dig.out.${t} > /dev/null || setret "failed"
   fi
 
   if [ native = "$mode" ]; then
     t=`expr $t + 1`
-    echo_i "checking that "add-soa unset" works (${t})"
+    echo_i "checking that 'add-soa unset' works (${t})"
     $DIG walled.tld2 -p ${PORT} +noall +add @$ns8 > dig.out.${t}
     grep "^manual-update-rpz\..*SOA" dig.out.${t} > /dev/null || setret "failed"
   fi