new: test: Update filter-aaaa test

Renamed the `filter-aaaa` system test to `filters`, converted it to python, and added test cases to exercise the `filter-a` plugin as well.

Merge branch 'each-test-filter-a' into 'main'

See merge request isc-projects/bind9!10730

.gitlab-ci.yml

@@ -573,7 +573,7 @@ vulture:
   <<: *precheck_job
   needs: []
   script:
-    - vulture --exclude "*ans.py,conftest.py,isctest" --ignore-names "pytestmark,reconfigure_policy" bin/tests/system/
+    - vulture --exclude "*ans.py,conftest.py,isctest" --ignore-names "pytestmark,reconfigure_policy,setup_filters" bin/tests/system/
 
 ci-variables:
   <<: *precheck_job

bin/tests/system/filter-aaaa/ns1/named2.conf.in

@@ -1,45 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0.  If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
-	query-source address 10.53.0.1;
-	notify-source 10.53.0.1;
-	transfer-source 10.53.0.1;
-	port @PORT@;
-	pid-file "named.pid";
-	listen-on { 10.53.0.1; };
-	listen-on-v6 { fd92:7065:b8e:ffff::1; };
-	recursion no;
-	dnssec-validation no;
-	notify yes;
-	minimal-responses no;
-};
-
-
-plugin query "@TOP_BUILDDIR@/filter-aaaa.@DYLIB@" {
-	filter-aaaa-on-v6 yes;
-	filter-aaaa { fd92:7065:b8e:ffff::1; };
-};
-
-key rndc_key {
-	secret "1234abcd8765";
-	algorithm @DEFAULT_HMAC@;
-};
-
-controls {
-	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-zone "." { type primary; file "root.db"; };
-zone "signed" { type primary; file "signed.db.signed"; };
-zone "unsigned" { type primary; file "unsigned.db"; };

bin/tests/system/filter-aaaa/ns2/named2.conf.in

@@ -1,44 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0.  If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
-	query-source address 10.53.0.2;
-	notify-source 10.53.0.2;
-	transfer-source 10.53.0.2;
-	port @PORT@;
-	pid-file "named.pid";
-	listen-on { 10.53.0.2; };
-	listen-on-v6 { fd92:7065:b8e:ffff::2; };
-	recursion yes;
-	dnssec-validation yes;
-	notify yes;
-	minimal-responses no;
-};
-
-plugin query "@TOP_BUILDDIR@/filter-aaaa.@DYLIB@" {
-	filter-aaaa-on-v6 yes;
-	filter-aaaa { fd92:7065:b8e:ffff::2; };
-};
-
-key rndc_key {
-	secret "1234abcd8765";
-	algorithm @DEFAULT_HMAC@;
-};
-
-controls {
-	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-zone "." { type hint; file "hints"; };
-
-include "trusted.conf";

bin/tests/system/filter-aaaa/ns3/named1.conf.in

@@ -1,44 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0.  If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
-	query-source address 10.53.0.3;
-	notify-source 10.53.0.3;
-	transfer-source 10.53.0.3;
-	port @PORT@;
-	pid-file "named.pid";
-	listen-on { 10.53.0.3; };
-	listen-on-v6 { fd92:7065:b8e:ffff::3; };
-	recursion yes;
-	dnssec-validation yes;
-	notify yes;
-	minimal-responses no;
-};
-
-plugin query "@TOP_BUILDDIR@/filter-aaaa.@DYLIB@" {
-	filter-aaaa-on-v4 break-dnssec;
-	filter-aaaa { 10.53.0.3; };
-};
-
-key rndc_key {
-	secret "1234abcd8765";
-	algorithm @DEFAULT_HMAC@;
-};
-
-controls {
-	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-zone "." { type hint; file "hints"; };
-
-include "trusted.conf";

bin/tests/system/filter-aaaa/ns4/named2.conf.in

@@ -1,44 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0.  If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
-	query-source address 10.53.0.4;
-	notify-source 10.53.0.4;
-	transfer-source 10.53.0.4;
-	port @PORT@;
-	pid-file "named.pid";
-	listen-on { 10.53.0.4; };
-	listen-on-v6 { fd92:7065:b8e:ffff::4; };
-	recursion no;
-	dnssec-validation no;
-	notify yes;
-	minimal-responses no;
-};
-
-plugin query "@TOP_BUILDDIR@/filter-aaaa.@DYLIB@" {
-	filter-aaaa-on-v6 break-dnssec;
-	filter-aaaa { fd92:7065:b8e:ffff::4; };
-};
-
-key rndc_key {
-	secret "1234abcd8765";
-	algorithm @DEFAULT_HMAC@;
-};
-
-controls {
-	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-zone "." { type primary; file "root.db"; };
-zone "signed" { type primary; file "signed.db.signed"; };
-zone "unsigned" { type primary; file "unsigned.db"; };

bin/tests/system/filter-aaaa/setup.sh

@@ -1,35 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0.  If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-. ../conf.sh
-
-copy_setports ns1/named1.conf.in ns1/named.conf
-copy_setports ns2/named1.conf.in ns2/named.conf
-copy_setports ns3/named1.conf.in ns3/named.conf
-copy_setports ns4/named1.conf.in ns4/named.conf
-copy_setports ns5/named.conf.in ns5/named.conf
-
-copy_setports conf/good1.conf.in conf/good1.conf
-copy_setports conf/good2.conf.in conf/good2.conf
-copy_setports conf/good3.conf.in conf/good3.conf
-copy_setports conf/good4.conf.in conf/good4.conf
-copy_setports conf/good5.conf.in conf/good5.conf
-
-copy_setports conf/bad1.conf.in conf/bad1.conf
-copy_setports conf/bad2.conf.in conf/bad2.conf
-copy_setports conf/bad3.conf.in conf/bad3.conf
-copy_setports conf/bad4.conf.in conf/bad4.conf
-copy_setports conf/bad5.conf.in conf/bad5.conf
-
-(cd ns1 && $SHELL -e sign.sh)
-(cd ns4 && $SHELL -e sign.sh)

bin/tests/system/filters/common.py

@@ -0,0 +1,231 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import dns
+from dns import rdataclass, rdatatype
+
+import isctest
+
+
+ARTIFACTS = [
+    "conf/*.conf",
+    "ns*/trusted.conf",
+    "ns*/*.signed",
+    "ns*/K*",
+    "ns*/dsset-*",
+    "ns*/signer.err",
+]
+
+
+def reconfigure_servers(ftype, family, servers, templates):
+    for server_id in ["ns1", "ns2", "ns3", "ns4"]:
+        templates.render(
+            f"{server_id}/named.conf", {"family": family, "filtertype": ftype}
+        )
+        servers[server_id].reconfigure(log=False)
+
+
+def check_filtertype_only(dest, source, qname, ftype, expected, adflag):
+    qname = dns.name.from_text(qname)
+
+    msg = isctest.query.create(qname, ftype)
+    res = isctest.query.tcp(msg, dest, source=source)
+    isctest.check.noerror(res)
+
+    if adflag:
+        isctest.check.adflag(res)
+    else:
+        isctest.check.noadflag(res)
+    a_record = res.get_rrset(res.answer, qname, rdataclass.IN, rdatatype.A)
+    aaaa_record = res.get_rrset(res.answer, qname, rdataclass.IN, rdatatype.AAAA)
+    if ftype == "aaaa":
+        assert not a_record
+        if expected:
+            assert (
+                aaaa_record and aaaa_record[0].address == expected
+            ), f"expected AAAA {expected} in ANSWER: {res}"
+    else:
+        assert not aaaa_record
+        if expected:
+            assert (
+                a_record and a_record[0].address == expected
+            ), f"expected A {expected} in ANSWER: {res}"
+
+
+def check_any(dest, source, qname, expected4, expected6, do):
+    qname = dns.name.from_text(qname)
+    msg = isctest.query.create(qname, "any", dnssec=do)
+    res = isctest.query.tcp(msg, dest, source=source)
+    isctest.check.noerror(res)
+    a_record = res.get_rrset(res.answer, qname, rdataclass.IN, rdatatype.A)
+    if expected4:
+        assert (
+            a_record and a_record[0].address == expected4
+        ), f"expected A {expected4} in ANSWER: {res}"
+    else:
+        assert not a_record
+    aaaa_record = res.get_rrset(res.answer, qname, rdataclass.IN, rdatatype.AAAA)
+    if expected6:
+        assert (
+            aaaa_record and aaaa_record[0].address == expected6
+        ), f"expected AAAA {expected6} in ANSWER: {res}"
+    else:
+        assert not aaaa_record
+
+
+def check_nodata(dest, source, qname, qtype, do, adflag):
+    msg = isctest.query.create(qname, qtype, dnssec=do)
+    res = isctest.query.tcp(msg, dest, source=source)
+    isctest.check.noerror(res)
+    isctest.check.empty_answer(res)
+    if adflag:
+        isctest.check.adflag(res)
+    else:
+        isctest.check.noadflag(res)
+
+
+def check_additional(dest, source, qname, qtype, ftype, expected, adcount):
+    msg = isctest.query.create(qname, qtype)
+    res = isctest.query.tcp(msg, dest, source=source)
+    isctest.check.noerror(res)
+    isctest.check.rr_count_eq(res.additional, adcount)
+    t = rdatatype.A if ftype == "a" else rdatatype.AAAA
+    if expected:
+        assert [a for a in res.additional if a.rdtype == t]
+    else:
+        assert not [a for a in res.additional if a.rdtype == t]
+
+
+def prime_cache(addr):
+    isctest.log.debug("prime cache for recursive testing:")
+    # (when testing recursive, we need to prime the cache first with
+    # the MX addresses, since additional section data isn't included
+    # unless it's been validated.)
+    for name in ["mx", "ns"]:
+        for zone in ["signed", "unsigned"]:
+            for qtype in ["a", "aaaa"]:
+                isctest.log.debug(f"{addr}: {name}.{zone}/{qtype}")
+                isctest.query.tcp(isctest.query.create(f"{name}.{zone}", qtype), addr)
+
+
+def check_filter(addr, altaddr, ftype, break_dnssec, recursive):
+    qtype = ftype.upper()
+    isctest.log.debug(
+        f"check that {qtype} is returned when only {qtype} record exists, signed"
+    )
+    expected = "1.0.0.2" if ftype == "a" else "2001:db8::2"
+    check_filtertype_only(
+        addr, addr, f"{ftype}-only.signed", ftype, expected, recursive
+    )
+
+    isctest.log.debug(
+        f"check that {qtype} is returned when only {qtype} record exists, unsigned"
+    )
+    expected = "1.0.0.5" if ftype == "a" else "2001:db8::5"
+    check_filtertype_only(addr, addr, f"{ftype}-only.unsigned", ftype, expected, False)
+
+    isctest.log.debug(
+        "check that NODATA/NOERROR is returned when both AAAA and A exist, signed, DO=0"
+    )
+    check_nodata(addr, addr, "dual.signed", ftype, False, False)
+
+    isctest.log.debug(
+        "check that NODATA/NOERROR is returned when both AAAA and A exist, unsigned, DO=0"
+    )
+    check_nodata(addr, addr, "dual.unsigned", ftype, False, False)
+
+    isctest.log.debug(
+        f"check that {qtype} is returned when both AAAA and A exist, signed, DO=1, unless break-dnssec is enabled"
+    )
+    if break_dnssec:
+        check_nodata(addr, addr, "dual.signed", ftype, False, False)
+    else:
+        expected = "1.0.0.3" if ftype == "a" else "2001:db8::3"
+        check_filtertype_only(addr, addr, "dual.signed", ftype, expected, recursive)
+
+    isctest.log.debug(
+        "check that NODATA/NOERROR is returned when both AAAA and A exist, unsigned, DO=1"
+    )
+    check_nodata(addr, addr, "dual.unsigned", ftype, recursive, False)
+
+    isctest.log.debug(
+        f"check that {qtype} is returned if both AAAA and A exist and the query source doesn't match the ACL"
+    )
+
+    expected = "1.0.0.6" if ftype == "a" else "2001:db8::6"
+    check_filtertype_only(addr, altaddr, "dual.unsigned", ftype, expected, False)
+
+    isctest.log.debug(
+        f"check that A/AAAA (and not {qtype}) is returned if both AAAA and A exist, signed, qtype=ANY, DO=0"
+    )
+    expected4 = "1.0.0.3" if ftype == "aaaa" else None
+    expected6 = "2001:db8::3" if ftype == "a" else None
+    check_any(addr, addr, "dual.signed", expected4, expected6, False)
+
+    isctest.log.debug(
+        "check that both A and AAAA are returned if both AAAA and A exist, signed, qtype=ANY, DO=1, unless break-dnssec is enabled"
+    )
+    if break_dnssec:
+        if ftype == "a":
+            expected4 = None
+        else:
+            expected6 = None
+        check_any(addr, addr, "dual.signed", expected4, expected6, True)
+    else:
+        check_any(addr, addr, "dual.signed", "1.0.0.3", "2001:db8::3", True)
+
+    expected4 = "1.0.0.6" if ftype == "aaaa" else None
+    expected6 = "2001:db8::6" if ftype == "a" else None
+
+    isctest.log.debug(
+        f"check that A/AAAA (and not {qtype}) is returned if both AAAA and A exist, unsigned, qtype=ANY, DO=0"
+    )
+    check_any(addr, addr, "dual.unsigned", expected4, expected6, False)
+
+    isctest.log.debug(
+        f"check that A/AAAA (and not {qtype}) is returned if both AAAA and A exist, unsigned, qtype=ANY, DO=1"
+    )
+    check_any(addr, addr, "dual.unsigned", expected4, expected6, True)
+
+    isctest.log.debug(
+        "check that both A and AAAA are returned if both AAAA and A exist, signed, qtype=ANY, query source does not match ACL"
+    )
+    check_any(addr, altaddr, "dual.unsigned", "1.0.0.6", "2001:db8::6", True)
+
+    isctest.log.debug(
+        f"check that {qtype} is omitted from additional section, qtype=NS, unsigned"
+    )
+    check_additional(addr, addr, "unsigned", "ns", ftype, False, 1)
+
+    isctest.log.debug(
+        f"check that {qtype} is omitted from additional section, qtype=MX, unsigned"
+    )
+    check_additional(addr, addr, "unsigned", "mx", ftype, False, 2)
+
+    isctest.log.debug(
+        f"check that {qtype} is included in additional section, qtype=MX, signed, unless break-dnssec is enabled"
+    )
+    if break_dnssec:
+        check_additional(addr, addr, "signed", "mx", ftype, False, 4)
+    else:
+        check_additional(addr, addr, "signed", "mx", ftype, True, 8)
+
+
+def check_filter_other_family(addr, ftype):
+    isctest.log.debug(
+        "check that the filtered type is returned when both AAAA and A record exists, unsigned, over other family"
+    )
+    check_filtertype_only(addr, addr, "dual.unsigned", ftype, None, False)
+
+    isctest.log.debug(
+        "check that the filtered type is included in additional section, qtype=MX, unsigned, over other family"
+    )
+    check_additional(addr, addr, "unsigned", "mx", ftype, True, 4)

bin/tests/system/filters/ns1/named.conf.j2

@@ -11,6 +11,9 @@
  * information regarding copyright ownership.
  */
 
+{% set filtertype = filtertype | default("aaaa") %}
+{% set family = family | default("v4") %}
+
 options {
 	query-source address 10.53.0.1;
 	notify-source 10.53.0.1;
@@ -25,13 +28,19 @@ options {
 	minimal-responses no;
 };
 
+{% if family == "v6" %}
+        plugin query "@TOP_BUILDDIR@/filter-@filtertype@.@DYLIB@" {
+                filter-@filtertype@-on-v6 yes;
+                filter-@filtertype@ { fd92:7065:b8e:ffff::1; };
+        };
+{% else %}
+        acl filterees { 10.53.0.1; };
 
-acl filterees { 10.53.0.1; };
-
-plugin query "@TOP_BUILDDIR@/filter-aaaa.@DYLIB@" {
-	filter-aaaa-on-v4 yes;
-	filter-aaaa { filterees; };
-};
+        plugin query "@TOP_BUILDDIR@/filter-@filtertype@.@DYLIB@" {
+                filter-@filtertype@-on-v4 yes;
+                filter-@filtertype@ { filterees; };
+        };
+{% endif %}
 
 key rndc_key {
 	secret "1234abcd8765";

bin/tests/system/filters/ns1/signed.db.in

@@ -17,7 +17,7 @@ $TTL	120
 ns		A	10.53.0.1
 		AAAA	fd92:7065:b8e:ffff::1
 
-a-only		NS	1.0.0.1
+a-only		A	1.0.0.2
 aaaa-only	AAAA	2001:db8::2
 dual		A	1.0.0.3
 dual 		AAAA	2001:db8::3

bin/tests/system/filters/ns1/unsigned.db

@@ -17,7 +17,7 @@ $TTL	120
 ns		A	10.53.0.1
 		AAAA	fd92:7065:b8e:ffff::1
 
-a-only		NS	1.0.0.4
+a-only		A	1.0.0.5
 aaaa-only	AAAA	2001:db8::5
 dual		A	1.0.0.6
 dual 		AAAA	2001:db8::6

bin/tests/system/filters/ns2/named.conf.j2

@@ -11,8 +11,12 @@
  * information regarding copyright ownership.
  */
 
+{% set filtertype = filtertype | default("aaaa") %}
+{% set family = family | default("v4") %}
+
 options {
 	query-source address 10.53.0.2;
+	query-source-v6 address fd92:7065:b8e:ffff::2;
 	notify-source 10.53.0.2;
 	transfer-source 10.53.0.2;
 	port @PORT@;
@@ -25,10 +29,17 @@ options {
 	minimal-responses no;
 };
 
-plugin query "@TOP_BUILDDIR@/filter-aaaa.@DYLIB@" {
-	filter-aaaa-on-v4 yes;
-	filter-aaaa { 10.53.0.2; };
-};
+{% if family == "v6" %}
+        plugin query "@TOP_BUILDDIR@/filter-@filtertype@.@DYLIB@" {
+                filter-@filtertype@-on-v6 yes;
+                filter-@filtertype@ { fd92:7065:b8e:ffff::2; };
+        };
+{% else %}
+        plugin query "@TOP_BUILDDIR@/filter-@filtertype@.@DYLIB@" {
+                filter-@filtertype@-on-v4 yes;
+                filter-@filtertype@ { 10.53.0.2; };
+        };
+{% endif %}
 
 key rndc_key {
 	secret "1234abcd8765";

bin/tests/system/filters/ns3/named.conf.j2

@@ -11,8 +11,12 @@
  * information regarding copyright ownership.
  */
 
+{% set filtertype = filtertype | default("aaaa") %}
+{% set family = family | default("v4") %}
+
 options {
 	query-source address 10.53.0.3;
+	query-source-v6 address fd92:7065:b8e:ffff::3;
 	notify-source 10.53.0.3;
 	transfer-source 10.53.0.3;
 	port @PORT@;
@@ -25,10 +29,17 @@ options {
 	minimal-responses no;
 };
 
-plugin query "@TOP_BUILDDIR@/filter-aaaa.@DYLIB@" {
-	filter-aaaa-on-v6 break-dnssec;
-	filter-aaaa { fd92:7065:b8e:ffff::3; };
-};
+{% if family == "v6" %}
+        plugin query "@TOP_BUILDDIR@/filter-@filtertype@.@DYLIB@" {
+                filter-@filtertype@-on-v6 break-dnssec;
+                filter-@filtertype@ { fd92:7065:b8e:ffff::3; };
+        };
+{% else %}
+        plugin query "@TOP_BUILDDIR@/filter-@filtertype@.@DYLIB@" {
+                filter-@filtertype@-on-v4 break-dnssec;
+                filter-@filtertype@ { 10.53.0.3; };
+        };
+{% endif %}
 
 key rndc_key {
 	secret "1234abcd8765";

bin/tests/system/filters/ns4/named.conf.j2

@@ -11,6 +11,9 @@
  * information regarding copyright ownership.
  */
 
+{% set filtertype = filtertype | default("aaaa") %}
+{% set family = family | default("v4") %}
+
 options {
 	query-source address 10.53.0.4;
 	notify-source 10.53.0.4;
@@ -25,10 +28,17 @@ options {
 	minimal-responses no;
 };
 
-plugin query "@TOP_BUILDDIR@/filter-aaaa.@DYLIB@" {
-	filter-aaaa-on-v4 break-dnssec;
-	filter-aaaa { 10.53.0.4; };
-};
+{% if family == "v6" %}
+        plugin query "@TOP_BUILDDIR@/filter-@filtertype@.@DYLIB@" {
+                filter-@filtertype@-on-v6 break-dnssec;
+                filter-@filtertype@ { fd92:7065:b8e:ffff::4; };
+        };
+{% else %}
+        plugin query "@TOP_BUILDDIR@/filter-@filtertype@.@DYLIB@" {
+                filter-@filtertype@-on-v4 break-dnssec;
+                filter-@filtertype@ { 10.53.0.4; };
+        };
+{% endif %}
 
 key rndc_key {
 	secret "1234abcd8765";

bin/tests/system/filters/ns4/signed.db.in

@@ -17,7 +17,7 @@ $TTL	120
 ns		A	10.53.0.4
 		AAAA	fd92:7065:b8e:ffff::4
 
-a-only		NS	1.0.0.1
+a-only		A	1.0.0.2
 aaaa-only	AAAA	2001:db8::2
 dual		A	1.0.0.3
 dual 		AAAA	2001:db8::3

bin/tests/system/filters/ns4/unsigned.db

@@ -17,7 +17,7 @@ $TTL	120
 ns		A	10.53.0.4
 		AAAA	fd92:7065:b8e:ffff::4
 
-a-only		NS	1.0.0.4
+a-only		A	1.0.0.5
 aaaa-only	AAAA	2001:db8::5
 dual		A	1.0.0.6
 dual 		AAAA	2001:db8::6

bin/tests/system/filters/setup.sh

@@ -1,3 +1,5 @@
+#!/bin/sh
+
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # SPDX-License-Identifier: MPL-2.0
@@ -9,24 +11,7 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-import pytest
+. ../conf.sh
 
-pytestmark = pytest.mark.extra_artifacts(
-    [
-        "conf/*.conf",
-        "dig.out.*",
-        "ns*/trusted.conf",
-        "ns1/*.signed",
-        "ns1/K*",
-        "ns1/dsset-*",
-        "ns1/signer.err",
-        "ns4/*.signed",
-        "ns4/K*",
-        "ns4/dsset-*",
-        "ns4/signer.err",
-    ]
-)
-
-
-def test_filter_aaaa(run_tests_sh):
-    run_tests_sh()
+(cd ns1 && $SHELL -e sign.sh)
+(cd ns4 && $SHELL -e sign.sh)

bin/tests/system/filters/tests_filter_a_v4.py

@@ -0,0 +1,60 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import pytest
+
+import isctest.mark
+
+from filters.common import (
+    ARTIFACTS,
+    check_filter,
+    check_filter_other_family,
+    prime_cache,
+    reconfigure_servers,
+)
+
+
+pytestmark = pytest.mark.extra_artifacts(ARTIFACTS)
+
+
+@pytest.fixture(scope="module", autouse=True)
+def setup_filters(servers, templates):
+    isctest.log.info("configuring server to filter A on V4")
+    reconfigure_servers("a", "v4", servers, templates)
+    prime_cache("10.53.0.2")
+    prime_cache("10.53.0.3")
+
+
+@pytest.mark.parametrize(
+    "addr, altaddr, break_dnssec, recursive",
+    [
+        pytest.param("10.53.0.1", "10.53.0.2", False, False, id="auth"),
+        pytest.param("10.53.0.4", "10.53.0.2", True, False, id="auth-break-dnssec"),
+        pytest.param("10.53.0.2", "10.53.0.1", False, True, id="recurs"),
+        pytest.param("10.53.0.3", "10.53.0.1", True, True, id="recurs-break-dnssec"),
+    ],
+)
+def test_filter_a_on_v4(addr, altaddr, break_dnssec, recursive):
+    check_filter(addr, altaddr, "a", break_dnssec, recursive)
+
+
+@isctest.mark.with_ipv6
+@pytest.mark.parametrize(
+    "addr",
+    [
+        pytest.param("fd92:7065:b8e:ffff::1", id="auth"),
+        pytest.param("fd92:7065:b8e:ffff::4", id="auth-break-dnssec"),
+        pytest.param("fd92:7065:b8e:ffff::2", id="recurs"),
+        pytest.param("fd92:7065:b8e:ffff::3", id="recurs-break-dnssec"),
+    ],
+)
+def test_filter_a_on_v4_via_v6(addr):
+    check_filter_other_family(addr, "a")

bin/tests/system/filters/tests_filter_a_v6.py

@@ -0,0 +1,80 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import pytest
+
+import isctest.mark
+
+from filters.common import (
+    ARTIFACTS,
+    check_filter,
+    check_filter_other_family,
+    prime_cache,
+    reconfigure_servers,
+)
+
+
+pytestmark = pytest.mark.extra_artifacts(ARTIFACTS)
+
+
+@pytest.fixture(scope="module", autouse=True)
+def setup_filters(servers, templates):
+    isctest.log.info("configuring server to filter A on V6")
+    reconfigure_servers("a", "v6", servers, templates)
+    prime_cache("fd92:7065:b8e:ffff::2")
+    prime_cache("fd92:7065:b8e:ffff::3")
+
+
+@isctest.mark.with_ipv6
+@pytest.mark.parametrize(
+    "addr, altaddr, break_dnssec, recursive",
+    [
+        pytest.param(
+            "fd92:7065:b8e:ffff::1", "fd92:7065:b8e:ffff::2", False, False, id="auth"
+        ),
+        pytest.param(
+            "fd92:7065:b8e:ffff::4",
+            "fd92:7065:b8e:ffff::2",
+            True,
+            False,
+            id="auth-break-dnssec",
+        ),
+        pytest.param(
+            "fd92:7065:b8e:ffff::2",
+            "fd92:7065:b8e:ffff::1",
+            False,
+            True,
+            id="recurs",
+        ),
+        pytest.param(
+            "fd92:7065:b8e:ffff::3",
+            "fd92:7065:b8e:ffff::1",
+            True,
+            True,
+            id="recurs-break-dnssec",
+        ),
+    ],
+)
+def test_filter_a_on_v6(addr, altaddr, break_dnssec, recursive):
+    check_filter(addr, altaddr, "a", break_dnssec, recursive)
+
+
+@pytest.mark.parametrize(
+    "addr",
+    [
+        pytest.param("10.53.0.1", id="auth"),
+        pytest.param("10.53.0.4", id="auth-break-dnssec"),
+        pytest.param("10.53.0.2", id="recurs"),
+        pytest.param("10.53.0.3", id="recurs-break-dnssec"),
+    ],
+)
+def test_filter_a_on_v6_via_v4(addr):
+    check_filter_other_family(addr, "a")

bin/tests/system/filters/tests_filter_aaaa_v4.py

@@ -0,0 +1,61 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import pytest
+
+import isctest
+import isctest.mark
+
+from filters.common import (
+    ARTIFACTS,
+    check_filter,
+    check_filter_other_family,
+    prime_cache,
+    reconfigure_servers,
+)
+
+
+pytestmark = pytest.mark.extra_artifacts(ARTIFACTS)
+
+
+@pytest.fixture(scope="module", autouse=True)
+def setup_filters(servers, templates):
+    isctest.log.info("configuring server to filter AAAA on V4")
+    reconfigure_servers("aaaa", "v4", servers, templates)
+    prime_cache("10.53.0.2")
+    prime_cache("10.53.0.3")
+
+
+@pytest.mark.parametrize(
+    "addr, altaddr, break_dnssec, recursive",
+    [
+        pytest.param("10.53.0.1", "10.53.0.2", False, False, id="auth"),
+        pytest.param("10.53.0.4", "10.53.0.2", True, False, id="auth-break-dnssec"),
+        pytest.param("10.53.0.2", "10.53.0.1", False, True, id="recurs"),
+        pytest.param("10.53.0.3", "10.53.0.1", True, True, id="recurs-break-dnssec"),
+    ],
+)
+def test_filter_aaaa_on_v4(addr, altaddr, break_dnssec, recursive):
+    check_filter(addr, altaddr, "aaaa", break_dnssec, recursive)
+
+
+@isctest.mark.with_ipv6
+@pytest.mark.parametrize(
+    "addr",
+    [
+        pytest.param("fd92:7065:b8e:ffff::1", id="auth"),
+        pytest.param("fd92:7065:b8e:ffff::4", id="auth-break-dnssec"),
+        pytest.param("fd92:7065:b8e:ffff::2", id="recurs"),
+        pytest.param("fd92:7065:b8e:ffff::3", id="recurs-break-dnssec"),
+    ],
+)
+def test_filter_aaaa_on_v4_via_v6(addr):
+    check_filter_other_family(addr, "aaaa")

bin/tests/system/filters/tests_filter_aaaa_v6.py

@@ -0,0 +1,81 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import pytest
+
+import isctest.mark
+
+from filters.common import (
+    ARTIFACTS,
+    check_filter,
+    check_filter_other_family,
+    prime_cache,
+    reconfigure_servers,
+)
+
+
+pytestmark = pytest.mark.extra_artifacts(ARTIFACTS)
+
+
+@pytest.fixture(scope="module", autouse=True)
+def setup_filters(servers, templates):
+    isctest.log.info("configuring server to filter AAAA on V6")
+    reconfigure_servers("aaaa", "v6", servers, templates)
+    prime_cache("fd92:7065:b8e:ffff::2")
+    prime_cache("fd92:7065:b8e:ffff::3")
+
+
+@isctest.mark.with_ipv6
+@pytest.mark.parametrize(
+    "addr, altaddr, break_dnssec, recursive",
+    [
+        pytest.param(
+            "fd92:7065:b8e:ffff::1", "fd92:7065:b8e:ffff::2", False, False, id="auth"
+        ),
+        pytest.param(
+            "fd92:7065:b8e:ffff::4",
+            "fd92:7065:b8e:ffff::2",
+            True,
+            False,
+            id="auth-break-dnssec",
+        ),
+        pytest.param(
+            "fd92:7065:b8e:ffff::2",
+            "fd92:7065:b8e:ffff::1",
+            False,
+            True,
+            id="recurs",
+        ),
+        pytest.param(
+            "fd92:7065:b8e:ffff::3",
+            "fd92:7065:b8e:ffff::1",
+            True,
+            True,
+            id="recurs-break-dnssec",
+        ),
+    ],
+)
+def test_filter_aaaa_on_v6(addr, altaddr, break_dnssec, recursive):
+    check_filter(addr, altaddr, "aaaa", break_dnssec, recursive)
+
+
+@isctest.mark.with_ipv6
+@pytest.mark.parametrize(
+    "addr",
+    [
+        pytest.param("10.53.0.1", id="auth"),
+        pytest.param("10.53.0.4", id="auth-break-dnssec"),
+        pytest.param("10.53.0.2", id="recurs"),
+        pytest.param("10.53.0.3", id="recurs-break-dnssec"),
+    ],
+)
+def test_filter_aaaa_on_v6_via_v4(addr):
+    check_filter_other_family(addr, "aaaa")

bin/tests/system/filters/tests_filter_checkconf.py

@@ -0,0 +1,32 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import glob
+import os
+import subprocess
+
+import pytest
+
+import isctest
+
+from filters.common import ARTIFACTS
+
+
+pytestmark = pytest.mark.extra_artifacts(ARTIFACTS)
+
+
+# FUTURE: move this to checkconf test - it doesn't need nsX servers
+def test_filters_checkconf():
+    for filename in glob.glob("conf/good*.conf"):
+        isctest.run.cmd([os.environ["CHECKCONF"], filename])
+    for filename in glob.glob("conf/bad*.conf"):
+        with pytest.raises(subprocess.CalledProcessError):
+            isctest.run.cmd([os.environ["CHECKCONF"], filename])

bin/tests/system/filters/tests_filter_dns64.py

@@ -0,0 +1,28 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import pytest
+
+import isctest
+
+from filters.common import ARTIFACTS
+
+
+pytestmark = pytest.mark.extra_artifacts(ARTIFACTS)
+
+
+def test_filter_dns64():
+    # This configuration doesn't make sense. The AAAA is wanted by
+    # filter-aaaa, but discarded by the dns64 configuration. We just
+    # need to ensure that the server keeps running.
+    msg = isctest.query.create("aaaa-only.unsigned", "aaaa")
+    res = isctest.query.tcp(msg, "10.53.0.5")
+    isctest.check.noerror(res)

bin/tests/system/isctest/mark.py

@@ -13,12 +13,12 @@
 
 import os
 import platform
+import socket
 import shutil
 import subprocess
 
 import pytest
 
-
 long_test = pytest.mark.skipif(
     not os.environ.get("CI_ENABLE_LONG_TESTS"), reason="CI_ENABLE_LONG_TESTS not set"
 )
@@ -91,3 +91,15 @@ softhsm2_environment = pytest.mark.skipif(
     ),
     reason="SOFTHSM2_CONF and SOFTHSM2_MODULE environmental variables must be set and pkcs11-tool and softhsm2-util tools present",
 )
+
+
+def have_ipv6():
+    sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
+    try:
+        sock.bind(("fd92:7065:b8e:ffff::1", 0))
+    except OSError:
+        return False
+    return True
+
+
+with_ipv6 = pytest.mark.skipif(not have_ipv6(), reason="IPv6 not available")

bin/tests/system/rollover-algo-csk/common.py

@@ -1 +0,0 @@
-../rollover/common.py

bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_initial.py

@@ -12,7 +12,7 @@
 # pylint: disable=redefined-outer-name,unused-import
 
 import isctest
-from common import (
+from rollover.common import (
     pytestmark,
     CDSS,
     DURATION,

bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_reconfig.py

@@ -15,7 +15,7 @@ import pytest
 
 import isctest
 from isctest.kasp import KeyTimingMetadata
-from common import (
+from rollover.common import (
     pytestmark,
     alg,
     size,

bin/tests/system/rollover-algo-ksk-zsk/common.py

@@ -1 +0,0 @@
-../rollover/common.py

bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_initial.py

@@ -12,7 +12,7 @@
 # pylint: disable=unused-import
 
 import isctest
-from common import (
+from rollover.common import (
     pytestmark,
     CDSS,
     DURATION,

bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_reconfig.py

@@ -15,7 +15,7 @@ import pytest
 
 import isctest
 from isctest.kasp import KeyTimingMetadata
-from common import (
+from rollover.common import (
     pytestmark,
     alg,
     size,

bin/tests/system/rollover-csk-roll1/common.py

@@ -1 +0,0 @@
-../rollover/common.py

bin/tests/system/rollover-csk-roll1/tests_rollover_csk_roll1.py

@@ -15,7 +15,7 @@ from datetime import timedelta
 
 import isctest
 from isctest.kasp import Ipub, Iret
-from common import (
+from rollover.common import (
     pytestmark,
     alg,
     size,

bin/tests/system/rollover-csk-roll2/common.py

@@ -1 +0,0 @@
-../rollover/common.py

bin/tests/system/rollover-csk-roll2/tests_rollover_csk_roll2.py

@@ -15,7 +15,7 @@ from datetime import timedelta
 
 import isctest
 from isctest.kasp import Ipub, Iret
-from common import (
+from rollover.common import (
     pytestmark,
     alg,
     size,

bin/tests/system/rollover-dynamic2inline/common.py

@@ -1 +0,0 @@
-../rollover/common.py

bin/tests/system/rollover-dynamic2inline/tests_rollover_dynamic2inline.py

@@ -12,7 +12,7 @@
 # pylint: disable=redefined-outer-name,unused-import
 
 import isctest
-from common import (
+from rollover.common import (
     pytestmark,
     alg,
     size,

bin/tests/system/rollover-enable-dnssec/common.py

@@ -1 +0,0 @@
-../rollover/common.py

bin/tests/system/rollover-enable-dnssec/tests_rollover_enable_dnssec.py

@@ -13,7 +13,7 @@
 
 import isctest
 from isctest.kasp import Ipub, IpubC, Iret
-from common import (
+from rollover.common import (
     pytestmark,
     alg,
     size,

bin/tests/system/rollover-going-insecure/common.py

@@ -1 +0,0 @@
-../rollover/common.py

bin/tests/system/rollover-going-insecure/tests_rollover_going_insecure_initial.py

@@ -14,7 +14,7 @@
 import pytest
 
 import isctest
-from common import (
+from rollover.common import (
     pytestmark,
     alg,
     size,

bin/tests/system/rollover-going-insecure/tests_rollover_going_insecure_reconfig.py

@@ -14,7 +14,7 @@
 import pytest
 
 import isctest
-from common import (
+from rollover.common import (
     pytestmark,
     alg,
     size,

bin/tests/system/rollover-ksk-3crowd/common.py

@@ -1 +0,0 @@
-../rollover/common.py

bin/tests/system/rollover-ksk-3crowd/tests_rollover_three_is_a_crowd.py

@@ -15,7 +15,7 @@ from datetime import timedelta
 
 import isctest
 from isctest.kasp import KeyTimingMetadata
-from common import (
+from rollover.common import (
     pytestmark,
     alg,
     size,

bin/tests/system/rollover-ksk-doubleksk/common.py

@@ -1 +0,0 @@
-../rollover/common.py

bin/tests/system/rollover-ksk-doubleksk/tests_rollover_ksk_doubleksk.py

@@ -14,7 +14,7 @@
 from datetime import timedelta
 
 import isctest
-from common import (
+from rollover.common import (
     pytestmark,
     alg,
     size,

bin/tests/system/rollover-lifetime/common.py

@@ -1 +0,0 @@
-../rollover/common.py

bin/tests/system/rollover-lifetime/tests_rollover_lifetime_initial.py

@@ -15,7 +15,7 @@ import pytest
 
 import isctest
 from isctest.util import param
-from common import (
+from rollover.common import (
     pytestmark,
     alg,
     size,

bin/tests/system/rollover-lifetime/tests_rollover_lifetime_reconfig.py

@@ -15,7 +15,7 @@ import pytest
 
 import isctest
 from isctest.util import param
-from common import (
+from rollover.common import (
     pytestmark,
     alg,
     size,

bin/tests/system/rollover-multisigner/common.py

@@ -1 +0,0 @@
-../rollover/common.py

bin/tests/system/rollover-multisigner/tests_rollover_multisigner.py

@@ -21,7 +21,7 @@ import dns.update
 
 import isctest
 from isctest.kasp import Iret
-from common import (
+from rollover.common import (
     pytestmark,
     alg,
     size,

bin/tests/system/rollover-straight2none/common.py

@@ -1 +0,0 @@
-../rollover/common.py

bin/tests/system/rollover-straight2none/tests_rollver_straight2none_initial.py

@@ -14,7 +14,7 @@
 import pytest
 
 import isctest
-from common import (
+from rollover.common import (
     pytestmark,
     alg,
     size,

bin/tests/system/rollover-straight2none/tests_rollver_straight2none_reconfig.py

@@ -14,7 +14,7 @@
 import pytest
 
 import isctest
-from common import (
+from rollover.common import (
     pytestmark,
     alg,
     size,

bin/tests/system/rollover-zsk-prepub/common.py

@@ -1 +0,0 @@
-../rollover/common.py

bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py

@@ -15,7 +15,7 @@ from datetime import timedelta
 
 import isctest
 from isctest.kasp import Ipub, Iret
-from common import (
+from rollover.common import (
     pytestmark,
     alg,
     size,

bin/tests/system/rollover/tests_rollover_manual.py

@@ -15,7 +15,7 @@ import os
 import isctest
 from isctest.kasp import KeyTimingMetadata, Ipub, Iret
 
-from common import pytestmark  # pylint: disable=unused-import
+from rollover.common import pytestmark  # pylint: disable=unused-import
 
 
 def test_rollover_manual(ns3):