upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-13 03:49:59 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Make RPZ tests more readable

Browse source
This commit is contained in:
Matthijs Mekking 2019-02-06 15:40:06 +01:00
parent a8f20871c4
commit 97118d59ba
2 changed files with 357 additions and 243 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
bin/tests/system/rpz/setup.sh
View file

@ -36,10 +36,10 @@ for NM in '' -2 -given -disabled -passthru -no-op -nodata -nxdomain -cname -wild
sed -e "/SOA/s/blx/bl$NM/g" ns3/base.db >ns3/bl$NM.db
done
# sign the root and a zone in ns2
test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE
# $1=directory, $2=domain name, $3=input zone file, $4=output file
# $1=directory
# $2=domain name
# $3=input zone file
# $4=output file
signzone () {
KEYNAME=`$KEYGEN -q -r $RANDFILE -b 512 -K $1 $2`
cat $1/$3 $1/$KEYNAME.key > $1/tmp
@ -48,8 +48,10 @@ signzone () {
DSFILENAME=dsset-`echo $2 |sed -e "s/\.$//g"`$TP
rm $DSFILENAME $1/tmp
}
signzone ns2 tld2s. base-tld2s.db tld2s.db
# sign the root and a zone in ns2
test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE
signzone ns2 tld2s. base-tld2s.db tld2s.db
# Performance and a few other checks.
cat <<EOF >ns5/rpz-switch

588
bin/tests/system/rpz/tests.sh
View file

@ -24,6 +24,7 @@ ns7=$ns.7 # another rewriting resolver
HAVE_CORE=
SAVE_RESULTS=
status=0
USAGE="$0: [-x]"
while getopts "x" c; do
@ -83,6 +84,76 @@ setret () {
echo_i "$*"
}
# set $SN to the SOA serial number of a zone
# $1=domain
# $2=DNS server and client IP address
get_sn() {
SOA=`$DIG -p ${PORT} +short +norecurse soa "$1" "@$2" "-b$2"`
SN=`expr "$SOA" : '[^ ]* [^ ]* \([^ ]*\) .*'`
test "$SN" != "" && return
echo_i "no serial number from \`dig -p ${PORT} soa $1 @$2\` in \"$SOA\""
exit 1
}
get_sn_fast () {
RSN=`$DNSRPSCMD -n "$1"`
#echo "dnsrps serial for $1 is $RSN"
if test -z "$RSN"; then
echo_i "dnsrps failed to get SOA serial number for $1"
exit 1
fi
}
# check that dnsrpzd has loaded its zones
# $1=domain
# $2=DNS server IP address
FZONES=`sed -n -e 's/^zone "\(.*\)".*\(10.53.0..\).*/Z=\1;M=\2/p' dnsrpzd.conf`
dnsrps_loaded() {
test "$mode" = dnsrps || return
n=0
for V in $FZONES; do
eval "$V"
get_sn $Z $M
while true; do
get_sn_fast "$Z"
if test "$SN" -eq "0$RSN"; then
#echo "$Z @$M serial=$SN"
break
fi
n=`expr $n + 1`
if test "$n" -gt $TEN_SECS; then
echo_i "dnsrps serial for $Z is $RSN instead of $SN"
exit 1
fi
$WAIT_CMD
done
done
}
# check the serial number in an SOA to ensure that a policy zone has
# been (re)loaded
# $1=serial number
# $2=domain
# $3=DNS server
ck_soa() {
n=0
while true; do
if test "$mode" = dnsrps; then
get_sn_fast "$2"
test "$RSN" -eq "$1" && return
else
get_sn "$2" "$3"
test "$SN" -eq "$1" && return
fi
n=`expr $n + 1`
if test "$n" -gt $TEN_SECS; then
echo_i "got serial number \"$SN\" instead of \"$1\" from $2 @$3"
return
fi
$WAIT_CMD
done
}
# (re)load the reponse policy zones with the rules in the file $TEST_FILE
load_db () {
if test -n "$TEST_FILE"; then
@ -122,7 +193,8 @@ restart () {
load_db
}
# $1=server and irrelevant args $2=error message
# $1=server and irrelevant args
# $2=error message
ckalive () {
CKALIVE_NS=`expr "$1" : '.*@ns\([1-9]\).*'`
if test -z "$CKALIVE_NS"; then
@ -170,7 +242,8 @@ ckstatsrange () {
eval "${NSDIR}_CNT=$NEW_CNT"
}
# $1=message $2=optional test file name
# $1=message
# $2=optional test file name
start_group () {
ret=0
t=`expr $t + 1`
@ -203,7 +276,8 @@ clean_result () {
fi
}
# $1=dig args $2=other dig output file
# $1=dig args
# $2=other dig output file
ckresult () {
#ckalive "$1" "server crashed by 'dig $1'" || return 1
if grep "flags:.* aa .*ad;" $DIGNM; then
@ -226,7 +300,8 @@ ckresult () {
}
# check only that the server does not crash
# $1=target domain $2=optional query type
# $1=target domain
# $2=optional query type
nocrash () {
digcmd $* >/dev/null
ckalive "$*" "server crashed by 'dig $*'"
@ -234,7 +309,8 @@ nocrash () {
# check rewrite to NXDOMAIN
# $1=target domain $2=optional query type
# $1=target domain
# $2=optional query type
nxdomain () {
make_dignm
digcmd $* \
@ -245,7 +321,8 @@ nxdomain () {
}
# check rewrite to NODATA
# $1=target domain $2=optional query type
# $1=target domain
# $2=optional query type
nodata () {
make_dignm
digcmd $* \
@ -255,7 +332,9 @@ nodata () {
# check rewrite to an address
# modify the output so that it is easily compared, but save the original line
# $1=IPv4 address $2=digcmd args $3=optional TTL
# $1=IPv4 address
# $2=digcmd args
# $3=optional TTL
addr () {
ADDR=$1
make_dignm
@ -277,7 +356,8 @@ addr () {
# Check that a response is not rewritten
# Use $ns1 instead of the authority for most test domains, $ns2 to prevent
# spurious differences for `dig +norecurse`
# $1=optional "TCP" remaining args for dig
# $1=optional "TCP"
# remaining args for dig
nochange () {
make_dignm
digcmd $* >$DIGNM
@ -306,239 +386,281 @@ drop () {
return 1
}
nsd() {
$NSUPDATE -p ${PORT} << EOF
server $1
ttl 300
update $2 $3 IN CNAME .
update $2 $4 IN CNAME .
send
EOF
sleep 2
}
# make prototype files to check against rewritten results
digcmd nonexistent @$ns2 >proto.nxdomain
digcmd txt-only.tld2 @$ns2 >proto.nodata
for mode in native dnsrps; do
status=0
case ${mode} in
native)
if [ -e dnsrps-only ] ; then
echo_i "'dnsrps-only' found: skipping native RPZ sub-test"
continue
else
echo_i "running native RPZ sub-test"
fi
;;
dnsrps)
if [ -e dnsrps-off ] ; then
echo_i "'dnsrps-off' found: skipping DNSRPS sub-test"
continue
fi
echo_i "attempting to configure servers with DNSRPS..."
$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} rpz
$SHELL ./setup.sh -N -D $DEBUG
for server in ns*; do
resetstats $server
done
sed -n 's/^## //p' dnsrps.conf | cat_i
if grep '^#fail' dnsrps.conf >/dev/null; then
echo_i "exit status: 1"
exit 1
fi
if grep '^#skip' dnsrps.conf > /dev/null; then
echo_i "DNSRPS sub-test skipped"
continue
else
echo_i "running DNSRPS sub-test"
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} rpz
fi
;;
esac
# make prototype files to check against rewritten results
digcmd nonexistent @$ns2 >proto.nxdomain
digcmd txt-only.tld2 @$ns2 >proto.nodata
status=0
start_group "QNAME rewrites" test1
nochange . # 1 do not crash or rewrite root
nxdomain a0-1.tld2 # 2
nodata a3-1.tld2 # 3
nodata a3-2.tld2 # 4 nodata at DNAME itself
nochange sub.a3-2.tld2 # 5 miss where DNAME might work
nxdomain a4-2.tld2 # 6 rewrite based on CNAME target
nxdomain a4-2-cname.tld2 # 7
nodata a4-3-cname.tld2 # 8
addr 12.12.12.12 a4-1.sub1.tld2 # 9 A replacement
addr 12.12.12.12 a4-1.sub2.tld2 # 10 A replacement with wildcard
addr 12.12.12.12 nxc1.sub1.tld2 # 11 replace NXDOMAIN with CNAME
addr 12.12.12.12 nxc2.sub1.tld2 # 12 replace NXDOMAIN with CNAME chain
addr 127.4.4.1 a4-4.tld2 # 13 prefer 1st conflicting QNAME zone
nochange a6-1.tld2 # 14
addr 127.6.2.1 a6-2.tld2 # 15
addr 56.56.56.56 a3-6.tld2 # 16 wildcard CNAME
addr 57.57.57.57 a3-7.sub1.tld2 # 17 wildcard CNAME
addr 127.0.0.16 a4-5-cname3.tld2 # 18 CNAME chain
addr 127.0.0.17 a4-6-cname3.tld2 # 19 stop short in CNAME chain
nochange a5-2.tld2 +norecurse # 20 check that RD=1 is required
nochange a5-3.tld2 +norecurse # 21
nochange a5-4.tld2 +norecurse # 22
nochange sub.a5-4.tld2 +norecurse # 23
nxdomain c1.crash2.tld3 # 24 assert in rbtdb.c
nxdomain a0-1.tld2 +dnssec # 25 simple DO=1 without signatures
nxdomain a0-1.tld2s +nodnssec # 26 simple DO=0 with signatures
nochange a0-1.tld2s +dnssec # 27 simple DO=1 with signatures
nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain
nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain
nochange a0-1.tld2s srv +auth +dnssec # 30 no write for DNSSEC and no record
nxdomain a0-1.tld2s srv +nodnssec # 31
drop a3-8.tld2 any # 32 drop
nochange tcp a3-9.tld2 # 33 tcp-only
here x.servfail <<'EOF' # 34 qname-wait-recurse yes
start_group "QNAME rewrites" test1
nochange . # 1 do not crash or rewrite root
nxdomain a0-1.tld2 # 2
nodata a3-1.tld2 # 3
nodata a3-2.tld2 # 4 nodata at DNAME itself
nochange sub.a3-2.tld2 # 5 miss where DNAME might work
nxdomain a4-2.tld2 # 6 rewrite based on CNAME target
nxdomain a4-2-cname.tld2 # 7
nodata a4-3-cname.tld2 # 8
addr 12.12.12.12 a4-1.sub1.tld2 # 9 A replacement
addr 12.12.12.12 a4-1.sub2.tld2 # 10 A replacement with wildcard
addr 12.12.12.12 nxc1.sub1.tld2 # 11 replace NXDOMAIN with CNAME
addr 12.12.12.12 nxc2.sub1.tld2 # 12 replace NXDOMAIN with CNAME chain
addr 127.4.4.1 a4-4.tld2 # 13 prefer 1st conflicting QNAME zone
nochange a6-1.tld2 # 14
addr 127.6.2.1 a6-2.tld2 # 15
addr 56.56.56.56 a3-6.tld2 # 16 wildcard CNAME
addr 57.57.57.57 a3-7.sub1.tld2 # 17 wildcard CNAME
addr 127.0.0.16 a4-5-cname3.tld2 # 18 CNAME chain
addr 127.0.0.17 a4-6-cname3.tld2 # 19 stop short in CNAME chain
nochange a5-2.tld2 +norecurse # 20 check that RD=1 is required
nochange a5-3.tld2 +norecurse # 21
nochange a5-4.tld2 +norecurse # 22
nochange sub.a5-4.tld2 +norecurse # 23
nxdomain c1.crash2.tld3 # 24 assert in rbtdb.c
nxdomain a0-1.tld2 +dnssec # 25 simple DO=1 without signatures
nxdomain a0-1.tld2s +nodnssec # 26 simple DO=0 with signatures
nochange a0-1.tld2s +dnssec # 27 simple DO=1 with signatures
nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain
nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain
nochange a0-1.tld2s srv +auth +dnssec # 30 no write for DNSSEC and no record
nxdomain a0-1.tld2s srv +nodnssec # 31
drop a3-8.tld2 any # 32 drop
nochange tcp a3-9.tld2 # 33 tcp-only
here x.servfail <<'EOF' # 34 qname-wait-recurse yes
;; status: SERVFAIL, x
EOF
addr 35.35.35.35 "x.servfail @$ns5" # 35 qname-wait-recurse no
end_group
ckstats $ns3 test1 ns3 22
ckstats $ns5 test1 ns5 1
ckstats $ns6 test1 ns6 0
addr 35.35.35.35 "x.servfail @$ns5" # 35 qname-wait-recurse no
end_group
ckstats $ns3 test1 ns3 22
ckstats $ns5 test1 ns5 1
ckstats $ns6 test1 ns6 0
start_group "NXDOMAIN/NODATA action on QNAME trigger" test1
nxdomain a0-1.tld2 @$ns6 # 1
nodata a3-1.tld2 @$ns6 # 2
nodata a3-2.tld2 @$ns6 # 3 nodata at DNAME itself
nxdomain a4-2.tld2 @$ns6 # 4 rewrite based on CNAME target
nxdomain a4-2-cname.tld2 @$ns6 # 5
nodata a4-3-cname.tld2 @$ns6 # 6
addr 12.12.12.12 "a4-1.sub1.tld2 @$ns6" # 7 A replacement
addr 12.12.12.12 "a4-1.sub2.tld2 @$ns6" # 8 A replacement with wildcard
addr 127.4.4.1 "a4-4.tld2 @$ns6" # 9 prefer 1st conflicting QNAME zone
addr 12.12.12.12 "nxc1.sub1.tld2 @$ns6" # 10 replace NXDOMAIN w/ CNAME
addr 12.12.12.12 "nxc2.sub1.tld2 @$ns6" # 11 replace NXDOMAIN w/ CNAME chain
addr 127.6.2.1 "a6-2.tld2 @$ns6" # 12
addr 56.56.56.56 "a3-6.tld2 @$ns6" # 13 wildcard CNAME
addr 57.57.57.57 "a3-7.sub1.tld2 @$ns6" # 14 wildcard CNAME
addr 127.0.0.16 "a4-5-cname3.tld2 @$ns6" # 15 CNAME chain
addr 127.0.0.17 "a4-6-cname3.tld2 @$ns6" # 16 stop short in CNAME chain
nxdomain c1.crash2.tld3 @$ns6 # 17 assert in rbtdb.c
nxdomain a0-1.tld2 +dnssec @$ns6 # 18 simple DO=1 without sigs
nxdomain a0-1s-cname.tld2s +dnssec @$ns6 # 19
drop a3-8.tld2 any @$ns6 # 20 drop
start_group "NXDOMAIN/NODATA action on QNAME trigger" test1
nxdomain a0-1.tld2 @$ns6 # 1
nodata a3-1.tld2 @$ns6 # 2
nodata a3-2.tld2 @$ns6 # 3 nodata at DNAME itself
nxdomain a4-2.tld2 @$ns6 # 4 rewrite based on CNAME target
nxdomain a4-2-cname.tld2 @$ns6 # 5
nodata a4-3-cname.tld2 @$ns6 # 6
addr 12.12.12.12 "a4-1.sub1.tld2 @$ns6" # 7 A replacement
addr 12.12.12.12 "a4-1.sub2.tld2 @$ns6" # 8 A replacement with wildcard
addr 127.4.4.1 "a4-4.tld2 @$ns6" # 9 prefer 1st conflicting QNAME zone
addr 12.12.12.12 "nxc1.sub1.tld2 @$ns6" # 10 replace NXDOMAIN w/ CNAME
addr 12.12.12.12 "nxc2.sub1.tld2 @$ns6" # 11 replace NXDOMAIN w/ CNAME chain
addr 127.6.2.1 "a6-2.tld2 @$ns6" # 12
addr 56.56.56.56 "a3-6.tld2 @$ns6" # 13 wildcard CNAME
addr 57.57.57.57 "a3-7.sub1.tld2 @$ns6" # 14 wildcard CNAME
addr 127.0.0.16 "a4-5-cname3.tld2 @$ns6" # 15 CNAME chain
addr 127.0.0.17 "a4-6-cname3.tld2 @$ns6" # 16 stop short in CNAME chain
nxdomain c1.crash2.tld3 @$ns6 # 17 assert in rbtdb.c
nxdomain a0-1.tld2 +dnssec @$ns6 # 18 simple DO=1 without sigs
nxdomain a0-1s-cname.tld2s +dnssec @$ns6 # 19
drop a3-8.tld2 any @$ns6 # 20 drop
end_group
ckstatsrange $ns3 test1 ns3 22 28
ckstats $ns5 test1 ns5 0
ckstats $ns6 test1 ns6 0
end_group
ckstatsrange $ns3 test1 ns3 22 28
ckstats $ns5 test1 ns5 0
ckstats $ns6 test1 ns6 0
start_group "IP rewrites" test2
nodata a3-1.tld2 # 1 NODATA
nochange a3-2.tld2 # 2 no policy record so no change
nochange a4-1.tld2 # 3 obsolete PASSTHRU record style
nxdomain a4-2.tld2 # 4
nochange a4-2.tld2 -taaaa # 5 no A => no policy rewrite
nochange a4-2.tld2 -ttxt # 6 no A => no policy rewrite
nxdomain a4-2.tld2 -tany # 7 no A => no policy rewrite
nodata a4-3.tld2 # 8
nxdomain a3-1.tld2 -taaaa # 9 IPv6 policy
nochange a4-1-aaaa.tld2 -taaaa # 10
addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address
addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone
nochange a5-4.tld2 +norecurse # 13 check that RD=1 is required for #14
addr 14.14.14.14 a5-4.tld2 # 14 prefer QNAME to IP
nochange a4-4.tld2 # 15 PASSTHRU
nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c
addr 127.0.0.17 "a4-4.tld2 -b $ns1" # 17 client-IP address trigger
nxdomain a7-1.tld2 # 18 slave policy zone (RT34450)
cp ns2/blv2.tld2.db.in ns2/bl.tld2.db
$RNDCCMD 10.53.0.2 reload bl.tld2
goodsoa="rpz.tld2. hostmaster.ns.tld2. 2 3600 1200 604800 60"
for i in 0 1 2 3 4 5 6 7 8 9 10
do
start_group "IP rewrites" test2
nodata a3-1.tld2 # 1 NODATA
nochange a3-2.tld2 # 2 no policy record so no change
nochange a4-1.tld2 # 3 obsolete PASSTHRU record style
nxdomain a4-2.tld2 # 4
nochange a4-2.tld2 -taaaa # 5 no A => no policy rewrite
nochange a4-2.tld2 -ttxt # 6 no A => no policy rewrite
nxdomain a4-2.tld2 -tany # 7 no A => no policy rewrite
nodata a4-3.tld2 # 8
nxdomain a3-1.tld2 -taaaa # 9 IPv6 policy
nochange a4-1-aaaa.tld2 -taaaa # 10
addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address
addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone
nochange a5-4.tld2 +norecurse # 13 check that RD=1 is required for #14
addr 14.14.14.14 a5-4.tld2 # 14 prefer QNAME to IP
nochange a4-4.tld2 # 15 PASSTHRU
nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c
addr 127.0.0.17 "a4-4.tld2 -b $ns1" # 17 client-IP address trigger
nxdomain a7-1.tld2 # 18 slave policy zone (RT34450)
# updating an response zone policy
cp ns2/blv2.tld2.db.in ns2/bl.tld2.db
$RNDCCMD 10.53.0.2 reload bl.tld2
goodsoa="rpz.tld2. hostmaster.ns.tld2. 2 3600 1200 604800 60"
for i in 0 1 2 3 4 5 6 7 8 9 10
do
soa=`$DIG -p ${PORT} +short soa bl.tld2 @10.53.0.3 -b10.53.0.3`
test "$soa" = "$goodsoa" && break
sleep 1
done
nochange a7-1.tld2 # 19 PASSTHRU
sleep 1 # ensure that a clock tick has occured so that the reload takes effect
cp ns2/blv3.tld2.db.in ns2/bl.tld2.db
goodsoa="rpz.tld2. hostmaster.ns.tld2. 3 3600 1200 604800 60"
$RNDCCMD 10.53.0.2 reload bl.tld2
for i in 0 1 2 3 4 5 6 7 8 9 10
do
done
nochange a7-1.tld2 # 19 PASSTHRU
# ensure that a clock tick has occured so that the reload takes effect
sleep 1
cp ns2/blv3.tld2.db.in ns2/bl.tld2.db
goodsoa="rpz.tld2. hostmaster.ns.tld2. 3 3600 1200 604800 60"
$RNDCCMD 10.53.0.2 reload bl.tld2
for i in 0 1 2 3 4 5 6 7 8 9 10
do
soa=`$DIG -p ${PORT} +short soa bl.tld2 @10.53.0.3 -b10.53.0.3`
test "$soa" = "$goodsoa" && break
sleep 1
done
nxdomain a7-1.tld2 # 20 slave policy zone (RT34450)
end_group
ckstats $ns3 test2 ns3 12
done
nxdomain a7-1.tld2 # 20 slave policy zone (RT34450)
end_group
ckstats $ns3 test2 ns3 12
# check that IP addresses for previous group were deleted from the radix tree
start_group "radix tree deletions"
nochange a3-1.tld2
nochange a3-2.tld2
nochange a4-1.tld2
nochange a4-2.tld2
nochange a4-2.tld2 -taaaa
nochange a4-2.tld2 -ttxt
nochange a4-2.tld2 -tany
nochange a4-3.tld2
nochange a3-1.tld2 -tAAAA
nochange a4-1-aaaa.tld2 -tAAAA
nochange a5-1-2.tld2
end_group
ckstats $ns3 'radix tree deletions' ns3 0
# check that IP addresses for previous group were deleted from the radix tree
start_group "radix tree deletions"
nochange a3-1.tld2
nochange a3-2.tld2
nochange a4-1.tld2
nochange a4-2.tld2
nochange a4-2.tld2 -taaaa
nochange a4-2.tld2 -ttxt
nochange a4-2.tld2 -tany
nochange a4-3.tld2
nochange a3-1.tld2 -tAAAA
nochange a4-1-aaaa.tld2 -tAAAA
nochange a5-1-2.tld2
end_group
ckstats $ns3 'radix tree deletions' ns3 0
if $FEATURETEST --rpz-nsdname; then
if $FEATURETEST --rpz-nsdname; then
# these tests assume "min-ns-dots 0"
start_group "NSDNAME rewrites" test3
nochange a3-1.tld2 # 1
nochange a3-1.tld2 +dnssec # 2 this once caused problems
nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME
nxdomain a3-1.subsub.sub1.tld2
nxdomain a3-1.subsub.sub1.tld2 -tany
addr 12.12.12.12 a4-2.subsub.sub2.tld2 # 6 walled garden for *.sub2.tld2
nochange a3-2.tld2. # 7 exempt rewrite by name
nochange a0-1.tld2. # 8 exempt rewrite by address block
addr 12.12.12.12 a4-1.tld2 # 9 prefer QNAME policy to NSDNAME
addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME
addr 127.0.0.2 a3-1.subsub.sub3.tld2
nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash
nochange a3-1.tld2 # 1
nochange a3-1.tld2 +dnssec # 2 this once caused problems
nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME
nxdomain a3-1.subsub.sub1.tld2 # 4
nxdomain a3-1.subsub.sub1.tld2 -tany # 5
addr 12.12.12.12 a4-2.subsub.sub2.tld2 # 6 walled garden for *.sub2.tld2
nochange a3-2.tld2. # 7 exempt rewrite by name
nochange a0-1.tld2. # 8 exempt rewrite by address block
addr 12.12.12.12 a4-1.tld2 # 9 prefer QNAME policy to NSDNAME
addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME
addr 127.0.0.2 a3-1.subsub.sub3.tld2 # 11
nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash
end_group
ckstats $ns3 test3 ns3 7
else
else
echo_i "NSDNAME not checked; named configured with --disable-rpz-nsdname"
fi
fi
if $FEATURETEST --rpz-nsip; then
if $FEATURETEST --rpz-nsip; then
# these tests assume "min-ns-dots 0"
start_group "NSIP rewrites" test4
nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2
nochange a3-2.tld2. # 2 exempt rewrite by name
nochange a0-1.tld2. # 3 exempt rewrite by address block
nochange a3-1.tld4 # 4 different NS IP address
nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2
nochange a3-2.tld2. # 2 exempt rewrite by name
nochange a0-1.tld2. # 3 exempt rewrite by address block
nochange a3-1.tld4 # 4 different NS IP address
end_group
start_group "walled garden NSIP rewrites" test4a
addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2
addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2
here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2
addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2
addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2
here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2
;; status: NOERROR, x
a3-1.tld2. x IN TXT "NSIP walled garden"
EOF
end_group
ckstats $ns3 test4 ns3 4
else
else
echo_i "NSIP not checked; named configured with --disable-rpz-nsip"
fi
fi
# policies in ./test5 overridden by response-policy{} in ns3/named.conf
# and in ns5/named.conf
start_group "policy overrides" test5
addr 127.0.0.1 a3-1.tld2 # 1 bl-given
nochange a3-2.tld2 # 2 bl-passthru
nochange a3-3.tld2 # 3 bl-no-op obsolete for passthru
nochange a3-4.tld2 # 4 bl-disabled
nodata a3-5.tld2 # 5 bl-nodata zone recursive-only no
nodata a3-5.tld2 +norecurse # 6 bl-nodata zone recursive-only no
nodata a3-5.tld2 # 7 bl-nodata not needed
nxdomain a3-5.tld2 +norecurse @$ns5 # 8 bl-nodata global recursive-only no
nxdomain a3-5.tld2s @$ns5 # 9 bl-nodata global break-dnssec
nxdomain a3-5.tld2s +dnssec @$ns5 # 10 bl-nodata global break-dnssec
nxdomain a3-6.tld2 # 11 bl-nxdomain
here a3-7.tld2 -tany <<'EOF'
# policies in ./test5 overridden by response-policy{} in ns3/named.conf
# and in ns5/named.conf
start_group "policy overrides" test5
addr 127.0.0.1 a3-1.tld2 # 1 bl-given
nochange a3-2.tld2 # 2 bl-passthru
nochange a3-3.tld2 # 3 bl-no-op obsolete for passthru
nochange a3-4.tld2 # 4 bl-disabled
nodata a3-5.tld2 # 5 bl-nodata zone recursive-only no
nodata a3-5.tld2 +norecurse # 6 bl-nodata zone recursive-only no
nodata a3-5.tld2 # 7 bl-nodata not needed
nxdomain a3-5.tld2 +norecurse @$ns5 # 8 bl-nodata global recursive-only no
nxdomain a3-5.tld2s @$ns5 # 9 bl-nodata global break-dnssec
nxdomain a3-5.tld2s +dnssec @$ns5 # 10 bl-nodata global break-dnssec
nxdomain a3-6.tld2 # 11 bl-nxdomain
here a3-7.tld2 -tany <<'EOF' # 12
;; status: NOERROR, x
a3-7.tld2. x IN CNAME txt-only.tld2.
txt-only.tld2. x IN TXT "txt-only-tld2"
EOF
addr 58.58.58.58 a3-8.tld2 # 13 bl_wildcname
addr 59.59.59.59 a3-9.sub9.tld2 # 14 bl_wildcname
addr 12.12.12.12 a3-15.tld2 # 15 bl-garden via CNAME to a12.tld2
addr 127.0.0.16 a3-16.tld2 100 # 16 bl max-policy-ttl 100
addr 17.17.17.17 "a3-17.tld2 @$ns5" 90 # 17 ns5 bl max-policy-ttl 90
drop a3-18.tld2 any # 18 bl-drop
nxdomain TCP a3-19.tld2 # 19 bl-tcp-only
end_group
ckstats $ns3 test5 ns3 12
ckstats $ns5 test5 ns5 4
addr 58.58.58.58 a3-8.tld2 # 13 bl_wildcname
addr 59.59.59.59 a3-9.sub9.tld2 # 14 bl_wildcname
addr 12.12.12.12 a3-15.tld2 # 15 bl-garden via CNAME to a12.tld2
addr 127.0.0.16 a3-16.tld2 100 # 16 bl max-policy-ttl 100
addr 17.17.17.17 "a3-17.tld2 @$ns5" 90 # 17 ns5 bl max-policy-ttl 90
drop a3-18.tld2 any # 18 bl-drop
nxdomain TCP a3-19.tld2 # 19 bl-tcp-only
end_group
ckstats $ns3 test5 ns3 12
ckstats $ns5 test5 ns5 4
# check that miscellaneous bugs are still absent
start_group "crashes" test6
for Q in RRSIG SIG ANY 'ANY +dnssec'; do
# check that miscellaneous bugs are still absent
start_group "crashes" test6
for Q in RRSIG SIG ANY 'ANY +dnssec'; do
nocrash a3-1.tld2 -t$Q
nocrash a3-2.tld2 -t$Q
nocrash a3-5.tld2 -t$Q
nocrash www.redirect -t$Q
nocrash www.credirect -t$Q
done
done
# This is not a bug, because any data leaked by writing 24.4.3.2.10.rpz-ip
# (or whatever) is available by publishing "foo A 10.2.3.4" and then
# resolving foo.
# nxdomain 32.3.2.1.127.rpz-ip
end_group
ckstats $ns3 bugs ns3 8
# This is not a bug, because any data leaked by writing 24.4.3.2.10.rpz-ip
# (or whatever) is available by publishing "foo A 10.2.3.4" and then
# resolving foo.
# nxdomain 32.3.2.1.127.rpz-ip
end_group
ckstats $ns3 bugs ns3 8
# superficial test for major performance bugs
QPERF=`sh qperf.sh`
if test -n "$QPERF"; then
# superficial test for major performance bugs
QPERF=`sh qperf.sh`
if test -n "$QPERF"; then
perf () {
date "+${TS}checking performance $1" | cat_i
# Dry run to prime everything
@ -583,64 +705,54 @@ if test -n "$QPERF"; then
fi
ckstats $ns5 performance ns5 200
else
else
echo_i "performance not checked; queryperf not available"
fi
fi
# restart the main test RPZ server to see if that creates a core file
if test -z "$HAVE_CORE"; then
# restart the main test RPZ server to see if that creates a core file
if test -z "$HAVE_CORE"; then
$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} rpz ns3
restart 3
HAVE_CORE=`find ns* -name '*core*' -print`
test -z "$HAVE_CORE" || setret "found $HAVE_CORE; memory leak?"
fi
fi
# look for complaints from lib/dns/rpz.c and bin/name/query.c
EMSGS=`egrep -l 'invalid rpz|rpz.*failed' ns*/named.run`
if test -n "$EMSGS"; then
# look for complaints from lib/dns/rpz.c and bin/name/query.c
EMSGS=`egrep -l 'invalid rpz|rpz.*failed' ns*/named.run`
if test -n "$EMSGS"; then
setret "error messages in $EMSGS starting with:"
egrep 'invalid rpz|rpz.*failed' ns*/named.run | sed -e '10,$d' | cat_i
fi
fi
echo_i "checking that ttl values are not zeroed when qtype is '*'"
$DIG +noall +answer -p ${PORT} @$ns3 any a3-2.tld2 > dig.out.any
ttl=`awk '/a3-2 tld2 text/ {print $2}' dig.out.any`
if test ${ttl:=0} -eq 0; then setret "failed"; fi
echo_i "checking that ttl values are not zeroed when qtype is '*'"
$DIG +noall +answer -p ${PORT} @$ns3 any a3-2.tld2 > dig.out.any
ttl=`awk '/a3-2 tld2 text/ {print $2}' dig.out.any`
if test ${ttl:=0} -eq 0; then setret "failed"; fi
echo_i "checking rpz updates/transfers with parent nodes added after children"
# regression test for RT #36272: the success condition
# is the slave server not crashing.
nsd() {
$NSUPDATE -p ${PORT} << EOF
server $1
ttl 300
update $2 $3 IN CNAME .
update $2 $4 IN CNAME .
send
EOF
sleep 2
}
for i in 1 2 3 4 5; do
echo_i "checking rpz updates/transfers with parent nodes added after children"
# regression test for RT #36272: the success condition
# is the slave server not crashing.
for i in 1 2 3 4 5; do
nsd $ns5 add example.com.policy1. '*.example.com.policy1.'
nsd $ns5 delete example.com.policy1. '*.example.com.policy1.'
done
for i in 1 2 3 4 5; do
done
for i in 1 2 3 4 5; do
nsd $ns5 add '*.example.com.policy1.' example.com.policy1.
nsd $ns5 delete '*.example.com.policy1.' example.com.policy1.
done
echo_i "checking that going from a empty policy zone works"
nsd $ns5 add '*.x.servfail.policy2.' x.servfail.policy2.
sleep 1
$RNDCCMD $ns7 reload policy2
$DIG z.x.servfail -p ${PORT} @$ns7 > dig.out.ns7
grep NXDOMAIN dig.out.ns7 > /dev/null || setret I:failed;
echo_i "checking rpz with delegation fails correctly"
$DIG -p ${PORT} @$ns3 ns example.com > dig.out.delegation
grep "status: SERVFAIL" dig.out.delegation > /dev/null || setret "I:failed"
done
echo_i "checking that going from a empty policy zone works"
nsd $ns5 add '*.x.servfail.policy2.' x.servfail.policy2.
sleep 1
$RNDCCMD $ns7 reload policy2
$DIG z.x.servfail -p ${PORT} @$ns7 > dig.out.ns7
grep NXDOMAIN dig.out.ns7 > /dev/null || setret I:failed;
echo_i "checking rpz with delegation fails correctly"
$DIG -p ${PORT} @$ns3 ns example.com > dig.out.delegation
grep "status: SERVFAIL" dig.out.delegation > /dev/null || setret "I:failed"
status=`expr ${native:-0} + ${dnsrps:-0}`
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1