diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh index 3fbf0e9f61..22ecf6c3fa 100644 --- a/bin/tests/system/rpz/setup.sh +++ b/bin/tests/system/rpz/setup.sh @@ -36,10 +36,10 @@ for NM in '' -2 -given -disabled -passthru -no-op -nodata -nxdomain -cname -wild sed -e "/SOA/s/blx/bl$NM/g" ns3/base.db >ns3/bl$NM.db done -# sign the root and a zone in ns2 -test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE - -# $1=directory, $2=domain name, $3=input zone file, $4=output file +# $1=directory +# $2=domain name +# $3=input zone file +# $4=output file signzone () { KEYNAME=`$KEYGEN -q -r $RANDFILE -b 512 -K $1 $2` cat $1/$3 $1/$KEYNAME.key > $1/tmp @@ -48,8 +48,10 @@ signzone () { DSFILENAME=dsset-`echo $2 |sed -e "s/\.$//g"`$TP rm $DSFILENAME $1/tmp } -signzone ns2 tld2s. base-tld2s.db tld2s.db +# sign the root and a zone in ns2 +test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE +signzone ns2 tld2s. base-tld2s.db tld2s.db # Performance and a few other checks. cat <ns5/rpz-switch diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh index c4db60fd6f..919f8e5550 100644 --- a/bin/tests/system/rpz/tests.sh +++ b/bin/tests/system/rpz/tests.sh @@ -24,6 +24,7 @@ ns7=$ns.7 # another rewriting resolver HAVE_CORE= SAVE_RESULTS= +status=0 USAGE="$0: [-x]" while getopts "x" c; do 
@@ -83,6 +84,76 @@ setret () { echo_i "$*" } +# set $SN to the SOA serial number of a zone +# $1=domain +# $2=DNS server and client IP address +get_sn() { + SOA=`$DIG -p ${PORT} +short +norecurse soa "$1" "@$2" "-b$2"` + SN=`expr "$SOA" : '[^ ]* [^ ]* \([^ ]*\) .*'` + test "$SN" != "" && return + echo_i "no serial number from \`dig -p ${PORT} soa $1 @$2\` in \"$SOA\"" + exit 1 +} + +get_sn_fast () { + RSN=`$DNSRPSCMD -n "$1"` + #echo "dnsrps serial for $1 is $RSN" + if test -z "$RSN"; then + echo_i "dnsrps failed to get SOA serial number for $1" + exit 1 + fi +} + +# check that dnsrpzd has loaded its zones +# $1=domain +# $2=DNS server IP address +FZONES=`sed -n -e 's/^zone "\(.*\)".*\(10.53.0..\).*/Z=\1;M=\2/p' dnsrpzd.conf` +dnsrps_loaded() { + test "$mode" = dnsrps || return + n=0 + for V in $FZONES; do + eval "$V" + get_sn $Z $M + while true; do + get_sn_fast "$Z" + if test "$SN" -eq "0$RSN"; then + #echo "$Z @$M serial=$SN" + break + fi + n=`expr $n + 1` + if test "$n" -gt $TEN_SECS; then + echo_i "dnsrps serial for $Z is $RSN instead of $SN" + exit 1 + fi + $WAIT_CMD + done + done +} + +# check the serial number in an SOA to ensure that a policy zone has +# been (re)loaded +# $1=serial number +# $2=domain +# $3=DNS server +ck_soa() { + n=0 + while true; do + if test "$mode" = dnsrps; then + get_sn_fast "$2" + test "$RSN" -eq "$1" && return + else + get_sn "$2" "$3" + test "$SN" -eq "$1" && return + fi + n=`expr $n + 1` + if test "$n" -gt $TEN_SECS; then + echo_i "got serial number \"$SN\" instead of \"$1\" from $2 @$3" + return + fi + $WAIT_CMD + done +} + # (re)load the reponse policy zones with the rules in the file $TEST_FILE load_db () { if test -n "$TEST_FILE"; then @@ -122,7 +193,8 @@ restart () { load_db } -# $1=server and irrelevant args $2=error message +# $1=server and irrelevant args +# $2=error message ckalive () { CKALIVE_NS=`expr "$1" : '.*@ns\([1-9]\).*'` if test -z "$CKALIVE_NS"; then 
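Review bot: `dnsrps_loaded` runs `eval "$V"` on strings that sed extracted from dnsrpzd.conf, so whatever sits between the quotes of a `zone "..."` line is executed as shell rather than only assigned. The pair can be split without eval, for example `Z=${V%%;*}; Z=${Z#Z=}` and `M=${V##*;M=}`, and the address pattern in `FZONES` should escape its dots (`10\.53\.0\..`). Separately, when `ck_soa` times out it prints `$SN` even in dnsrps mode, where `$RSN` is the value that was compared. Its bare `return` passes on the status of `echo_i`, so a zone that never reloads is presumably not reported as a failure, unlike `get_sn`, which exits 1. Calling `setret` there instead of `echo_i` would likely record the failure, though only the tail of `setret` is visible in this hunk.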
@@ -170,7 +242,8 @@ ckstatsrange () { eval "${NSDIR}_CNT=$NEW_CNT" } -# $1=message $2=optional test file name +# $1=message +# $2=optional test file name start_group () { ret=0 t=`expr $t + 1` @@ -203,7 +276,8 @@ clean_result () { fi } -# $1=dig args $2=other dig output file +# $1=dig args +# $2=other dig output file ckresult () { #ckalive "$1" "server crashed by 'dig $1'" || return 1 if grep "flags:.* aa .*ad;" $DIGNM; then @@ -226,7 +300,8 @@ ckresult () { } # check only that the server does not crash -# $1=target domain $2=optional query type +# $1=target domain +# $2=optional query type nocrash () { digcmd $* >/dev/null ckalive "$*" "server crashed by 'dig $*'" @@ -234,7 +309,8 @@ nocrash () { # check rewrite to NXDOMAIN -# $1=target domain $2=optional query type +# $1=target domain +# $2=optional query type nxdomain () { make_dignm digcmd $* \ @@ -245,7 +321,8 @@ nxdomain () { } # check rewrite to NODATA -# $1=target domain $2=optional query type +# $1=target domain +# $2=optional query type nodata () { make_dignm digcmd $* \ @@ -255,7 +332,9 @@ nodata () { # check rewrite to an address # modify the output so that it is easily compared, but save the original line -# $1=IPv4 address $2=digcmd args $3=optional TTL +# $1=IPv4 address +# $2=digcmd args +# $3=optional TTL addr () { ADDR=$1 make_dignm @@ -277,7 +356,8 @@ addr () { # Check that a response is not rewritten # Use $ns1 instead of the authority for most test domains, $ns2 to prevent # spurious differences for `dig +norecurse` -# $1=optional "TCP" remaining args for dig +# $1=optional "TCP" +# remaining args for dig nochange () { make_dignm digcmd $* >$DIGNM 
@@ -306,239 +386,281 @@ drop () { return 1 } +nsd() { + $NSUPDATE -p ${PORT} << EOF + server $1 + ttl 300 + update $2 $3 IN CNAME . + update $2 $4 IN CNAME . + send +EOF + sleep 2 +} -# make prototype files to check against rewritten results -digcmd nonexistent @$ns2 >proto.nxdomain -digcmd txt-only.tld2 @$ns2 >proto.nodata +for mode in native dnsrps; do + status=0 + case ${mode} in + native) + if [ -e dnsrps-only ] ; then + echo_i "'dnsrps-only' found: skipping native RPZ sub-test" + continue + else + echo_i "running native RPZ sub-test" + fi + ;; + dnsrps) + if [ -e dnsrps-off ] ; then + echo_i "'dnsrps-off' found: skipping DNSRPS sub-test" + continue + fi + echo_i "attempting to configure servers with DNSRPS..." + $PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} rpz + $SHELL ./setup.sh -N -D $DEBUG + for server in ns*; do + resetstats $server + done + sed -n 's/^## //p' dnsrps.conf | cat_i + if grep '^#fail' dnsrps.conf >/dev/null; then + echo_i "exit status: 1" + exit 1 + fi + if grep '^#skip' dnsrps.conf > /dev/null; then + echo_i "DNSRPS sub-test skipped" + continue + else + echo_i "running DNSRPS sub-test" + $PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} rpz + fi + ;; + esac + # make prototype files to check against rewritten results + digcmd nonexistent @$ns2 >proto.nxdomain + digcmd txt-only.tld2 @$ns2 >proto.nodata -status=0 - -start_group "QNAME rewrites" test1 -nochange . 
# 1 do not crash or rewrite root -nxdomain a0-1.tld2 # 2 -nodata a3-1.tld2 # 3 -nodata a3-2.tld2 # 4 nodata at DNAME itself -nochange sub.a3-2.tld2 # 5 miss where DNAME might work -nxdomain a4-2.tld2 # 6 rewrite based on CNAME target -nxdomain a4-2-cname.tld2 # 7 -nodata a4-3-cname.tld2 # 8 -addr 12.12.12.12 a4-1.sub1.tld2 # 9 A replacement -addr 12.12.12.12 a4-1.sub2.tld2 # 10 A replacement with wildcard -addr 12.12.12.12 nxc1.sub1.tld2 # 11 replace NXDOMAIN with CNAME -addr 12.12.12.12 nxc2.sub1.tld2 # 12 replace NXDOMAIN with CNAME chain -addr 127.4.4.1 a4-4.tld2 # 13 prefer 1st conflicting QNAME zone -nochange a6-1.tld2 # 14 -addr 127.6.2.1 a6-2.tld2 # 15 -addr 56.56.56.56 a3-6.tld2 # 16 wildcard CNAME -addr 57.57.57.57 a3-7.sub1.tld2 # 17 wildcard CNAME -addr 127.0.0.16 a4-5-cname3.tld2 # 18 CNAME chain -addr 127.0.0.17 a4-6-cname3.tld2 # 19 stop short in CNAME chain -nochange a5-2.tld2 +norecurse # 20 check that RD=1 is required -nochange a5-3.tld2 +norecurse # 21 -nochange a5-4.tld2 +norecurse # 22 -nochange sub.a5-4.tld2 +norecurse # 23 -nxdomain c1.crash2.tld3 # 24 assert in rbtdb.c -nxdomain a0-1.tld2 +dnssec # 25 simple DO=1 without signatures -nxdomain a0-1.tld2s +nodnssec # 26 simple DO=0 with signatures -nochange a0-1.tld2s +dnssec # 27 simple DO=1 with signatures -nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain -nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain -nochange a0-1.tld2s srv +auth +dnssec # 30 no write for DNSSEC and no record -nxdomain a0-1.tld2s srv +nodnssec # 31 -drop a3-8.tld2 any # 32 drop -nochange tcp a3-9.tld2 # 33 tcp-only -here x.servfail <<'EOF' # 34 qname-wait-recurse yes + start_group "QNAME rewrites" test1 + nochange . 
# 1 do not crash or rewrite root + nxdomain a0-1.tld2 # 2 + nodata a3-1.tld2 # 3 + nodata a3-2.tld2 # 4 nodata at DNAME itself + nochange sub.a3-2.tld2 # 5 miss where DNAME might work + nxdomain a4-2.tld2 # 6 rewrite based on CNAME target + nxdomain a4-2-cname.tld2 # 7 + nodata a4-3-cname.tld2 # 8 + addr 12.12.12.12 a4-1.sub1.tld2 # 9 A replacement + addr 12.12.12.12 a4-1.sub2.tld2 # 10 A replacement with wildcard + addr 12.12.12.12 nxc1.sub1.tld2 # 11 replace NXDOMAIN with CNAME + addr 12.12.12.12 nxc2.sub1.tld2 # 12 replace NXDOMAIN with CNAME chain + addr 127.4.4.1 a4-4.tld2 # 13 prefer 1st conflicting QNAME zone + nochange a6-1.tld2 # 14 + addr 127.6.2.1 a6-2.tld2 # 15 + addr 56.56.56.56 a3-6.tld2 # 16 wildcard CNAME + addr 57.57.57.57 a3-7.sub1.tld2 # 17 wildcard CNAME + addr 127.0.0.16 a4-5-cname3.tld2 # 18 CNAME chain + addr 127.0.0.17 a4-6-cname3.tld2 # 19 stop short in CNAME chain + nochange a5-2.tld2 +norecurse # 20 check that RD=1 is required + nochange a5-3.tld2 +norecurse # 21 + nochange a5-4.tld2 +norecurse # 22 + nochange sub.a5-4.tld2 +norecurse # 23 + nxdomain c1.crash2.tld3 # 24 assert in rbtdb.c + nxdomain a0-1.tld2 +dnssec # 25 simple DO=1 without signatures + nxdomain a0-1.tld2s +nodnssec # 26 simple DO=0 with signatures + nochange a0-1.tld2s +dnssec # 27 simple DO=1 with signatures + nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain + nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain + nochange a0-1.tld2s srv +auth +dnssec # 30 no write for DNSSEC and no record + nxdomain a0-1.tld2s srv +nodnssec # 31 + drop a3-8.tld2 any # 32 drop + nochange tcp a3-9.tld2 # 33 tcp-only + here x.servfail <<'EOF' # 34 qname-wait-recurse yes ;; status: SERVFAIL, x EOF -addr 35.35.35.35 "x.servfail @$ns5" # 35 qname-wait-recurse no -end_group -ckstats $ns3 test1 ns3 22 -ckstats $ns5 test1 ns5 1 -ckstats $ns6 test1 ns6 0 + addr 35.35.35.35 "x.servfail @$ns5" # 35 qname-wait-recurse no + end_group + ckstats $ns3 test1 ns3 
22 + ckstats $ns5 test1 ns5 1 + ckstats $ns6 test1 ns6 0 -start_group "NXDOMAIN/NODATA action on QNAME trigger" test1 -nxdomain a0-1.tld2 @$ns6 # 1 -nodata a3-1.tld2 @$ns6 # 2 -nodata a3-2.tld2 @$ns6 # 3 nodata at DNAME itself -nxdomain a4-2.tld2 @$ns6 # 4 rewrite based on CNAME target -nxdomain a4-2-cname.tld2 @$ns6 # 5 -nodata a4-3-cname.tld2 @$ns6 # 6 -addr 12.12.12.12 "a4-1.sub1.tld2 @$ns6" # 7 A replacement -addr 12.12.12.12 "a4-1.sub2.tld2 @$ns6" # 8 A replacement with wildcard -addr 127.4.4.1 "a4-4.tld2 @$ns6" # 9 prefer 1st conflicting QNAME zone -addr 12.12.12.12 "nxc1.sub1.tld2 @$ns6" # 10 replace NXDOMAIN w/ CNAME -addr 12.12.12.12 "nxc2.sub1.tld2 @$ns6" # 11 replace NXDOMAIN w/ CNAME chain -addr 127.6.2.1 "a6-2.tld2 @$ns6" # 12 -addr 56.56.56.56 "a3-6.tld2 @$ns6" # 13 wildcard CNAME -addr 57.57.57.57 "a3-7.sub1.tld2 @$ns6" # 14 wildcard CNAME -addr 127.0.0.16 "a4-5-cname3.tld2 @$ns6" # 15 CNAME chain -addr 127.0.0.17 "a4-6-cname3.tld2 @$ns6" # 16 stop short in CNAME chain -nxdomain c1.crash2.tld3 @$ns6 # 17 assert in rbtdb.c -nxdomain a0-1.tld2 +dnssec @$ns6 # 18 simple DO=1 without sigs -nxdomain a0-1s-cname.tld2s +dnssec @$ns6 # 19 -drop a3-8.tld2 any @$ns6 # 20 drop + start_group "NXDOMAIN/NODATA action on QNAME trigger" test1 + nxdomain a0-1.tld2 @$ns6 # 1 + nodata a3-1.tld2 @$ns6 # 2 + nodata a3-2.tld2 @$ns6 # 3 nodata at DNAME itself + nxdomain a4-2.tld2 @$ns6 # 4 rewrite based on CNAME target + nxdomain a4-2-cname.tld2 @$ns6 # 5 + nodata a4-3-cname.tld2 @$ns6 # 6 + addr 12.12.12.12 "a4-1.sub1.tld2 @$ns6" # 7 A replacement + addr 12.12.12.12 "a4-1.sub2.tld2 @$ns6" # 8 A replacement with wildcard + addr 127.4.4.1 "a4-4.tld2 @$ns6" # 9 prefer 1st conflicting QNAME zone + addr 12.12.12.12 "nxc1.sub1.tld2 @$ns6" # 10 replace NXDOMAIN w/ CNAME + addr 12.12.12.12 "nxc2.sub1.tld2 @$ns6" # 11 replace NXDOMAIN w/ CNAME chain + addr 127.6.2.1 "a6-2.tld2 @$ns6" # 12 + addr 56.56.56.56 "a3-6.tld2 @$ns6" # 13 wildcard CNAME + addr 57.57.57.57 "a3-7.sub1.tld2 
@$ns6" # 14 wildcard CNAME + addr 127.0.0.16 "a4-5-cname3.tld2 @$ns6" # 15 CNAME chain + addr 127.0.0.17 "a4-6-cname3.tld2 @$ns6" # 16 stop short in CNAME chain + nxdomain c1.crash2.tld3 @$ns6 # 17 assert in rbtdb.c + nxdomain a0-1.tld2 +dnssec @$ns6 # 18 simple DO=1 without sigs + nxdomain a0-1s-cname.tld2s +dnssec @$ns6 # 19 + drop a3-8.tld2 any @$ns6 # 20 drop + end_group + ckstatsrange $ns3 test1 ns3 22 28 + ckstats $ns5 test1 ns5 0 + ckstats $ns6 test1 ns6 0 -end_group -ckstatsrange $ns3 test1 ns3 22 28 -ckstats $ns5 test1 ns5 0 -ckstats $ns6 test1 ns6 0 - -start_group "IP rewrites" test2 -nodata a3-1.tld2 # 1 NODATA -nochange a3-2.tld2 # 2 no policy record so no change -nochange a4-1.tld2 # 3 obsolete PASSTHRU record style -nxdomain a4-2.tld2 # 4 -nochange a4-2.tld2 -taaaa # 5 no A => no policy rewrite -nochange a4-2.tld2 -ttxt # 6 no A => no policy rewrite -nxdomain a4-2.tld2 -tany # 7 no A => no policy rewrite -nodata a4-3.tld2 # 8 -nxdomain a3-1.tld2 -taaaa # 9 IPv6 policy -nochange a4-1-aaaa.tld2 -taaaa # 10 -addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address -addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone -nochange a5-4.tld2 +norecurse # 13 check that RD=1 is required for #14 -addr 14.14.14.14 a5-4.tld2 # 14 prefer QNAME to IP -nochange a4-4.tld2 # 15 PASSTHRU -nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c -addr 127.0.0.17 "a4-4.tld2 -b $ns1" # 17 client-IP address trigger -nxdomain a7-1.tld2 # 18 slave policy zone (RT34450) -cp ns2/blv2.tld2.db.in ns2/bl.tld2.db -$RNDCCMD 10.53.0.2 reload bl.tld2 -goodsoa="rpz.tld2. hostmaster.ns.tld2. 
2 3600 1200 604800 60" -for i in 0 1 2 3 4 5 6 7 8 9 10 -do + start_group "IP rewrites" test2 + nodata a3-1.tld2 # 1 NODATA + nochange a3-2.tld2 # 2 no policy record so no change + nochange a4-1.tld2 # 3 obsolete PASSTHRU record style + nxdomain a4-2.tld2 # 4 + nochange a4-2.tld2 -taaaa # 5 no A => no policy rewrite + nochange a4-2.tld2 -ttxt # 6 no A => no policy rewrite + nxdomain a4-2.tld2 -tany # 7 no A => no policy rewrite + nodata a4-3.tld2 # 8 + nxdomain a3-1.tld2 -taaaa # 9 IPv6 policy + nochange a4-1-aaaa.tld2 -taaaa # 10 + addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address + addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone + nochange a5-4.tld2 +norecurse # 13 check that RD=1 is required for #14 + addr 14.14.14.14 a5-4.tld2 # 14 prefer QNAME to IP + nochange a4-4.tld2 # 15 PASSTHRU + nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c + addr 127.0.0.17 "a4-4.tld2 -b $ns1" # 17 client-IP address trigger + nxdomain a7-1.tld2 # 18 slave policy zone (RT34450) + # updating an response zone policy + cp ns2/blv2.tld2.db.in ns2/bl.tld2.db + $RNDCCMD 10.53.0.2 reload bl.tld2 + goodsoa="rpz.tld2. hostmaster.ns.tld2. 2 3600 1200 604800 60" + for i in 0 1 2 3 4 5 6 7 8 9 10 + do soa=`$DIG -p ${PORT} +short soa bl.tld2 @10.53.0.3 -b10.53.0.3` test "$soa" = "$goodsoa" && break sleep 1 -done -nochange a7-1.tld2 # 19 PASSTHRU -sleep 1 # ensure that a clock tick has occured so that the reload takes effect -cp ns2/blv3.tld2.db.in ns2/bl.tld2.db -goodsoa="rpz.tld2. hostmaster.ns.tld2. 3 3600 1200 604800 60" -$RNDCCMD 10.53.0.2 reload bl.tld2 -for i in 0 1 2 3 4 5 6 7 8 9 10 -do + done + nochange a7-1.tld2 # 19 PASSTHRU + # ensure that a clock tick has occured so that the reload takes effect + sleep 1 + cp ns2/blv3.tld2.db.in ns2/bl.tld2.db + goodsoa="rpz.tld2. hostmaster.ns.tld2. 
3 3600 1200 604800 60" + $RNDCCMD 10.53.0.2 reload bl.tld2 + for i in 0 1 2 3 4 5 6 7 8 9 10 + do soa=`$DIG -p ${PORT} +short soa bl.tld2 @10.53.0.3 -b10.53.0.3` test "$soa" = "$goodsoa" && break sleep 1 -done -nxdomain a7-1.tld2 # 20 slave policy zone (RT34450) -end_group -ckstats $ns3 test2 ns3 12 + done + nxdomain a7-1.tld2 # 20 slave policy zone (RT34450) + end_group + ckstats $ns3 test2 ns3 12 -# check that IP addresses for previous group were deleted from the radix tree -start_group "radix tree deletions" -nochange a3-1.tld2 -nochange a3-2.tld2 -nochange a4-1.tld2 -nochange a4-2.tld2 -nochange a4-2.tld2 -taaaa -nochange a4-2.tld2 -ttxt -nochange a4-2.tld2 -tany -nochange a4-3.tld2 -nochange a3-1.tld2 -tAAAA -nochange a4-1-aaaa.tld2 -tAAAA -nochange a5-1-2.tld2 -end_group -ckstats $ns3 'radix tree deletions' ns3 0 + # check that IP addresses for previous group were deleted from the radix tree + start_group "radix tree deletions" + nochange a3-1.tld2 + nochange a3-2.tld2 + nochange a4-1.tld2 + nochange a4-2.tld2 + nochange a4-2.tld2 -taaaa + nochange a4-2.tld2 -ttxt + nochange a4-2.tld2 -tany + nochange a4-3.tld2 + nochange a3-1.tld2 -tAAAA + nochange a4-1-aaaa.tld2 -tAAAA + nochange a5-1-2.tld2 + end_group + ckstats $ns3 'radix tree deletions' ns3 0 -if $FEATURETEST --rpz-nsdname; then + if $FEATURETEST --rpz-nsdname; then # these tests assume "min-ns-dots 0" start_group "NSDNAME rewrites" test3 - nochange a3-1.tld2 # 1 - nochange a3-1.tld2 +dnssec # 2 this once caused problems - nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME - nxdomain a3-1.subsub.sub1.tld2 - nxdomain a3-1.subsub.sub1.tld2 -tany - addr 12.12.12.12 a4-2.subsub.sub2.tld2 # 6 walled garden for *.sub2.tld2 - nochange a3-2.tld2. # 7 exempt rewrite by name - nochange a0-1.tld2. 
# 8 exempt rewrite by address block - addr 12.12.12.12 a4-1.tld2 # 9 prefer QNAME policy to NSDNAME - addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME - addr 127.0.0.2 a3-1.subsub.sub3.tld2 - nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash + nochange a3-1.tld2 # 1 + nochange a3-1.tld2 +dnssec # 2 this once caused problems + nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME + nxdomain a3-1.subsub.sub1.tld2 # 4 + nxdomain a3-1.subsub.sub1.tld2 -tany # 5 + addr 12.12.12.12 a4-2.subsub.sub2.tld2 # 6 walled garden for *.sub2.tld2 + nochange a3-2.tld2. # 7 exempt rewrite by name + nochange a0-1.tld2. # 8 exempt rewrite by address block + addr 12.12.12.12 a4-1.tld2 # 9 prefer QNAME policy to NSDNAME + addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME + addr 127.0.0.2 a3-1.subsub.sub3.tld2 # 11 + nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash end_group ckstats $ns3 test3 ns3 7 -else + else echo_i "NSDNAME not checked; named configured with --disable-rpz-nsdname" -fi + fi -if $FEATURETEST --rpz-nsip; then + if $FEATURETEST --rpz-nsip; then # these tests assume "min-ns-dots 0" start_group "NSIP rewrites" test4 - nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2 - nochange a3-2.tld2. # 2 exempt rewrite by name - nochange a0-1.tld2. # 3 exempt rewrite by address block - nochange a3-1.tld4 # 4 different NS IP address + nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2 + nochange a3-2.tld2. # 2 exempt rewrite by name + nochange a0-1.tld2. 
# 3 exempt rewrite by address block + nochange a3-1.tld4 # 4 different NS IP address end_group start_group "walled garden NSIP rewrites" test4a - addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2 - addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2 - here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2 + addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2 + addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2 + here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2 ;; status: NOERROR, x a3-1.tld2. x IN TXT "NSIP walled garden" EOF end_group ckstats $ns3 test4 ns3 4 -else + else echo_i "NSIP not checked; named configured with --disable-rpz-nsip" -fi + fi -# policies in ./test5 overridden by response-policy{} in ns3/named.conf -# and in ns5/named.conf -start_group "policy overrides" test5 -addr 127.0.0.1 a3-1.tld2 # 1 bl-given -nochange a3-2.tld2 # 2 bl-passthru -nochange a3-3.tld2 # 3 bl-no-op obsolete for passthru -nochange a3-4.tld2 # 4 bl-disabled -nodata a3-5.tld2 # 5 bl-nodata zone recursive-only no -nodata a3-5.tld2 +norecurse # 6 bl-nodata zone recursive-only no -nodata a3-5.tld2 # 7 bl-nodata not needed -nxdomain a3-5.tld2 +norecurse @$ns5 # 8 bl-nodata global recursive-only no -nxdomain a3-5.tld2s @$ns5 # 9 bl-nodata global break-dnssec -nxdomain a3-5.tld2s +dnssec @$ns5 # 10 bl-nodata global break-dnssec -nxdomain a3-6.tld2 # 11 bl-nxdomain -here a3-7.tld2 -tany <<'EOF' + # policies in ./test5 overridden by response-policy{} in ns3/named.conf + # and in ns5/named.conf + start_group "policy overrides" test5 + addr 127.0.0.1 a3-1.tld2 # 1 bl-given + nochange a3-2.tld2 # 2 bl-passthru + nochange a3-3.tld2 # 3 bl-no-op obsolete for passthru + nochange a3-4.tld2 # 4 bl-disabled + nodata a3-5.tld2 # 5 bl-nodata zone recursive-only no + nodata a3-5.tld2 +norecurse # 6 bl-nodata zone recursive-only no + nodata a3-5.tld2 # 7 bl-nodata not needed + nxdomain a3-5.tld2 +norecurse @$ns5 # 8 bl-nodata global 
recursive-only no + nxdomain a3-5.tld2s @$ns5 # 9 bl-nodata global break-dnssec + nxdomain a3-5.tld2s +dnssec @$ns5 # 10 bl-nodata global break-dnssec + nxdomain a3-6.tld2 # 11 bl-nxdomain + here a3-7.tld2 -tany <<'EOF' # 12 ;; status: NOERROR, x a3-7.tld2. x IN CNAME txt-only.tld2. txt-only.tld2. x IN TXT "txt-only-tld2" EOF -addr 58.58.58.58 a3-8.tld2 # 13 bl_wildcname -addr 59.59.59.59 a3-9.sub9.tld2 # 14 bl_wildcname -addr 12.12.12.12 a3-15.tld2 # 15 bl-garden via CNAME to a12.tld2 -addr 127.0.0.16 a3-16.tld2 100 # 16 bl max-policy-ttl 100 -addr 17.17.17.17 "a3-17.tld2 @$ns5" 90 # 17 ns5 bl max-policy-ttl 90 -drop a3-18.tld2 any # 18 bl-drop -nxdomain TCP a3-19.tld2 # 19 bl-tcp-only -end_group -ckstats $ns3 test5 ns3 12 -ckstats $ns5 test5 ns5 4 + addr 58.58.58.58 a3-8.tld2 # 13 bl_wildcname + addr 59.59.59.59 a3-9.sub9.tld2 # 14 bl_wildcname + addr 12.12.12.12 a3-15.tld2 # 15 bl-garden via CNAME to a12.tld2 + addr 127.0.0.16 a3-16.tld2 100 # 16 bl max-policy-ttl 100 + addr 17.17.17.17 "a3-17.tld2 @$ns5" 90 # 17 ns5 bl max-policy-ttl 90 + drop a3-18.tld2 any # 18 bl-drop + nxdomain TCP a3-19.tld2 # 19 bl-tcp-only + end_group + ckstats $ns3 test5 ns3 12 + ckstats $ns5 test5 ns5 4 - -# check that miscellaneous bugs are still absent -start_group "crashes" test6 -for Q in RRSIG SIG ANY 'ANY +dnssec'; do + # check that miscellaneous bugs are still absent + start_group "crashes" test6 + for Q in RRSIG SIG ANY 'ANY +dnssec'; do nocrash a3-1.tld2 -t$Q nocrash a3-2.tld2 -t$Q nocrash a3-5.tld2 -t$Q nocrash www.redirect -t$Q nocrash www.credirect -t$Q -done + done -# This is not a bug, because any data leaked by writing 24.4.3.2.10.rpz-ip -# (or whatever) is available by publishing "foo A 10.2.3.4" and then -# resolving foo. -# nxdomain 32.3.2.1.127.rpz-ip -end_group -ckstats $ns3 bugs ns3 8 + # This is not a bug, because any data leaked by writing 24.4.3.2.10.rpz-ip + # (or whatever) is available by publishing "foo A 10.2.3.4" and then + # resolving foo. 
+ # nxdomain 32.3.2.1.127.rpz-ip + end_group + ckstats $ns3 bugs ns3 8 - - -# superficial test for major performance bugs -QPERF=`sh qperf.sh` -if test -n "$QPERF"; then + # superficial test for major performance bugs + QPERF=`sh qperf.sh` + if test -n "$QPERF"; then perf () { date "+${TS}checking performance $1" | cat_i # Dry run to prime everything 
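Review bot: As far as these hunks show, the per-mode results never reach the exit code: `status=0` is reset at the top of each `for mode in native dnsrps` pass, and the last hunk derives the final `status` from `expr ${native:-0} + ${dnsrps:-0}`, yet nothing visible assigns `native` or `dnsrps`. Unless `setret` or another part of the file outside the diff sets them, the script exits 0 even when a sub-test failed, and a native failure is discarded as soon as the dnsrps pass starts. Saving the result just before the loop's closing `done` in the last hunk, for example `case $mode in native) native=$status ;; dnsrps) dnsrps=$status ;; esac`, would make the sum meaningful. The dnsrps arm also runs `stop.pl` and `./setup.sh` without checking their exit status before it greps dnsrps.conf, so a failed setup could be judged from a stale file.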
@@ -583,64 +705,54 @@ if test -n "$QPERF"; then fi ckstats $ns5 performance ns5 200 -else + else echo_i "performance not checked; queryperf not available" -fi + fi - -# restart the main test RPZ server to see if that creates a core file -if test -z "$HAVE_CORE"; then + # restart the main test RPZ server to see if that creates a core file + if test -z "$HAVE_CORE"; then $PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} rpz ns3 restart 3 HAVE_CORE=`find ns* -name '*core*' -print` test -z "$HAVE_CORE" || setret "found $HAVE_CORE; memory leak?" -fi + fi -# look for complaints from lib/dns/rpz.c and bin/name/query.c -EMSGS=`egrep -l 'invalid rpz|rpz.*failed' ns*/named.run` -if test -n "$EMSGS"; then + # look for complaints from lib/dns/rpz.c and bin/name/query.c + EMSGS=`egrep -l 'invalid rpz|rpz.*failed' ns*/named.run` + if test -n "$EMSGS"; then setret "error messages in $EMSGS starting with:" egrep 'invalid rpz|rpz.*failed' ns*/named.run | sed -e '10,$d' | cat_i -fi + fi -echo_i "checking that ttl values are not zeroed when qtype is '*'" -$DIG +noall +answer -p ${PORT} @$ns3 any a3-2.tld2 > dig.out.any -ttl=`awk '/a3-2 tld2 text/ {print $2}' dig.out.any` -if test ${ttl:=0} -eq 0; then setret "failed"; fi + echo_i "checking that ttl values are not zeroed when qtype is '*'" + $DIG +noall +answer -p ${PORT} @$ns3 any a3-2.tld2 > dig.out.any + ttl=`awk '/a3-2 tld2 text/ {print $2}' dig.out.any` + if test ${ttl:=0} -eq 0; then setret "failed"; fi -echo_i "checking rpz updates/transfers with parent nodes added after children" -# regression test for RT #36272: the success condition -# is the slave server not crashing. -nsd() { - $NSUPDATE -p ${PORT} << EOF -server $1 -ttl 300 -update $2 $3 IN CNAME . -update $2 $4 IN CNAME . -send -EOF - sleep 2 -} - -for i in 1 2 3 4 5; do + echo_i "checking rpz updates/transfers with parent nodes added after children" + # regression test for RT #36272: the success condition + # is the slave server not crashing. 
+ for i in 1 2 3 4 5; do nsd $ns5 add example.com.policy1. '*.example.com.policy1.' nsd $ns5 delete example.com.policy1. '*.example.com.policy1.' -done -for i in 1 2 3 4 5; do + done + for i in 1 2 3 4 5; do nsd $ns5 add '*.example.com.policy1.' example.com.policy1. nsd $ns5 delete '*.example.com.policy1.' example.com.policy1. + done + + echo_i "checking that going from a empty policy zone works" + nsd $ns5 add '*.x.servfail.policy2.' x.servfail.policy2. + sleep 1 + $RNDCCMD $ns7 reload policy2 + $DIG z.x.servfail -p ${PORT} @$ns7 > dig.out.ns7 + grep NXDOMAIN dig.out.ns7 > /dev/null || setret I:failed; + + echo_i "checking rpz with delegation fails correctly" + $DIG -p ${PORT} @$ns3 ns example.com > dig.out.delegation + grep "status: SERVFAIL" dig.out.delegation > /dev/null || setret "I:failed" done - -echo_i "checking that going from a empty policy zone works" -nsd $ns5 add '*.x.servfail.policy2.' x.servfail.policy2. -sleep 1 -$RNDCCMD $ns7 reload policy2 -$DIG z.x.servfail -p ${PORT} @$ns7 > dig.out.ns7 -grep NXDOMAIN dig.out.ns7 > /dev/null || setret I:failed; - -echo_i "checking rpz with delegation fails correctly" -$DIG -p ${PORT} @$ns3 ns example.com > dig.out.delegation -grep "status: SERVFAIL" dig.out.delegation > /dev/null || setret "I:failed" +status=`expr ${native:-0} + ${dnsrps:-0}` echo_i "exit status: $status" [ $status -eq 0 ] || exit 1