diff --git a/bin/tests/system/rpz/ns1/root.db b/bin/tests/system/rpz/ns1/root.db
index 0abc1a2f99..2e8ce08e69 100644
--- a/bin/tests/system/rpz/ns1/root.db
+++ b/bin/tests/system/rpz/ns1/root.db
@@ -33,3 +33,8 @@ ns.tld5. A 10.53.0.5
 ; generate SERVFAIL
 servfail NS ns.tld2.
+
+a-only.example A 1.2.3.4
+no-a-no-aaaa.example TXT placeholder
+a-plus-aaaa.example A 1.2.3.4
+a-plus-aaaa.example AAAA ::1
diff --git a/bin/tests/system/rpz/ns9/hints b/bin/tests/system/rpz/ns9/hints
new file mode 100644
index 0000000000..28e5850c4f
--- /dev/null
+++ b/bin/tests/system/rpz/ns9/hints
@@ -0,0 +1,11 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 120 NS ns.
+ns. 120 A 10.53.0.1
diff --git a/bin/tests/system/rpz/ns9/named.conf.in b/bin/tests/system/rpz/ns9/named.conf.in
new file mode 100644
index 0000000000..123ab95b03
--- /dev/null
+++ b/bin/tests/system/rpz/ns9/named.conf.in
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*
+ * DNS64 / RPZ server.
+ */
+
+options {
+ query-source address 10.53.0.9;
+ notify-source 10.53.0.9;
+ transfer-source 10.53.0.9;
+ port @PORT@;
+ pid-file "named.pid";
+ statistics-file "named.stats";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.9; };
+ listen-on-v6 { none; };
+ notify yes;
+ minimal-responses no;
+ recursion yes;
+ dnssec-validation yes;
+ dns64-server "example.localdomain.";
+ dns64 64:ff9b::/96 { };
+ response-policy {
+ zone "rpz";
+ }
+ qname-wait-recurse no ;
+
+ include "../dnsrps.conf";
+ notify-delay 0;
+};
+
+logging { category rpz { default_debug; }; };
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+controls {
+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+zone "." { type hint; file "hints"; };
+
+zone "rpz." {
+ type master;
+ file "rpz.db";
+ notify no;
+};
diff --git a/bin/tests/system/rpz/ns9/rpz.db b/bin/tests/system/rpz/ns9/rpz.db
new file mode 100644
index 0000000000..98ebf01ac2
--- /dev/null
+++ b/bin/tests/system/rpz/ns9/rpz.db
@@ -0,0 +1,5 @@
+rpz. 28800 IN SOA rpz. hostmaster.rpz. 6 10800 3600 2419200 900
+rpz. 28800 IN NS .
+a-only.example.rpz. 28800 IN CNAME *.
+no-a-no-aaaa.example.rpz. 28800 IN CNAME *.
+a-plus-aaaa.example.rpz. 28800 IN CNAME *.
diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh
index 3318e33329..bd843a67c6 100644
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
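Review bot: In the new ns9/named.conf.in the `response-policy` statement is written with its closing brace on one line and `qname-wait-recurse no ;` on the next, which reads as two unrelated option statements even though `qname-wait-recurse` is a modifier of `response-policy` and the statement only ends at the `;` after `no`. Writing it as `} qname-wait-recurse no;` keeps the modifier visibly attached to the block it belongs to and drops the stray space before the semicolon; the other ns*/named.conf.in files in this test presumably use that form, so check against them. The header comment `DNS64 / RPZ server.` says nothing about why this instance exists; `DNS64 / RPZ server: checks that an RPZ 'CNAME *.' (NODATA) rewrite takes precedence over DNS64 synthesis.` would tell the next reader what ns9 is for without opening tests.sh.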
@@ -51,6 +51,7 @@ copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
 copy_setports ns7/named.conf.in ns7/named.conf
 copy_setports ns8/named.conf.in ns8/named.conf
+copy_setports ns9/named.conf.in ns9/named.conf
 copy_setports dnsrpzd.conf.in dnsrpzd.conf
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index 1a035dc486..a85d5dfe1a 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -856,6 +856,33 @@ EOF
 grep "status: SERVFAIL" dig.out.$t > /dev/null || setret "failed"
 fi
+ # RPZ 'CNAME *.' (NODATA) trumps DNS64. Test against various DNS64 senarios.
+ for label in a-only no-a-no-aaaa a-plus-aaaa
+ do
+ for type in AAAA A
+ do
+ t=`expr $t + 1`
+ case $label in
+ a-only)
+ echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with A-only (${t})"
+ ;;
+ no-a-no-aaaa)
+ echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with no A or AAAA (${t})"
+ ;;
+ a-plus-aaaa)
+ echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with A and AAAA (${t})"
+ ;;
+ esac
+ ret=0
+ $DIG ${label}.example -p ${PORT} $type @10.53.0.9 > dig.out.${t}
+ grep "status: NOERROR" dig.out.$t > /dev/null || ret=1
+ grep "ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2$" dig.out.$t > /dev/null || ret=1
+ grep "^rpz" dig.out.$t > /dev/null || ret=1
+ [ $ret -eq 0 ] || echo_i "failed"
+ status=`expr $status + $ret`
+ done
+ done
+
 [ $status -ne 0 ] && pf=fail || pf=pass
 case $mode in
 native)
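Review bot: The new tests.sh loop body reports failures by hand (`ret=0`, three `|| ret=1` greps, `[ $ret -eq 0 ] || echo_i "failed"`, `status=`expr $status + $ret``) while the context line directly above it uses the file's `setret "failed"` helper for the same job, so the hunk mixes two failure-reporting conventions in adjacent code; if `setret` records the failure in `status` as its use just above suggests, each grep can simply end in `|| setret "failed"` and the `ret` bookkeeping goes away. The comment on the first added line misspells `scenarios` as `senarios`. The `ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2$` check hard-codes section sizes without saying where the two ADDITIONAL records come from; a comment such as `# NODATA rewrite: no answer, no authority; ADDITIONAL holds only the OPT record and the rpz zone SOA that RPZ attaches` before the greps would explain the expected counts and why `grep "^rpz"` is the companion check (the rpz SOA being one of the two records is inferred from that grep, so confirm it).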