Split up the dnsrps and native variants of rpz system tests

Previously, the dnsrps test was executed as an optional part of the rpz and
rpzrecurse system tests. This was conceptually problematic, as the test
took the responsibility of running parts of the test framework -
cleaning files and setting up servers again.

Instead, allow these tests to execute either the native variant, or the
dnsrps one. To ensure the same test coverage, trigger both of these
variants as separate test cases from pytest.
Tom Krizek 2023-10-24 10:36:48 +02:00
parent 1fb6e5cb97
commit cb55fb2cae
No known key found for this signature in database
GPG key ID: 01623B9B652A20A7
8 changed files with 950 additions and 1074 deletions


@ -12,6 +12,7 @@
# information regarding copyright ownership.
import os
from pathlib import Path
import subprocess
import pytest
@ -33,6 +34,19 @@ def feature_test(feature):
return True
DNSRPS_BIN = Path(os.environ["TOP_BUILDDIR"]) / "bin/tests/system/rpz/dnsrps"
def is_dnsrps_available():
if not feature_test("--enable-dnsrps"):
return False
try:
subprocess.run([DNSRPS_BIN, "-a"], check=True)
except subprocess.CalledProcessError:
return False
return True
have_libxml2 = pytest.mark.skipif(
not feature_test("--have-libxml2"), reason="libxml2 support disabled in the build"
)
@ -41,6 +55,10 @@ have_json_c = pytest.mark.skipif(
not feature_test("--have-json-c"), reason="json-c support disabled in the build"
)
dnsrps_enabled = pytest.mark.skipif(
not is_dnsrps_available(), reason="dnsrps disabled in the build"
)
try:
import flaky as flaky_pkg # type: ignore
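Review bot: `is_dnsrps_available()` only catches `subprocess.CalledProcessError`, so when the build was configured with `--enable-dnsrps` but the `dnsrps` helper binary is absent (not built, or `TOP_BUILDDIR` pointing elsewhere) the `subprocess.run` call raises `FileNotFoundError`; because `dnsrps_enabled` is evaluated at module level, that breaks collection of every test module importing `isctest.mark`, not just the two dnsrps tests. Catching the OS error too keeps it a skip: `except (subprocess.CalledProcessError, OSError): return False`. The probe's stdout and stderr are also left attached to pytest's own streams; `subprocess.run([DNSRPS_BIN, "-a"], check=True, capture_output=True)` keeps collection output clean. A one-line docstring saying what `-a` is expected to report (presumably "is the dnsrps library usable") would also help, since that is not visible from here.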


@ -11,29 +11,6 @@
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# Clean up after rpz tests.
USAGE="$0: [-Px]"
DEBUG=
while getopts "Px" c; do
case $c in
x) set -x ;;
P) PARTIAL=set ;;
*)
echo "$USAGE" 1>&2
exit 1
;;
esac
done
shift $((OPTIND - 1))
if test "$#" -ne 0; then
echo "$USAGE" 1>&2
exit 1
fi
# this might be called from setup.sh to partially clean up the files
# from the first test pass so the second pass can be set up correctly.
# remove those files first, then decide whether to remove the others.
rm -f ns*/*.key ns*/*.private
rm -f ns2/tld2s.db */bl.tld2.db */bl.tld2s.db
rm -f ns3/bl*.db ns3/fast-expire.db ns*/empty.db
@ -44,15 +21,13 @@ rm -f ns8/manual-update-rpz.db
rm -f */policy2.db
rm -f */*.jnl
rm -f dnsrps.cache dnsrps.conf
if [ ${PARTIAL:-unset} = unset ]; then
rm -f proto.* dsset-* trusted.conf dig.out* nsupdate.tmp ns*/*tmp
rm -f ns5/requests ns5/*.perf
rm -f */named.memstats */*.run */*.run.prev */named.stats */session.key
rm -f */*.log */*core */*.pid
rm -f ns*/named.conf
rm -f ns*/*switch
rm -f dnsrps.zones
rm -f ns*/managed-keys.bind*
rm -f tmp
fi
rm -f proto.* dsset-* trusted.conf dig.out* nsupdate.tmp ns*/*tmp
rm -f ns5/requests ns5/*.perf
rm -f */named.memstats */*.run */*.run.prev */named.stats */session.key
rm -f */*.log */*core */*.pid
rm -f ns*/named.lock
rm -f ns*/named.conf
rm -f ns*/*switch
rm -f dnsrps.zones
rm -f ns*/managed-keys.bind*
rm -f tmp
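Review bot: With the `getopts` block removed, `clean.sh` now silently accepts and ignores any arguments, so a stale caller still passing the old `-P` (partial clean) or `-x` switches gets a full clean with no diagnostic instead of the usage error it got before. A one-line guard keeps the old contract without the parser: `[ "$#" -eq 0 ] || { echo "$0: no arguments expected" 1>&2; exit 1; }`. The newly added `rm -f ns*/named.lock` is presumably there to drop a lock file left behind by a server that did not exit cleanly; a short comment saying so, and that it assumes all test servers are already stopped, would save the next reader from wondering whether it is safe to run while servers are up.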


@ -19,31 +19,7 @@ set -e
QPERF=$($SHELL qperf.sh)
USAGE="$0: [-DNx]"
DEBUG=
while getopts "DNx" c; do
case $c in
x)
set -x
DEBUG=-x
;;
D) TEST_DNSRPS="-D" ;;
N) PARTIAL=-P ;;
*)
echo "$USAGE" 1>&2
exit 1
;;
esac
done
shift $((OPTIND - 1))
if test "$#" -ne 0; then
echo "$USAGE" 1>&2
exit 1
fi
if [ ${NOCLEAN:-unset} = unset ]; then
$SHELL clean.sh $PARTIAL $DEBUG
fi
$SHELL clean.sh
for dir in ns*; do
touch $dir/named.run
@ -63,10 +39,7 @@ copy_setports ns10/named.conf.in ns10/named.conf
copy_setports dnsrps.zones.in dnsrps.zones
# decide whether to test DNSRPS
# Note that dnsrps.conf is included in named.conf
$SHELL ../ckdnsrps.sh $TEST_DNSRPS $DEBUG
test -z "$(grep 'testing with DNSRPS' dnsrps.conf)" && TEST_DNSRPS=
touch dnsrps.conf
touch dnsrps.cache
# set up test policy zones.
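Review bot: The comment `# decide whether to test DNSRPS` above the two `touch` lines is now stale: nothing here decides anything any more, the lines only guarantee that `dnsrps.conf` (which named.conf includes, per the line above) and `dnsrps.cache` exist so a native run starts with an empty provider config. Replace it with something like `# dnsrps.conf is included by named.conf; an empty file means native RPZ. tests_dnsrps.py overwrites it to select the DNSRPS variant.` The ordering this relies on is worth stating in that comment too: `clean.sh`, now called unconditionally at the top of this script, removes `dnsrps.conf`, so the pytest variant's config must be written after setup.sh has run — I cannot see the fixture order from here, so please confirm that is the case.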



@ -0,0 +1,26 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
import isctest.mark
pytestmark = isctest.mark.dnsrps_enabled
def test_rpz_dnsrps(run_tests_sh):
with open("dnsrps.conf", "w", encoding="utf-8") as conf:
conf.writelines(
[
"dnsrps-options { log-level 3 };"
"dnsrps-enable yes;"
'dnsrps-library "../../rpz/testlib/.libs/libdummyrpz.so";'
]
)
run_tests_sh()
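Review bot: The three config statements are passed to `writelines` as adjacent string literals, which the parser concatenates into one string, and `writelines` adds no separators, so `dnsrps.conf` ends up as a single run-on line with no trailing newline — valid for named's parser but awkward in a failing run's artifacts. Write it as `conf.write("\n".join([...]) + "\n")` or append `"\n"` to each literal; tests.sh's `grep 'dnsrps-enable yes;'` still matches either way. The `dnsrps-library` path is relative, so it is presumably resolved against the directory each named instance is started from (the `../../rpz/` prefix suggests the `nsN/` subdirectories); a one-line comment stating that, plus a docstring such as `"""Run tests.sh with DNSRPS enabled via the dummy librpz test library."""`, would make the intent clear.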


@ -17,29 +17,7 @@ set -e
. ../conf.sh
USAGE="$0: [-DNx]"
DEBUG=
while getopts "DNx" c; do
case $c in
x)
set -x
DEBUG=-x
;;
D) TEST_DNSRPS="-D" ;;
N) NOCLEAN=set ;;
*)
echo "$USAGE" 1>&2
exit 1
;;
esac
done
shift $((OPTIND - 1))
if test "$#" -ne 0; then
echo "$USAGE" 1>&2
exit 1
fi
[ ${NOCLEAN:-unset} = unset ] && $SHELL clean.sh $DEBUG
$SHELL clean.sh
$PERL testgen.pl
@ -52,9 +30,7 @@ copy_setports ns3/named1.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
# decide whether to test DNSRPS
$SHELL ../ckdnsrps.sh $TEST_DNSRPS $DEBUG
test -z "$(grep 'dnsrps-enable yes' dnsrps.conf)" && TEST_DNSRPS=
touch dnsrps.conf
touch dnsrps.cache
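Review bot: The comment `# decide whether to test DNSRPS` is left over from the removed `ckdnsrps.sh` step and no longer describes the two `touch` lines under it. What they actually do now is guarantee `dnsrps.conf` exists for two consumers: the `include` in the named.conf templates and the mode switch in tests.sh, which greps `dnsrps-enable yes;` in that file and would otherwise complain about a missing file and default to native. A replacement such as `# dnsrps.conf must exist: named.conf includes it and tests.sh greps it to pick native vs. DNSRPS mode; tests_dnsrps.py fills it in for the DNSRPS variant.` documents that contract. Note also that `setup.sh` now ignores any arguments rather than rejecting them, so an old caller passing `-D` or `-N` would silently get the default behaviour.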
# setup policy zones for a 64-zone test


@ -23,17 +23,16 @@ status=0
t=0
export DNSRPS_TEST_UPDATE_FILE=$(pwd)/dnsrps.cache
DEBUG=
ARGS=
if grep 'dnsrps-enable yes;' dnsrps.conf >/dev/null; then
MODE=dnsrps
else
MODE=native
fi
USAGE="$0: [-xS]"
while getopts "xS:" c; do
USAGE="$0: [-S]"
while getopts "S:" c; do
case $c in
x)
set -x
DEBUG=-x
ARGS="$ARGS -x"
;;
S)
SAVE_RESULTS=-S
ARGS="$ARGS -S"
@ -136,456 +135,401 @@ add_test_marker() {
done
}
native=0
dnsrps=0
for mode in native dnsrps; do
status=0
case $mode in
native)
if [ -e dnsrps-only ]; then
echo_i "'dnsrps-only' found: skipping native RPZ sub-test"
continue
else
echo_i "running native RPZ sub-test"
fi
;;
dnsrps)
if [ -e dnsrps-off ]; then
echo_i "'dnsrps-off' found: skipping DNSRPS sub-test"
continue
fi
echo_i "attempting to configure servers with DNSRPS..."
stop_server --use-rndc --port ${CONTROLPORT}
$SHELL ./setup.sh -N -D $DEBUG
sed -n 's/^## //p' dnsrps.conf | cat_i
if grep '^#fail' dnsrps.conf >/dev/null; then
echo_i "exit status: 1"
exit 1
fi
if grep '^#skip' dnsrps.conf >/dev/null; then
echo_i "DNSRPS sub-test skipped"
continue
else
echo_i "running DNSRPS sub-test"
start_server --noclean --restart --port ${PORT}
sleep 3
fi
;;
esac
t=$((t + 1))
echo_i "testing that l1.l0 exists without RPZ (${t})"
add_test_marker 10.53.0.2
$DIG $DIGOPTS l1.l0 ns @10.53.0.2 -p ${PORT} >dig.out.${t}
grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test ${t} failed"
status=1
}
# show whether and why DNSRPS is enabled or disabled
sed -n 's/^## //p' dnsrps.conf | cat_i
t=$((t + 1))
echo_i "testing that l2.l1.l0 returns SERVFAIL without RPZ (${t})"
add_test_marker 10.53.0.2
$DIG $DIGOPTS l2.l1.l0 ns @10.53.0.2 -p ${PORT} >dig.out.${t}
grep "status: SERVFAIL" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test ${t} failed"
status=1
}
t=$((t + 1))
echo_i "testing that l1.l0 exists without RPZ (${t})"
add_test_marker 10.53.0.2
$DIG $DIGOPTS l1.l0 ns @10.53.0.2 -p ${PORT} >dig.out.${t}
grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test ${t} failed"
status=1
}
# Group 1
run_server 1a
expect_norecurse 1a 1
run_server 1b
expect_norecurse 1b 1
expect_recurse 1b 2
run_server 1c
expect_norecurse 1c 1
t=$((t + 1))
echo_i "testing that l2.l1.l0 returns SERVFAIL without RPZ (${t})"
add_test_marker 10.53.0.2
$DIG $DIGOPTS l2.l1.l0 ns @10.53.0.2 -p ${PORT} >dig.out.${t}
grep "status: SERVFAIL" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test ${t} failed"
status=1
}
# Group 1
run_server 1a
expect_norecurse 1a 1
run_server 1b
expect_norecurse 1b 1
expect_recurse 1b 2
run_server 1c
expect_norecurse 1c 1
# Group 2
run_server 2a
for n in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \
21 22 23 24 25 26 27 28 29 30 31 32; do
expect_norecurse 2a $n
done
expect_recurse 2a 33
# Group 3
run_server 3a
expect_recurse 3a 1
run_server 3b
expect_recurse 3b 1
run_server 3c
expect_recurse 3c 1
run_server 3d
expect_norecurse 3d 1
expect_recurse 3d 2
run_server 3e
expect_norecurse 3e 1
expect_recurse 3e 2
run_server 3f
expect_norecurse 3f 1
expect_recurse 3f 2
# Group 4
testlist="aa ap bf"
values="1 16 32"
# Uncomment the following to test every skip value instead of
# only a sample of values
#
#testlist="aa ab ac ad ae af ag ah ai aj ak al am an ao ap \
# aq ar as at au av aw ax ay az ba bb bc bd be bf"
#values="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \
# 21 22 23 24 25 26 27 28 29 30 31 32"
set -- $values
for n in $testlist; do
run_server 4$n
ni=$1
t=$((t + 1))
echo_i "testing that ${ni} of 33 queries skip recursion (${t})"
add_test_marker 10.53.0.2
c=0
for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 \
17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33; do
run_query 4$n $i || c=$((c + 1))
done
skipped=$((33 - c))
if [ $skipped != $ni ]; then
echo_i "test $t failed (actual=$skipped, expected=$ni)"
status=1
fi
shift
done
# Group 5
run_server 5a
expect_norecurse 5a 1
expect_norecurse 5a 2
expect_recurse 5a 3
expect_recurse 5a 4
expect_recurse 5a 5
expect_recurse 5a 6
# Group 6
echo_i "check recursive behavior consistency during policy update races"
run_server 6a
sleep 1
t=$((t + 1))
echo_i "running dig to cache CNAME record (${t})"
add_test_marker 10.53.0.1 10.53.0.2
$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME >dig.out.${t}
sleep 1
echo_i "suspending authority server"
PID=$(cat ns1/named.pid)
kill -STOP $PID
echo_i "adding an NSDNAME policy"
cp ns2/db.6a.00.policy.local ns2/saved.policy.local
cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local
$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
sleep 1
t=$((t + 1))
echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})"
add_test_marker 10.53.0.2
$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 >dig.out.${t} &
sleep 1
echo_i "removing the NSDNAME policy"
cp ns2/db.6c.00.policy.local ns2/db.6a.00.policy.local
$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
sleep 1
echo_i "resuming authority server"
PID=$(cat ns1/named.pid)
kill -CONT $PID
add_test_marker 10.53.0.1
for n in 1 2 3 4 5 6 7 8 9; do
sleep 1
[ -s dig.out.${t} ] || continue
grep "status: .*," dig.out.${t} >/dev/null 2>&1 && break
done
grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test ${t} failed"
status=1
}
echo_i "check recursive behavior consistency during policy removal races"
cp ns2/saved.policy.local ns2/db.6a.00.policy.local
run_server 6a
sleep 1
t=$((t + 1))
echo_i "running dig to cache CNAME record (${t})"
add_test_marker 10.53.0.1 10.53.0.2
$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME >dig.out.${t}
sleep 1
echo_i "suspending authority server"
PID=$(cat ns1/named.pid)
kill -STOP $PID
echo_i "adding an NSDNAME policy"
cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local
$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
sleep 1
t=$((t + 1))
echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})"
add_test_marker 10.53.0.2
$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 >dig.out.${t} &
sleep 1
echo_i "removing the policy zone"
cp ns2/named.default.conf ns2/named.conf
rndc_reconfig ns2 10.53.0.2
test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
sleep 1
echo_i "resuming authority server"
PID=$(cat ns1/named.pid)
kill -CONT $PID
add_test_marker 10.53.0.1
for n in 1 2 3 4 5 6 7 8 9; do
sleep 1
[ -s dig.out.${t} ] || continue
grep "status: .*," dig.out.${t} >/dev/null 2>&1 && break
done
grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test ${t} failed"
status=1
}
# Check maximum number of RPZ zones (64)
t=$((t + 1))
echo_i "testing maximum number of RPZ zones (${t})"
add_test_marker 10.53.0.2
run_server max
i=1
while test $i -le 64; do
$DIG $DIGOPTS name$i a @10.53.0.2 -p ${PORT} -b 10.53.0.1 >dig.out.${t}.${i}
grep "^name$i.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.$i" dig.out.${t}.${i} >/dev/null 2>&1 || {
echo_i "test $t failed: didn't get expected answer from policy zone $i"
status=1
}
i=$((i + 1))
done
# Check CLIENT-IP behavior
t=$((t + 1))
echo_i "testing CLIENT-IP behavior (${t})"
add_test_marker 10.53.0.2
run_server clientip
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}
grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed: query failed"
status=1
}
grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.2" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed: didn't get expected answer"
status=1
}
# Check CLIENT-IP behavior #2
t=$((t + 1))
echo_i "testing CLIENT-IP behavior #2 (${t})"
add_test_marker 10.53.0.2
run_server clientip2
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.1 >dig.out.${t}.1
grep "status: SERVFAIL" dig.out.${t}.1 >/dev/null 2>&1 || {
echo_i "test $t failed: query failed"
status=1
}
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >dig.out.${t}.2
grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null 2>&1 || {
echo_i "test $t failed: query failed"
status=1
}
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >dig.out.${t}.3
grep "status: NOERROR" dig.out.${t}.3 >/dev/null 2>&1 || {
echo_i "test $t failed: query failed"
status=1
}
grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.1" dig.out.${t}.3 >/dev/null 2>&1 || {
echo_i "test $t failed: didn't get expected answer"
status=1
}
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}.4
grep "status: SERVFAIL" dig.out.${t}.4 >/dev/null 2>&1 || {
echo_i "test $t failed: query failed"
status=1
}
# Check RPZ log clause
t=$((t + 1))
echo_i "testing RPZ log clause (${t})"
add_test_marker 10.53.0.2
run_server log
cur=$(awk 'BEGIN {l=0} /^/ {l++} END { print l }' ns2/named.run)
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >>dig.out.${t}
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >>dig.out.${t}
sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.4.0.53.10.rpz-client-ip.log1" >/dev/null && {
echo_ic "failed: unexpected rewrite message for policy zone log1 was logged"
status=1
}
sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.3.0.53.10.rpz-client-ip.log2" >/dev/null || {
echo_ic "failed: expected rewrite message for policy zone log2 was not logged"
status=1
}
sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.2.0.53.10.rpz-client-ip.log3" >/dev/null || {
echo_ic "failed: expected rewrite message for policy zone log3 was not logged"
status=1
}
# Check wildcard behavior
t=$((t + 1))
echo_i "testing wildcard behavior with 1 RPZ zone (${t})"
add_test_marker 10.53.0.2
run_server wildcard1
$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
t=$((t + 1))
echo_i "testing wildcard behavior with 2 RPZ zones (${t})"
add_test_marker 10.53.0.2
run_server wildcard2
$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
t=$((t + 1))
echo_i "testing wildcard behavior with 1 RPZ zone and no non-wildcard triggers (${t})"
add_test_marker 10.53.0.2
run_server wildcard3
$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
grep "status: NOERROR" dig.out.${t}.2 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
t=$((t + 1))
echo_i "testing wildcard passthru before explicit drop (${t})"
add_test_marker 10.53.0.2
run_server wildcard4
$DIG $DIGOPTS example.com a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
grep "status: NOERROR" dig.out.${t}.1 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
$DIG $DIGOPTS www.example.com a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
grep "status: NOERROR" dig.out.${t}.2 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
if [ "$mode" = "native" ]; then
# Check for invalid prefix length error
t=$((t + 1))
echo_i "testing for invalid prefix length error (${t})"
add_test_marker 10.53.0.2
run_server invalidprefixlength
grep "invalid rpz IP address \"1000.4.0.53.10.rpz-client-ip.invalidprefixlength\"; invalid prefix length of 1000$" ns2/named.run >/dev/null || {
echo_ic "failed: expected that invalid prefix length error would be logged"
status=1
}
fi
if [ "$mode" = "native" ]; then
t=$((t + 1))
echo_i "checking 'nsip-wait-recurse no' is faster than 'nsip-wait-recurse yes' ($t)"
add_test_marker 10.53.0.2 10.53.0.3
echo_i "timing 'nsip-wait-recurse yes' (default)"
produce_librpz_rules ns3 policy policy
ret=0
t1=$($PERL -e 'print time()."\n";')
$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.yes.$t
t2=$($PERL -e 'print time()."\n";')
p1=$((t2 - t1))
echo_i "elapsed time $p1 seconds"
$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
copy_setports ns3/named2.conf.in ns3/named.conf
nextpart ns3/named.run >/dev/null
$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
echo_i "timing 'nsip-wait-recurse no'"
echo "update zone policy 0 no_nsip_wait_recurse" >$DNSRPS_TEST_UPDATE_FILE
t3=$($PERL -e 'print time()."\n";')
$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.no.$t
t4=$($PERL -e 'print time()."\n";')
p2=$((t4 - t3))
echo_i "elapsed time $p2 seconds"
if test $p1 -le $p2; then ret=1; fi
if test $ret != 0; then echo_i "failed"; fi
status=$((status + ret))
$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
# restore original named.conf
copy_setports ns3/named1.conf.in ns3/named.conf
nextpart ns3/named.run >/dev/null
$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
t=$((t + 1))
echo_i "checking 'nsdname-wait-recurse no' is faster than 'nsdname-wait-recurse yes' ($t)"
add_test_marker 10.53.0.2 10.53.0.3
echo_i "timing 'nsdname-wait-recurse yes' (default)"
ret=0
t1=$($PERL -e 'print time()."\n";')
$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.yes.$t
t2=$($PERL -e 'print time()."\n";')
p1=$((t2 - t1))
echo_i "elapsed time $p1 seconds"
$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
copy_setports ns3/named3.conf.in ns3/named.conf
nextpart ns3/named.run >/dev/null
$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
echo_i "timing 'nsdname-wait-recurse no'"
t3=$($PERL -e 'print time()."\n";')
$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.no.$t
t4=$($PERL -e 'print time()."\n";')
p2=$((t4 - t3))
echo_i "elapsed time $p2 seconds"
if test $p1 -le $p2; then ret=1; fi
if test $ret != 0; then echo_i "failed"; fi
status=$((status + ret))
fi
[ $status -ne 0 ] && pf=fail || pf=pass
case $mode in
native)
native=$status
echo_i "status (native RPZ sub-test): $status ($pf)"
;;
dnsrps)
dnsrps=$status
echo_i "status (DNSRPS sub-test): $status ($pf)"
;;
*) echo_i "invalid test mode" ;;
esac
# Group 2
run_server 2a
for n in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \
21 22 23 24 25 26 27 28 29 30 31 32; do
expect_norecurse 2a $n
done
status=$((native + dnsrps))
expect_recurse 2a 33
# Group 3
run_server 3a
expect_recurse 3a 1
run_server 3b
expect_recurse 3b 1
run_server 3c
expect_recurse 3c 1
run_server 3d
expect_norecurse 3d 1
expect_recurse 3d 2
run_server 3e
expect_norecurse 3e 1
expect_recurse 3e 2
run_server 3f
expect_norecurse 3f 1
expect_recurse 3f 2
# Group 4
testlist="aa ap bf"
values="1 16 32"
# Uncomment the following to test every skip value instead of
# only a sample of values
#
#testlist="aa ab ac ad ae af ag ah ai aj ak al am an ao ap \
# aq ar as at au av aw ax ay az ba bb bc bd be bf"
#values="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \
# 21 22 23 24 25 26 27 28 29 30 31 32"
set -- $values
for n in $testlist; do
run_server 4$n
ni=$1
t=$((t + 1))
echo_i "testing that ${ni} of 33 queries skip recursion (${t})"
add_test_marker 10.53.0.2
c=0
for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 \
17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33; do
run_query 4$n $i || c=$((c + 1))
done
skipped=$((33 - c))
if [ $skipped != $ni ]; then
echo_i "test $t failed (actual=$skipped, expected=$ni)"
status=1
fi
shift
done
# Group 5
run_server 5a
expect_norecurse 5a 1
expect_norecurse 5a 2
expect_recurse 5a 3
expect_recurse 5a 4
expect_recurse 5a 5
expect_recurse 5a 6
# Group 6
echo_i "check recursive behavior consistency during policy update races"
run_server 6a
sleep 1
t=$((t + 1))
echo_i "running dig to cache CNAME record (${t})"
add_test_marker 10.53.0.1 10.53.0.2
$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME >dig.out.${t}
sleep 1
echo_i "suspending authority server"
PID=$(cat ns1/named.pid)
kill -STOP $PID
echo_i "adding an NSDNAME policy"
cp ns2/db.6a.00.policy.local ns2/saved.policy.local
cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local
$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
sleep 1
t=$((t + 1))
echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})"
add_test_marker 10.53.0.2
$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 >dig.out.${t} &
sleep 1
echo_i "removing the NSDNAME policy"
cp ns2/db.6c.00.policy.local ns2/db.6a.00.policy.local
$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
sleep 1
echo_i "resuming authority server"
PID=$(cat ns1/named.pid)
kill -CONT $PID
add_test_marker 10.53.0.1
for n in 1 2 3 4 5 6 7 8 9; do
sleep 1
[ -s dig.out.${t} ] || continue
grep "status: .*," dig.out.${t} >/dev/null 2>&1 && break
done
grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test ${t} failed"
status=1
}
echo_i "check recursive behavior consistency during policy removal races"
cp ns2/saved.policy.local ns2/db.6a.00.policy.local
run_server 6a
sleep 1
t=$((t + 1))
echo_i "running dig to cache CNAME record (${t})"
add_test_marker 10.53.0.1 10.53.0.2
$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME >dig.out.${t}
sleep 1
echo_i "suspending authority server"
PID=$(cat ns1/named.pid)
kill -STOP $PID
echo_i "adding an NSDNAME policy"
cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local
$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
sleep 1
t=$((t + 1))
echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})"
add_test_marker 10.53.0.2
$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 >dig.out.${t} &
sleep 1
echo_i "removing the policy zone"
cp ns2/named.default.conf ns2/named.conf
rndc_reconfig ns2 10.53.0.2
test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
sleep 1
echo_i "resuming authority server"
PID=$(cat ns1/named.pid)
kill -CONT $PID
add_test_marker 10.53.0.1
for n in 1 2 3 4 5 6 7 8 9; do
sleep 1
[ -s dig.out.${t} ] || continue
grep "status: .*," dig.out.${t} >/dev/null 2>&1 && break
done
grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test ${t} failed"
status=1
}
# Check maximum number of RPZ zones (64)
t=$((t + 1))
echo_i "testing maximum number of RPZ zones (${t})"
add_test_marker 10.53.0.2
run_server max
i=1
while test $i -le 64; do
$DIG $DIGOPTS name$i a @10.53.0.2 -p ${PORT} -b 10.53.0.1 >dig.out.${t}.${i}
grep "^name$i.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.$i" dig.out.${t}.${i} >/dev/null 2>&1 || {
echo_i "test $t failed: didn't get expected answer from policy zone $i"
status=1
}
i=$((i + 1))
done
# Check CLIENT-IP behavior
t=$((t + 1))
echo_i "testing CLIENT-IP behavior (${t})"
add_test_marker 10.53.0.2
run_server clientip
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}
grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed: query failed"
status=1
}
grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.2" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed: didn't get expected answer"
status=1
}
# Check CLIENT-IP behavior #2
t=$((t + 1))
echo_i "testing CLIENT-IP behavior #2 (${t})"
add_test_marker 10.53.0.2
run_server clientip2
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.1 >dig.out.${t}.1
grep "status: SERVFAIL" dig.out.${t}.1 >/dev/null 2>&1 || {
echo_i "test $t failed: query failed"
status=1
}
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >dig.out.${t}.2
grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null 2>&1 || {
echo_i "test $t failed: query failed"
status=1
}
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >dig.out.${t}.3
grep "status: NOERROR" dig.out.${t}.3 >/dev/null 2>&1 || {
echo_i "test $t failed: query failed"
status=1
}
grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.1" dig.out.${t}.3 >/dev/null 2>&1 || {
echo_i "test $t failed: didn't get expected answer"
status=1
}
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}.4
grep "status: SERVFAIL" dig.out.${t}.4 >/dev/null 2>&1 || {
echo_i "test $t failed: query failed"
status=1
}
# Check RPZ log clause
t=$((t + 1))
echo_i "testing RPZ log clause (${t})"
add_test_marker 10.53.0.2
run_server log
cur=$(awk 'BEGIN {l=0} /^/ {l++} END { print l }' ns2/named.run)
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >>dig.out.${t}
$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >>dig.out.${t}
sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.4.0.53.10.rpz-client-ip.log1" >/dev/null && {
echo_ic "failed: unexpected rewrite message for policy zone log1 was logged"
status=1
}
sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.3.0.53.10.rpz-client-ip.log2" >/dev/null || {
echo_ic "failed: expected rewrite message for policy zone log2 was not logged"
status=1
}
sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.2.0.53.10.rpz-client-ip.log3" >/dev/null || {
echo_ic "failed: expected rewrite message for policy zone log3 was not logged"
status=1
}
# Check wildcard behavior
t=$((t + 1))
echo_i "testing wildcard behavior with 1 RPZ zone (${t})"
add_test_marker 10.53.0.2
run_server wildcard1
$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
t=$((t + 1))
echo_i "testing wildcard behavior with 2 RPZ zones (${t})"
add_test_marker 10.53.0.2
run_server wildcard2
$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
t=$((t + 1))
echo_i "testing wildcard behavior with 1 RPZ zone and no non-wildcard triggers (${t})"
add_test_marker 10.53.0.2
run_server wildcard3
$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
grep "status: NOERROR" dig.out.${t}.2 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
t=$((t + 1))
echo_i "testing wildcard passthru before explicit drop (${t})"
add_test_marker 10.53.0.2
run_server wildcard4
$DIG $DIGOPTS example.com a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
grep "status: NOERROR" dig.out.${t}.1 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
$DIG $DIGOPTS www.example.com a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
grep "status: NOERROR" dig.out.${t}.2 >/dev/null || {
echo_i "test ${t} failed"
status=1
}
if [ "$MODE" = "native" ]; then
# Check for invalid prefix length error
t=$((t + 1))
echo_i "testing for invalid prefix length error (${t})"
add_test_marker 10.53.0.2
run_server invalidprefixlength
grep "invalid rpz IP address \"1000.4.0.53.10.rpz-client-ip.invalidprefixlength\"; invalid prefix length of 1000$" ns2/named.run >/dev/null || {
echo_ic "failed: expected that invalid prefix length error would be logged"
status=1
}
fi
if [ "$MODE" = "native" ]; then
t=$((t + 1))
echo_i "checking 'nsip-wait-recurse no' is faster than 'nsip-wait-recurse yes' ($t)"
add_test_marker 10.53.0.2 10.53.0.3
echo_i "timing 'nsip-wait-recurse yes' (default)"
produce_librpz_rules ns3 policy policy
ret=0
t1=$($PERL -e 'print time()."\n";')
$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.yes.$t
t2=$($PERL -e 'print time()."\n";')
p1=$((t2 - t1))
echo_i "elapsed time $p1 seconds"
$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
copy_setports ns3/named2.conf.in ns3/named.conf
nextpart ns3/named.run >/dev/null
$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
echo_i "timing 'nsip-wait-recurse no'"
echo "update zone policy 0 no_nsip_wait_recurse" >$DNSRPS_TEST_UPDATE_FILE
t3=$($PERL -e 'print time()."\n";')
$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.no.$t
t4=$($PERL -e 'print time()."\n";')
p2=$((t4 - t3))
echo_i "elapsed time $p2 seconds"
if test $p1 -le $p2; then ret=1; fi
if test $ret != 0; then echo_i "failed"; fi
status=$((status + ret))
$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
# restore original named.conf
copy_setports ns3/named1.conf.in ns3/named.conf
nextpart ns3/named.run >/dev/null
$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
t=$((t + 1))
echo_i "checking 'nsdname-wait-recurse no' is faster than 'nsdname-wait-recurse yes' ($t)"
add_test_marker 10.53.0.2 10.53.0.3
echo_i "timing 'nsdname-wait-recurse yes' (default)"
ret=0
t1=$($PERL -e 'print time()."\n";')
$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.yes.$t
t2=$($PERL -e 'print time()."\n";')
p1=$((t2 - t1))
echo_i "elapsed time $p1 seconds"
$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
copy_setports ns3/named3.conf.in ns3/named.conf
nextpart ns3/named.run >/dev/null
$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
echo_i "timing 'nsdname-wait-recurse no'"
t3=$($PERL -e 'print time()."\n";')
$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.no.$t
t4=$($PERL -e 'print time()."\n";')
p2=$((t4 - t3))
echo_i "elapsed time $p2 seconds"
if test $p1 -le $p2; then ret=1; fi
if test $ret != 0; then echo_i "failed"; fi
status=$((status + ret))
fi
[ $status -eq 0 ] || exit 1
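Review bot: In the native-only timing block near the end of the hunk, the `wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1` that follows the restore of `ns3/named1.conf.in` never reaches `status`: `status=$((status + ret))` has already run a few lines earlier, and the next use of `ret` is the `ret=0` that opens the nsdname-wait-recurse timing, so a failed reload of the restored config is dropped and the second timing silently runs against the wrong named.conf. Change that line to `wait_for_log 20 "rpz: policy: reload done" ns3/named.run || { echo_i "failed: reload of restored ns3 config"; status=1; }`. This was the same in the loop body the commit flattened, so it is not a regression, but the rewrite is the moment to fix it. The flattening itself looks faithful: both `if [ "$MODE" = "native" ]` gates mirror the old `"$mode"` checks, and the final `[ $status -eq 0 ] || exit 1` replaces the old per-mode status summary.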


@ -0,0 +1,26 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
import isctest.mark
pytestmark = isctest.mark.dnsrps_enabled
def test_rpzrecurse_dnsrps(run_tests_sh):
with open("dnsrps.conf", "w", encoding="utf-8") as conf:
conf.writelines(
[
"dnsrps-options { log-level 3 };"
"dnsrps-enable yes;"
'dnsrps-library "../../rpz/testlib/.libs/libdummyrpz.so";'
]
)
run_tests_sh()
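Review bot: This module is identical to the rpz variant apart from the test name, including the relative `dnsrps-library` path and the `log-level 3` setting, so the two will drift the first time one of them is edited. Since `isctest.mark` already owns `DNSRPS_BIN` and `dnsrps_enabled`, a small helper there that takes the library path and writes `dnsrps.conf` would reduce each test module to the marker plus a one-line call, and would be the natural place to document that `dnsrps.conf` is included by the servers' named.conf and read by tests.sh's `grep 'dnsrps-enable yes;'` mode switch. Failing that, a docstring such as `"""Run tests.sh with DNSRPS enabled via the dummy librpz test library."""` and newline-terminated config lines (`writelines` adds none) would at least make the file self-explanatory.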