diff --git a/bin/tests/system/isctest/mark.py b/bin/tests/system/isctest/mark.py index 769abbbb5d..0caac51af5 100644 --- a/bin/tests/system/isctest/mark.py +++ b/bin/tests/system/isctest/mark.py @@ -12,6 +12,7 @@ # information regarding copyright ownership. import os +from pathlib import Path import subprocess import pytest @@ -33,6 +34,19 @@ def feature_test(feature): return True +DNSRPS_BIN = Path(os.environ["TOP_BUILDDIR"]) / "bin/tests/system/rpz/dnsrps" + + +def is_dnsrps_available(): + if not feature_test("--enable-dnsrps"): + return False + try: + subprocess.run([DNSRPS_BIN, "-a"], check=True) + except subprocess.CalledProcessError: + return False + return True + + have_libxml2 = pytest.mark.skipif( not feature_test("--have-libxml2"), reason="libxml2 support disabled in the build" ) @@ -41,6 +55,10 @@ have_json_c = pytest.mark.skipif( not feature_test("--have-json-c"), reason="json-c support disabled in the build" ) +dnsrps_enabled = pytest.mark.skipif( + not is_dnsrps_available(), reason="dnsrps disabled in the build" +) + try: import flaky as flaky_pkg # type: ignore diff --git a/bin/tests/system/rpz/clean.sh b/bin/tests/system/rpz/clean.sh index 2515183499..a2127e0e3d 100644 --- a/bin/tests/system/rpz/clean.sh +++ b/bin/tests/system/rpz/clean.sh 
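Review bot: In `is_dnsrps_available()` the `try` around `subprocess.run([DNSRPS_BIN, "-a"], check=True)` only catches `CalledProcessError`, so on a build with `--enable-dnsrps` where the `dnsrps` helper has not been built (or is not executable) the `FileNotFoundError`/`PermissionError` escapes, and because the function is called at module level in this same file, importing `isctest.mark` fails for every system test, not just rpz. The probe also inherits stdout/stderr and has no timeout, so a chatty or hung helper leaks into pytest collection or stalls it. Suggest `subprocess.run([DNSRPS_BIN, "-a"], check=True, capture_output=True, timeout=30)` with `except (subprocess.CalledProcessError, subprocess.TimeoutExpired, OSError):`, plus a docstring stating that it returns True only when the build has DNSRPS enabled and the `dnsrps -a` self-check exits 0. `os.environ["TOP_BUILDDIR"]` on the `DNSRPS_BIN` line is likewise a hard `KeyError` at import time outside the build harness; a comment noting that requirement would help.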
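Review bot: The skip reason on the new `dnsrps_enabled` marker, `"dnsrps disabled in the build"`, is wrong for one of the two paths that make `is_dnsrps_available()` return False: the build is DNSRPS-enabled but the `dnsrps -a` probe failed, which a reader of a skipped test would not look for under that message. Suggest `reason="dnsrps disabled in the build or dnsrps -a probe failed"`. It is also worth a one-line comment that the condition is evaluated once at import of this module, so the subprocess probe runs for every test module that imports `isctest.mark`, not only the rpz tests; that looks acceptable as long as the probe stays cheap.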
@@ -11,29 +11,6 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -# Clean up after rpz tests. - -USAGE="$0: [-Px]" -DEBUG= -while getopts "Px" c; do - case $c in - x) set -x ;; - P) PARTIAL=set ;; - *) - echo "$USAGE" 1>&2 - exit 1 - ;; - esac -done -shift $((OPTIND - 1)) -if test "$#" -ne 0; then - echo "$USAGE" 1>&2 - exit 1 -fi - -# this might be called from setup.sh to partially clean up the files -# from the first test pass so the second pass can be set up correctly. -# remove those files first, then decide whether to remove the others. rm -f ns*/*.key ns*/*.private rm -f ns2/tld2s.db */bl.tld2.db */bl.tld2s.db rm -f ns3/bl*.db ns3/fast-expire.db ns*/empty.db @@ -44,15 +21,13 @@ rm -f ns8/manual-update-rpz.db rm -f */policy2.db rm -f */*.jnl rm -f dnsrps.cache dnsrps.conf - -if [ ${PARTIAL:-unset} = unset ]; then - rm -f proto.* dsset-* trusted.conf dig.out* nsupdate.tmp ns*/*tmp - rm -f ns5/requests ns5/*.perf - rm -f */named.memstats */*.run */*.run.prev */named.stats */session.key - rm -f */*.log */*core */*.pid - rm -f ns*/named.conf - rm -f ns*/*switch - rm -f dnsrps.zones - rm -f ns*/managed-keys.bind* - rm -f tmp -fi +rm -f proto.* dsset-* trusted.conf dig.out* nsupdate.tmp ns*/*tmp +rm -f ns5/requests ns5/*.perf +rm -f */named.memstats */*.run */*.run.prev */named.stats */session.key +rm -f */*.log */*core */*.pid +rm -f ns*/named.lock +rm -f ns*/named.conf +rm -f ns*/*switch +rm -f dnsrps.zones +rm -f ns*/managed-keys.bind* +rm -f tmp diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh index 2f71d2de66..df77946d51 100644 --- a/bin/tests/system/rpz/setup.sh +++ b/bin/tests/system/rpz/setup.sh 
@@ -19,31 +19,7 @@ set -e QPERF=$($SHELL qperf.sh) -USAGE="$0: [-DNx]" -DEBUG= -while getopts "DNx" c; do - case $c in - x) - set -x - DEBUG=-x - ;; - D) TEST_DNSRPS="-D" ;; - N) PARTIAL=-P ;; - *) - echo "$USAGE" 1>&2 - exit 1 - ;; - esac -done -shift $((OPTIND - 1)) -if test "$#" -ne 0; then - echo "$USAGE" 1>&2 - exit 1 -fi - -if [ ${NOCLEAN:-unset} = unset ]; then - $SHELL clean.sh $PARTIAL $DEBUG -fi +$SHELL clean.sh for dir in ns*; do touch $dir/named.run @@ -63,10 +39,7 @@ copy_setports ns10/named.conf.in ns10/named.conf copy_setports dnsrps.zones.in dnsrps.zones -# decide whether to test DNSRPS -# Note that dnsrps.conf is included in named.conf -$SHELL ../ckdnsrps.sh $TEST_DNSRPS $DEBUG -test -z "$(grep 'testing with DNSRPS' dnsrps.conf)" && TEST_DNSRPS= +touch dnsrps.conf touch dnsrps.cache # set up test policy zones. diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh index 5c0fe8beca..d9b75e1bc6 100644 --- a/bin/tests/system/rpz/tests.sh +++ b/bin/tests/system/rpz/tests.sh @@ -38,18 +38,17 @@ status=0 t=0 export DNSRPS_TEST_UPDATE_FILE=$(pwd)/dnsrps.cache -DEBUG= SAVE_RESULTS= ARGS= +if grep 'dnsrps-enable yes;' dnsrps.conf >/dev/null; then + MODE=dnsrps +else + MODE=native +fi -USAGE="$0: [-xS]" -while getopts "xS:" c; do +USAGE="$0: [-S]" +while getopts "S:" c; do case $c in - x) - set -x - DEBUG=-x - ARGS="$ARGS -x" - ;; S) SAVE_RESULTS=-S ARGS="$ARGS -S" @@ -144,7 +143,7 @@ get_sn_fast() { # $2=DNS server IP address FZONES=$(sed -n -e 's/^zone "\(.*\)".*\(10.53.0..\).*/Z=\1;M=\2/p' dnsrps.zones) dnsrps_loaded() { - test "$mode" = dnsrps || return 0 + test "$MODE" = dnsrps || return 0 n=0 for V in $FZONES; do eval "$V" @@ -173,7 +172,7 @@ dnsrps_loaded() { ck_soa() { n=0 while true; do - if test "$mode" = dnsrps; then + if test "$MODE" = dnsrps; then get_sn_fast "$2" test "$RSN" -eq "$1" && return else 
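Review bot: `touch dnsrps.conf` replaces the removed `../ckdnsrps.sh` step that used to generate that file, but nothing in this diff writes the `dnsrps-enable yes;` line that tests.sh now greps for to select `MODE=dnsrps`, so the file that named.conf includes is empty after setup unless an out-of-diff driver populates it. If the pytest side is meant to fill it in before the servers start, that contract should be stated here, e.g. `# dnsrps.conf is included by named.conf; left empty (native RPZ) unless the test driver writes "dnsrps-enable yes;" into it`. Note that `touch` does not truncate, so a file populated by a previous run is only reset because `$SHELL clean.sh` now runs unconditionally a few lines above (clean.sh removes dnsrps.conf); if that call is ever made conditional again this becomes a stale-mode hazard.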
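Review bot: The new MODE probe `grep 'dnsrps-enable yes;' dnsrps.conf >/dev/null` is unanchored, so a commented-out `# dnsrps-enable yes;` left in dnsrps.conf also flips the whole run into DNSRPS mode, and a missing file prints a grep error to stderr while silently falling back to native. Anchoring the match and quieting grep is a one-line change: `if grep -q '^[[:space:]]*dnsrps-enable[[:space:]]*yes;' dnsrps.conf 2>/dev/null; then`. A short comment above it saying which component is expected to write that line (the old ckdnsrps.sh producer is removed in setup.sh in this same change) would make the mode selection traceable.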
@@ -260,11 +259,6 @@ ckalive() { return 0 } -resetstats() { - NSDIR=$1 - eval "${NSDIR}_CNT=''" -} - ckstats() { HOST=$1 LABEL="$2" 
@@ -500,540 +494,484 @@ make_proto_nodata() { # ensure that the fast-expire zone is populated before we begin testing $RNDCCMD $ns3 retransfer fast-expire -native=0 -dnsrps=0 -for mode in native dnsrps; do - status=0 - case ${mode} in - native) - if [ -e dnsrps-only ]; then - echo_i "'dnsrps-only' found: skipping native RPZ sub-test" - continue - else - echo_i "running native RPZ sub-test" - fi - ;; - dnsrps) - if [ -e dnsrps-off ]; then - echo_i "'dnsrps-off' found: skipping DNSRPS sub-test" - continue - fi - echo_i "attempting to configure servers with DNSRPS..." - stop_server --use-rndc --port ${CONTROLPORT} - $SHELL ./setup.sh -N -D $DEBUG - for server in ns*; do - resetstats $server - done - sed -n 's/^## //p' dnsrps.conf | cat_i - if grep '^#fail' dnsrps.conf >/dev/null; then - echo_i "exit status: 1" - exit 1 - fi - if grep '^#skip' dnsrps.conf >/dev/null; then - echo_i "DNSRPS sub-test skipped" - continue - else - echo_i "running DNSRPS sub-test" - start_server --noclean --restart --port ${PORT} - sleep 3 - fi - ;; - esac +# make prototype files to check against rewritten results +retry_quiet 10 make_proto_nxdomain +retry_quiet 10 make_proto_nodata - # make prototype files to check against rewritten results - retry_quiet 10 make_proto_nxdomain - retry_quiet 10 make_proto_nodata +start_group "QNAME rewrites" test1 - start_group "QNAME rewrites" test1 - - nochange . 
# 1 do not crash or rewrite root - nxdomain a0-1.tld2 # 2 - nodata a3-1.tld2 # 3 - nodata a3-2.tld2 # 4 nodata at DNAME itself - nochange sub.a3-2.tld2 # 5 miss where DNAME might work - nxdomain a4-2.tld2 # 6 rewrite based on CNAME target - nxdomain a4-2-cname.tld2 # 7 - nodata a4-3-cname.tld2 # 8 - addr 12.12.12.12 a4-1.sub1.tld2 # 9 A replacement - addr 12.12.12.12 a4-1.sub2.tld2 # 10 A replacement with wildcard - addr 12.12.12.12 nxc1.sub1.tld2 # 11 replace NXDOMAIN with CNAME - addr 12.12.12.12 nxc2.sub1.tld2 # 12 replace NXDOMAIN with CNAME chain - addr 127.4.4.1 a4-4.tld2 # 13 prefer 1st conflicting QNAME zone - nochange a6-1.tld2 # 14 - addr 127.6.2.1 a6-2.tld2 # 15 - addr 56.56.56.56 a3-6.tld2 # 16 wildcard CNAME - addr 57.57.57.57 a3-7.sub1.tld2 # 17 wildcard CNAME - addr 127.0.0.16 a4-5-cname3.tld2 # 18 CNAME chain - addr 127.0.0.17 a4-6-cname3.tld2 # 19 stop short in CNAME chain - nochange a5-2.tld2 +norecurse # 20 check that RD=1 is required - nochange a5-3.tld2 +norecurse # 21 - nochange a5-4.tld2 +norecurse # 22 - nochange sub.a5-4.tld2 +norecurse # 23 - nxdomain c1.crash2.tld3 # 24 assert in rbtdb.c - nxdomain a0-1.tld2 +dnssec # 25 simple DO=1 without signatures - nxdomain a0-1.tld2s +nodnssec # 26 simple DO=0 with signatures - nochange a0-1.tld2s +dnssec # 27 simple DO=1 with signatures - nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain - nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain - nochange a0-1.tld2s srv +auth +dnssec # 30 no write for DNSSEC and no record - nxdomain a0-1.tld2s srv +nodnssec # 31 - drop a3-8.tld2 any # 32 drop - nochange TCP a3-9.tld2 # 33 tcp-only - here x.servfail <<'EOF' # 34 qname-wait-recurse yes +nochange . 
# 1 do not crash or rewrite root +nxdomain a0-1.tld2 # 2 +nodata a3-1.tld2 # 3 +nodata a3-2.tld2 # 4 nodata at DNAME itself +nochange sub.a3-2.tld2 # 5 miss where DNAME might work +nxdomain a4-2.tld2 # 6 rewrite based on CNAME target +nxdomain a4-2-cname.tld2 # 7 +nodata a4-3-cname.tld2 # 8 +addr 12.12.12.12 a4-1.sub1.tld2 # 9 A replacement +addr 12.12.12.12 a4-1.sub2.tld2 # 10 A replacement with wildcard +addr 12.12.12.12 nxc1.sub1.tld2 # 11 replace NXDOMAIN with CNAME +addr 12.12.12.12 nxc2.sub1.tld2 # 12 replace NXDOMAIN with CNAME chain +addr 127.4.4.1 a4-4.tld2 # 13 prefer 1st conflicting QNAME zone +nochange a6-1.tld2 # 14 +addr 127.6.2.1 a6-2.tld2 # 15 +addr 56.56.56.56 a3-6.tld2 # 16 wildcard CNAME +addr 57.57.57.57 a3-7.sub1.tld2 # 17 wildcard CNAME +addr 127.0.0.16 a4-5-cname3.tld2 # 18 CNAME chain +addr 127.0.0.17 a4-6-cname3.tld2 # 19 stop short in CNAME chain +nochange a5-2.tld2 +norecurse # 20 check that RD=1 is required +nochange a5-3.tld2 +norecurse # 21 +nochange a5-4.tld2 +norecurse # 22 +nochange sub.a5-4.tld2 +norecurse # 23 +nxdomain c1.crash2.tld3 # 24 assert in rbtdb.c +nxdomain a0-1.tld2 +dnssec # 25 simple DO=1 without signatures +nxdomain a0-1.tld2s +nodnssec # 26 simple DO=0 with signatures +nochange a0-1.tld2s +dnssec # 27 simple DO=1 with signatures +nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain +nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain +nochange a0-1.tld2s srv +auth +dnssec # 30 no write for DNSSEC and no record +nxdomain a0-1.tld2s srv +nodnssec # 31 +drop a3-8.tld2 any # 32 drop +nochange TCP a3-9.tld2 # 33 tcp-only +here x.servfail <<'EOF' # 34 qname-wait-recurse yes ;; status: SERVFAIL, x EOF - addr 35.35.35.35 "x.servfail @$ns5" # 35 qname-wait-recurse no - end_group - ckstats $ns3 test1 ns3 22 - ckstats $ns5 test1 ns5 1 - ckstats $ns6 test1 ns6 0 +addr 35.35.35.35 "x.servfail @$ns5" # 35 qname-wait-recurse no +end_group +ckstats $ns3 test1 ns3 22 +ckstats $ns5 test1 ns5 1 
+ckstats $ns6 test1 ns6 0 - start_group "NXDOMAIN/NODATA action on QNAME trigger" test1 - nxdomain a0-1.tld2 @$ns6 # 1 - nodata a3-1.tld2 @$ns6 # 2 - nodata a3-2.tld2 @$ns6 # 3 nodata at DNAME itself - nxdomain a4-2.tld2 @$ns6 # 4 rewrite based on CNAME target - nxdomain a4-2-cname.tld2 @$ns6 # 5 - nodata a4-3-cname.tld2 @$ns6 # 6 - addr 12.12.12.12 "a4-1.sub1.tld2 @$ns6" # 7 A replacement - addr 12.12.12.12 "a4-1.sub2.tld2 @$ns6" # 8 A replacement with wildcard - addr 127.4.4.1 "a4-4.tld2 @$ns6" # 9 prefer 1st conflicting QNAME zone - addr 12.12.12.12 "nxc1.sub1.tld2 @$ns6" # 10 replace NXDOMAIN w/ CNAME - addr 12.12.12.12 "nxc2.sub1.tld2 @$ns6" # 11 replace NXDOMAIN w/ CNAME chain - addr 127.6.2.1 "a6-2.tld2 @$ns6" # 12 - addr 56.56.56.56 "a3-6.tld2 @$ns6" # 13 wildcard CNAME - addr 57.57.57.57 "a3-7.sub1.tld2 @$ns6" # 14 wildcard CNAME - addr 127.0.0.16 "a4-5-cname3.tld2 @$ns6" # 15 CNAME chain - addr 127.0.0.17 "a4-6-cname3.tld2 @$ns6" # 16 stop short in CNAME chain - nxdomain c1.crash2.tld3 @$ns6 # 17 assert in rbtdb.c - nxdomain a0-1.tld2 +dnssec @$ns6 # 18 simple DO=1 without sigs - nxdomain a0-1s-cname.tld2s +dnssec @$ns6 # 19 - drop a3-8.tld2 any @$ns6 # 20 drop - end_group - ckstatsrange $ns3 test1 ns3 22 30 - ckstats $ns5 test1 ns5 0 - ckstats $ns6 test1 ns6 0 +start_group "NXDOMAIN/NODATA action on QNAME trigger" test1 +nxdomain a0-1.tld2 @$ns6 # 1 +nodata a3-1.tld2 @$ns6 # 2 +nodata a3-2.tld2 @$ns6 # 3 nodata at DNAME itself +nxdomain a4-2.tld2 @$ns6 # 4 rewrite based on CNAME target +nxdomain a4-2-cname.tld2 @$ns6 # 5 +nodata a4-3-cname.tld2 @$ns6 # 6 +addr 12.12.12.12 "a4-1.sub1.tld2 @$ns6" # 7 A replacement +addr 12.12.12.12 "a4-1.sub2.tld2 @$ns6" # 8 A replacement with wildcard +addr 127.4.4.1 "a4-4.tld2 @$ns6" # 9 prefer 1st conflicting QNAME zone +addr 12.12.12.12 "nxc1.sub1.tld2 @$ns6" # 10 replace NXDOMAIN w/ CNAME +addr 12.12.12.12 "nxc2.sub1.tld2 @$ns6" # 11 replace NXDOMAIN w/ CNAME chain +addr 127.6.2.1 "a6-2.tld2 @$ns6" # 12 +addr 
56.56.56.56 "a3-6.tld2 @$ns6" # 13 wildcard CNAME +addr 57.57.57.57 "a3-7.sub1.tld2 @$ns6" # 14 wildcard CNAME +addr 127.0.0.16 "a4-5-cname3.tld2 @$ns6" # 15 CNAME chain +addr 127.0.0.17 "a4-6-cname3.tld2 @$ns6" # 16 stop short in CNAME chain +nxdomain c1.crash2.tld3 @$ns6 # 17 assert in rbtdb.c +nxdomain a0-1.tld2 +dnssec @$ns6 # 18 simple DO=1 without sigs +nxdomain a0-1s-cname.tld2s +dnssec @$ns6 # 19 +drop a3-8.tld2 any @$ns6 # 20 drop +end_group +ckstatsrange $ns3 test1 ns3 22 30 +ckstats $ns5 test1 ns5 0 +ckstats $ns6 test1 ns6 0 - start_group "IP rewrites" test2 - nodata a3-1.tld2 # 1 NODATA - nochange a3-2.tld2 # 2 no policy record so no change - nochange a4-1.tld2 # 3 obsolete PASSTHRU record style - nxdomain a4-2.tld2 # 4 - nochange a4-2.tld2 -taaaa # 5 no A => no policy rewrite - nochange a4-2.tld2 -ttxt # 6 no A => no policy rewrite - nxdomain a4-2.tld2 -tany # 7 no A => no policy rewrite - nodata a4-3.tld2 # 8 - nxdomain a3-1.tld2 -taaaa # 9 IPv6 policy - nochange a4-1-aaaa.tld2 -taaaa # 10 - addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address - addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone - nochange a5-4.tld2 +norecurse # 13 check that RD=1 is required for #14 - addr 14.14.14.14 a5-4.tld2 # 14 prefer QNAME to IP - nochange a4-4.tld2 # 15 PASSTHRU - nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c - addr 127.0.0.17 "a4-4.tld2 -b $ns1" # 17 client-IP address trigger - nxdomain a7-1.tld2 # 18 secondary policy zone (RT34450) - # updating an response zone policy - cp ns2/blv2.tld2.db.in ns2/bl.tld2.db - rndc_reload ns2 $ns2 bl.tld2 - add_librpz_rule "update zone bl.tld2 1 inc" - ck_soa 2 bl.tld2 $ns3 - add_librpz_rule "wipe" - produce_librpz_rules ns2 bl.tld2 bl.tld2 - nochange a7-1.tld2 # 19 PASSTHRU - # ensure that a clock tick has occurred so that named will do the reload - sleep 1 - cp ns2/blv3.tld2.db.in ns2/bl.tld2.db - rndc_reload ns2 $ns2 bl.tld2 - add_librpz_rule "update zone bl.tld2 1 inc" - ck_soa 3 bl.tld2 $ns3 - 
produce_librpz_rules ns2 bl.tld2 bl.tld2 - nxdomain a7-1.tld2 # 20 secondary policy zone (RT34450) - end_group - ckstats $ns3 test2 ns3 12 +start_group "IP rewrites" test2 +nodata a3-1.tld2 # 1 NODATA +nochange a3-2.tld2 # 2 no policy record so no change +nochange a4-1.tld2 # 3 obsolete PASSTHRU record style +nxdomain a4-2.tld2 # 4 +nochange a4-2.tld2 -taaaa # 5 no A => no policy rewrite +nochange a4-2.tld2 -ttxt # 6 no A => no policy rewrite +nxdomain a4-2.tld2 -tany # 7 no A => no policy rewrite +nodata a4-3.tld2 # 8 +nxdomain a3-1.tld2 -taaaa # 9 IPv6 policy +nochange a4-1-aaaa.tld2 -taaaa # 10 +addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address +addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone +nochange a5-4.tld2 +norecurse # 13 check that RD=1 is required for #14 +addr 14.14.14.14 a5-4.tld2 # 14 prefer QNAME to IP +nochange a4-4.tld2 # 15 PASSTHRU +nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c +addr 127.0.0.17 "a4-4.tld2 -b $ns1" # 17 client-IP address trigger +nxdomain a7-1.tld2 # 18 secondary policy zone (RT34450) +# updating an response zone policy +cp ns2/blv2.tld2.db.in ns2/bl.tld2.db +rndc_reload ns2 $ns2 bl.tld2 +add_librpz_rule "update zone bl.tld2 1 inc" +ck_soa 2 bl.tld2 $ns3 +add_librpz_rule "wipe" +produce_librpz_rules ns2 bl.tld2 bl.tld2 +nochange a7-1.tld2 # 19 PASSTHRU +# ensure that a clock tick has occurred so that named will do the reload +sleep 1 +cp ns2/blv3.tld2.db.in ns2/bl.tld2.db +rndc_reload ns2 $ns2 bl.tld2 +add_librpz_rule "update zone bl.tld2 1 inc" +ck_soa 3 bl.tld2 $ns3 +produce_librpz_rules ns2 bl.tld2 bl.tld2 +nxdomain a7-1.tld2 # 20 secondary policy zone (RT34450) +end_group +ckstats $ns3 test2 ns3 12 - # check that IP addresses for previous group were deleted from the radix tree - start_group "radix tree deletions" - nochange a3-1.tld2 - nochange a3-2.tld2 - nochange a4-1.tld2 - nochange a4-2.tld2 - nochange a4-2.tld2 -taaaa - nochange a4-2.tld2 -ttxt - nochange a4-2.tld2 -tany - nochange a4-3.tld2 - 
nochange a3-1.tld2 -tAAAA - nochange a4-1-aaaa.tld2 -tAAAA - nochange a5-1-2.tld2 - end_group - ckstats $ns3 'radix tree deletions' ns3 0 +# check that IP addresses for previous group were deleted from the radix tree +start_group "radix tree deletions" +nochange a3-1.tld2 +nochange a3-2.tld2 +nochange a4-1.tld2 +nochange a4-2.tld2 +nochange a4-2.tld2 -taaaa +nochange a4-2.tld2 -ttxt +nochange a4-2.tld2 -tany +nochange a4-3.tld2 +nochange a3-1.tld2 -tAAAA +nochange a4-1-aaaa.tld2 -tAAAA +nochange a5-1-2.tld2 +end_group +ckstats $ns3 'radix tree deletions' ns3 0 - # these tests assume "min-ns-dots 0" - start_group "NSDNAME rewrites" test3 - nextpart ns3/named.run >/dev/null - nochange a3-1.tld2 # 1 - nochange a3-1.tld2 +dnssec # 2 this once caused problems - nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME - nxdomain a3-1.subsub.sub1.tld2 # 4 - nxdomain a3-1.subsub.sub1.tld2 -tany # 5 - addr 12.12.12.12 a4-2.subsub.sub2.tld2 # 6 walled garden for *.sub2.tld2 - nochange a3-2.tld2. # 7 exempt rewrite by name - nochange a0-1.tld2. # 8 exempt rewrite by address block - addr 12.12.12.12 a4-1.tld2 # 9 prefer QNAME policy to NSDNAME - addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME - addr 127.0.0.2 a3-1.subsub.sub3.tld2 # 11 - nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash +# these tests assume "min-ns-dots 0" +start_group "NSDNAME rewrites" test3 +nextpart ns3/named.run >/dev/null +nochange a3-1.tld2 # 1 +nochange a3-1.tld2 +dnssec # 2 this once caused problems +nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME +nxdomain a3-1.subsub.sub1.tld2 # 4 +nxdomain a3-1.subsub.sub1.tld2 -tany # 5 +addr 12.12.12.12 a4-2.subsub.sub2.tld2 # 6 walled garden for *.sub2.tld2 +nochange a3-2.tld2. # 7 exempt rewrite by name +nochange a0-1.tld2. 
# 8 exempt rewrite by address block +addr 12.12.12.12 a4-1.tld2 # 9 prefer QNAME policy to NSDNAME +addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME +addr 127.0.0.2 a3-1.subsub.sub3.tld2 # 11 +nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash - nxdomain a3-1.stub # 13 - nxdomain a3-1.static-stub # 14 - nochange_ns10 a3-1.stub-nomatch # 15 - nochange_ns10 a3-1.static-stub-nomatch # 16 - nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" \ - && setret "seen: unrecognized NS rpz_rrset_find() failed: glue" - end_group - ckstats $ns3 test3 ns3 9 +nxdomain a3-1.stub # 13 +nxdomain a3-1.static-stub # 14 +nochange_ns10 a3-1.stub-nomatch # 15 +nochange_ns10 a3-1.static-stub-nomatch # 16 +nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" \ + && setret "seen: unrecognized NS rpz_rrset_find() failed: glue" +end_group +ckstats $ns3 test3 ns3 9 - # these tests assume "min-ns-dots 0" - start_group "NSIP rewrites" test4 - nextpart ns3/named.run >/dev/null - nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2 - nochange a3-2.tld2. # 2 exempt rewrite by name - nochange a0-1.tld2. # 3 exempt rewrite by address block - nochange a3-1.tld4 # 4 different NS IP address - nxdomain a4-1.stub # 5 - nxdomain a4-1.static-stub # 6 - nochange_ns10 a4-1.stub-nomatch # 7 - nochange_ns10 a4-1.static-stub-nomatch # 8 - nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" \ - && setret "seen: unrecognized NS rpz_rrset_find() failed: glue" - end_group +# these tests assume "min-ns-dots 0" +start_group "NSIP rewrites" test4 +nextpart ns3/named.run >/dev/null +nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2 +nochange a3-2.tld2. # 2 exempt rewrite by name +nochange a0-1.tld2. 
# 3 exempt rewrite by address block +nochange a3-1.tld4 # 4 different NS IP address +nxdomain a4-1.stub # 5 +nxdomain a4-1.static-stub # 6 +nochange_ns10 a4-1.stub-nomatch # 7 +nochange_ns10 a4-1.static-stub-nomatch # 8 +nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" \ + && setret "seen: unrecognized NS rpz_rrset_find() failed: glue" +end_group - start_group "walled garden NSIP rewrites" test4a - addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2 - addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2 - here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2 +start_group "walled garden NSIP rewrites" test4a +addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2 +addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2 +here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2 ;; status: NOERROR, x a3-1.tld2. x IN TXT "NSIP walled garden" EOF - end_group - ckstats $ns3 test4 ns3 6 +end_group +ckstats $ns3 test4 ns3 6 - # policies in ./test5 overridden by response-policy{} in ns3/named.conf - # and in ns5/named.conf - start_group "policy overrides" test5 - addr 127.0.0.1 a3-1.tld2 # 1 bl-given - nochange a3-2.tld2 # 2 bl-passthru - nochange a3-3.tld2 # 3 bl-no-op (obsolete for passthru) - nochange a3-4.tld2 # 4 bl-disabled - nodata a3-5.tld2 # 5 bl-nodata zone recursive-only no - nodata a3-5.tld2 +norecurse # 6 bl-nodata zone recursive-only no - nodata a3-5.tld2 # 7 bl-nodata not needed - nxdomain a3-5.tld2 +norecurse @$ns5 # 8 bl-nodata global recursive-only no - nxdomain a3-5.tld2s @$ns5 # 9 bl-nodata global break-dnssec - nxdomain a3-5.tld2s +dnssec @$ns5 # 10 bl-nodata global break-dnssec - nxdomain a3-6.tld2 # 11 bl-nxdomain - here a3-7.tld2 -tany <<'EOF' # 12 +# policies in ./test5 overridden by response-policy{} in ns3/named.conf +# and in ns5/named.conf +start_group "policy overrides" test5 +addr 127.0.0.1 a3-1.tld2 # 1 bl-given +nochange a3-2.tld2 # 2 bl-passthru +nochange a3-3.tld2 
# 3 bl-no-op (obsolete for passthru) +nochange a3-4.tld2 # 4 bl-disabled +nodata a3-5.tld2 # 5 bl-nodata zone recursive-only no +nodata a3-5.tld2 +norecurse # 6 bl-nodata zone recursive-only no +nodata a3-5.tld2 # 7 bl-nodata not needed +nxdomain a3-5.tld2 +norecurse @$ns5 # 8 bl-nodata global recursive-only no +nxdomain a3-5.tld2s @$ns5 # 9 bl-nodata global break-dnssec +nxdomain a3-5.tld2s +dnssec @$ns5 # 10 bl-nodata global break-dnssec +nxdomain a3-6.tld2 # 11 bl-nxdomain +here a3-7.tld2 -tany <<'EOF' # 12 ;; status: NOERROR, x a3-7.tld2. x IN CNAME txt-only.tld2. txt-only.tld2. x IN TXT "txt-only-tld2" EOF - addr 58.58.58.58 a3-8.tld2 # 13 bl_wildcname - addr 59.59.59.59 a3-9.sub9.tld2 # 14 bl_wildcname - addr 12.12.12.12 a3-15.tld2 # 15 bl-garden via CNAME to a12.tld2 - addr 127.0.0.16 a3-16.tld2 100 # 16 bl max-policy-ttl 100 - addr 17.17.17.17 "a3-17.tld2 @$ns5" 90 # 17 ns5 bl max-policy-ttl 90 - drop a3-18.tld2 any # 18 bl-drop - nxdomain TCP a3-19.tld2 # 19 bl-tcp-only - end_group - ckstats $ns3 test5 ns3 12 - ckstats $ns5 test5 ns5 4 +addr 58.58.58.58 a3-8.tld2 # 13 bl_wildcname +addr 59.59.59.59 a3-9.sub9.tld2 # 14 bl_wildcname +addr 12.12.12.12 a3-15.tld2 # 15 bl-garden via CNAME to a12.tld2 +addr 127.0.0.16 a3-16.tld2 100 # 16 bl max-policy-ttl 100 +addr 17.17.17.17 "a3-17.tld2 @$ns5" 90 # 17 ns5 bl max-policy-ttl 90 +drop a3-18.tld2 any # 18 bl-drop +nxdomain TCP a3-19.tld2 # 19 bl-tcp-only +end_group +ckstats $ns3 test5 ns3 12 +ckstats $ns5 test5 ns5 4 - # check that miscellaneous bugs are still absent - add_librpz_rule "wipe" - start_group "crashes" test6 - for Q in RRSIG SIG ANY 'ANY +dnssec'; do - nocrash a3-1.tld2 -t$Q - nocrash a3-2.tld2 -t$Q - nocrash a3-5.tld2 -t$Q - nocrash www.redirect -t$Q - nocrash www.credirect -t$Q - done - - # This is not a bug, because any data leaked by writing 24.4.3.2.10.rpz-ip - # (or whatever) is available by publishing "foo A 10.2.3.4" and then - # resolving foo. 
- # nxdomain 32.3.2.1.127.rpz-ip - end_group - ckstats $ns3 bugs ns3 8 - - # superficial test for major performance bugs - QPERF=$(sh qperf.sh) - if test -n "$QPERF"; then - perf() { - date "+${TS}checking performance $1" | cat_i - # Dry run to prime everything - comment "before dry run $1" - $RNDCCMD $ns5 notrace - $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p ${PORT} >/dev/null - comment "before real test $1" - PFILE="ns5/$2.perf" - $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p ${PORT} >$PFILE - comment "after test $1" - X=$(sed -n -e 's/.*Returned *\([^ ]*:\) *\([0-9]*\) .*/\1\2/p' $PFILE \ - | tr '\n' ' ') - if test "$X" != "$3"; then - setret "wrong results '$X' in $PFILE" - fi - ckalive $ns5 "failed; server #5 crashed" - } - trim() { - sed -n -e 's/.*Queries per second: *\([0-9]*\).*/\1/p' ns5/$1.perf - } - - # get qps with rpz - perf 'with RPZ' rpz 'NOERROR:2900 NXDOMAIN:100 ' - RPZ=$(trim rpz) - # turn off rpz and measure qps again - echo "# RPZ off" >ns5/rpz-switch - RNDCCMD_OUT=$($RNDCCMD $ns5 reload) - perf 'without RPZ' norpz 'NOERROR:3000 ' - NORPZ=$(trim norpz) - - PERCENT=$(((RPZ * 100 + (NORPZ / 2)) / NORPZ)) - echo_i "$RPZ qps with RPZ is $PERCENT% of $NORPZ qps without RPZ" - - MIN_PERCENT=30 - if test "$PERCENT" -lt $MIN_PERCENT; then - echo_i "$RPZ qps with rpz or $PERCENT% is below $MIN_PERCENT% of $NORPZ qps" - fi - - if test "$PERCENT" -ge 100; then - echo_i "$RPZ qps with RPZ or $PERCENT% of $NORPZ qps without RPZ is too high" - fi - - ckstats $ns5 performance ns5 200 - - else - echo_i "performance not checked; queryperf not available" - fi - - # Ensure ns3 manages to transfer the fast-expire zone before shutdown. - nextpartreset ns3/named.run - wait_for_log 20 "zone fast-expire/IN: transferred serial 1" ns3/named.run - - # reconfigure the ns5 primary server without the fast-expire zone, so - # it can't be refreshed on ns3, and will expire in 5 seconds. 
- cat /dev/null >ns5/expire.conf - rndc_reconfig ns5 10.53.0.5 - - # restart the main test RPZ server to see if that creates a core file - if test -z "$HAVE_CORE"; then - stop_server --use-rndc --port ${CONTROLPORT} ns3 - add_librpz_rule "restart" - restart 3 "rebuild-bl-rpz" - HAVE_CORE=$(find ns* -name '*core*' -print) - test -z "$HAVE_CORE" || setret "found $HAVE_CORE; memory leak?" - fi - - # look for complaints from lib/dns/rpz.c and bin/name/query.c - for runfile in ns*/named.run; do - EMSGS=$(nextpart $runfile | grep -E -l 'invalid rpz|rpz.*failed' || true) - if test -n "$EMSGS"; then - setret "error messages in $runfile starting with:" - grep -E 'invalid rpz|rpz.*failed' ns*/named.run \ - | sed -e '10,$d' -e 's/^//' | cat_i - fi - done - - if [ native = "$mode" ]; then - # restart the main test RPZ server with a bad zone. - t=$((t + 1)) - echo_i "checking that ns3 with broken rpz does not crash (${t})" - stop_server --use-rndc --port ${CONTROLPORT} ns3 - cp ns3/broken.db.in ns3/bl.db - restart 3 # do not rebuild rpz zones - nocrash a3-1.tld2 -tA - stop_server --use-rndc --port ${CONTROLPORT} ns3 - restart 3 "rebuild-bl-rpz" - - t=$((t + 1)) - echo_i "checking if rpz survives a certain class of failed reconfiguration attempts (${t})" - sed -e "s/^#BAD//" ns3/named.conf.tmp - copy_setports ns3/named.conf.tmp ns3/named.conf - rm ns3/named.conf.tmp - $RNDCCMD $ns3 reconfig >/dev/null 2>&1 && setret "failed" - sleep 1 - copy_setports ns3/named.conf.in ns3/named.conf - $RNDCCMD $ns3 reconfig || setret "failed" - - t=$((t + 1)) - echo_i "checking the configured extended DNS error code (EDE) (${t})" - $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t || setret "failed" - grep -F "EDE: 4 (Forged Answer)" dig.out.$t >/dev/null || setret "failed" - - # reload a RPZ zone that is now deliberately broken. 
- t=$((t + 1)) - echo_i "checking rpz failed update will keep previous rpz rules (${t})" - $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t.before || setret "failed" - grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.before >/dev/null || setret "failed" - cp ns3/broken.db.in ns3/manual-update-rpz.db - rndc_reload ns3 $ns3 manual-update-rpz - sleep 1 - # ensure previous RPZ rules still apply. - $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t.after || setret "failed" - grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.after >/dev/null || setret "failed" - - t=$((t + 1)) - echo_i "checking the default (unset) extended DNS error code (EDE) (${t})" - $DIG -p ${PORT} @$ns3 a6-2.tld2. A >dig.out.$t || setret "failed" - grep -F "EDE: " dig.out.$t >/dev/null && setret "failed" - - t=$((t + 1)) - echo_i "checking reload of a mixed-case RPZ zone (${t})" - # First, a sanity check: the A6-2.TLD2.mixed-case-rpz RPZ record should - # cause a6-2.tld2 NOERROR answers to be rewritten to NXDOMAIN answers. - $DIG -p ${PORT} @$ns3 a6-2.tld2. A >dig.out.$t.before || setret "failed" - grep "status: NXDOMAIN" dig.out.$t.before >/dev/null || setret "failed" - # Add a sibling name (a6-1.tld2.mixed-case-rpz, with "tld2" in lowercase - # rather than uppercase) before A6-2.TLD.mixed-case-rpz. - nextpart ns3/named.run >/dev/null - cp ns3/mixed-case-rpz-2.db.in ns3/mixed-case-rpz.db - rndc_reload ns3 $ns3 mixed-case-rpz - wait_for_log 20 "rpz: mixed-case-rpz: reload done" ns3/named.run - # a6-2.tld2 NOERROR answers should still be rewritten to NXDOMAIN answers. - # (The bug we try to trigger here caused a6-2.tld2.mixed-case-rpz to be - # erroneously removed from the summary RPZ database after reload.) - $DIG -p ${PORT} @$ns3 a6-2.tld2. 
A >dig.out.$t.after || setret "failed" - grep "status: NXDOMAIN" dig.out.$t.after >/dev/null || setret "failed" - fi - - t=$((t + 1)) - echo_i "checking that ttl values are not zeroed when qtype is '*' (${t})" - $DIG +noall +answer -p ${PORT} @$ns3 any a3-2.tld2 >dig.out.$t || setret "failed" - ttl=$(awk '/a3-2 tld2 text/ {print $2}' dig.out.$t) - if test ${ttl:=0} -eq 0; then setret "failed"; fi - - t=$((t + 1)) - echo_i "checking rpz updates/transfers with parent nodes added after children (${t})" - # regression test for RT #36272: the success condition - # is the secondary server not crashing. - for i in 1 2 3 4 5; do - nsd $ns5 add example.com.policy1. '*.example.com.policy1.' - nsd $ns5 delete example.com.policy1. '*.example.com.policy1.' - done - for i in 1 2 3 4 5; do - nsd $ns5 add '*.example.com.policy1.' example.com.policy1. - nsd $ns5 delete '*.example.com.policy1.' example.com.policy1. - done - - t=$((t + 1)) - echo_i "checking that going from an empty policy zone works (${t})" - nsd $ns5 add '*.x.servfail.policy2.' x.servfail.policy2. - add_librpz_rule "update add *.x.servfail.policy2 300 CNAME ." 
- sleep 1 - rndc_reload ns7 $ns7 policy2 - $DIG z.x.servfail -p ${PORT} @$ns7 >dig.out.${t} || setret "failed" - grep NXDOMAIN dig.out.${t} >/dev/null || setret "failed" - - t=$((t + 1)) - echo_i "checking that 'ede none' works same way as when \"ede\" is unset (${t})" - $DIG z.x.servfail -p ${PORT} @$ns7 >dig.out.${t} || setret "failed" - grep -F "EDE: " dig.out.${t} >/dev/null && setret "failed" - - t=$((t + 1)) - echo_i "checking that 'add-soa no' at rpz zone level works (${t})" - $DIG z.x.servfail -p ${PORT} @$ns7 >dig.out.${t} || setret "failed" - grep SOA dig.out.${t} >/dev/null && setret "failed" - - if [ native = "$mode" ]; then - t=$((t + 1)) - echo_i "checking that 'add-soa yes' at response-policy level works (${t})" - $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 >dig.out.${t} || setret "failed" - grep "^manual-update-rpz\..*SOA" dig.out.${t} >/dev/null || setret "failed" - fi - - if [ native = "$mode" ]; then - t=$((t + 1)) - echo_i "reconfiguring server with 'add-soa no' (${t})" - cp ns3/named.conf ns3/named.conf.tmp - sed -e "s/add-soa yes/add-soa no/g" ns3/named.conf - rndc_reconfig ns3 $ns3 - echo_i "checking that 'add-soa no' at response-policy level works (${t})" - $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 >dig.out.${t} || setret "failed" - grep "^manual-update-rpz\..*SOA" dig.out.${t} >/dev/null && setret "failed" - fi - - if [ native = "$mode" ]; then - t=$((t + 1)) - echo_i "checking that 'add-soa unset' works (${t})" - $DIG walled.tld2 -p ${PORT} +noall +add @$ns8 >dig.out.${t} || setret "failed" - grep "^manual-update-rpz\..*SOA" dig.out.${t} >/dev/null || setret "failed" - fi - - # dnsrps does not allow NS RRs in policy zones, so this check - # with dnsrps results in no rewriting. 
- if [ native = "$mode" ]; then - t=$((t + 1)) - echo_i "checking rpz with delegation fails correctly (${t})" - $DIG -p ${PORT} @$ns3 ns example.com >dig.out.$t || setret "failed" - grep "status: SERVFAIL" dig.out.$t >/dev/null || setret "failed" - - t=$((t + 1)) - echo_i "checking policies from expired zone are no longer in effect ($t)" - $DIG -p ${PORT} @$ns3 a expired >dig.out.$t || setret "failed" - grep "expired.*10.0.0.10" dig.out.$t >/dev/null && setret "failed" - grep "fast-expire/IN: response-policy zone expired" ns3/named.run >/dev/null || setret "failed" - fi - - # RPZ 'CNAME *.' (NODATA) trumps DNS64. Test against various DNS64 scenarios. - produce_librpz_rules ns9 rpz rpz - for label in a-only no-a-no-aaaa a-plus-aaaa; do - for type in AAAA A; do - t=$((t + 1)) - case $label in - a-only) - echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with A-only (${t})" - ;; - no-a-no-aaaa) - echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with no A or AAAA (${t})" - ;; - a-plus-aaaa) - echo_i "checking rpz 'CNAME *.' 
(NODATA) with dns64, $type lookup with A and AAAA (${t})" - ;; - esac - ret=0 - $DIG ${label}.example -p ${PORT} $type @10.53.0.9 >dig.out.${t} || setret "failed" - grep "status: NOERROR" dig.out.$t >/dev/null || ret=1 - grep "ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2$" dig.out.$t >/dev/null || ret=1 - grep "^rpz" dig.out.$t >/dev/null || ret=1 - [ $ret -eq 0 ] || echo_i "failed" - status=$((status + ret)) - done - done - - if [ native = "$mode" ]; then - t=$((t + 1)) - echo_i "checking that rewriting CD=1 queries handles pending data correctly (${t})" - $RNDCCMD $ns3 flush - $RNDCCMD $ns6 flush - $DIG a7-2.tld2s -p ${PORT} @$ns6 +cd >dig.out.${t} || setret "failed" - grep -w "1.1.1.1" dig.out.${t} >/dev/null || setret "failed" - fi - - [ $status -ne 0 ] && pf=fail || pf=pass - case $mode in - native) - native=$status - echo_i "status (native RPZ sub-test): $status ($pf)" - ;; - - dnsrps) - dnsrps=$status - echo_i "status (DNSRPS sub-test): $status ($pf)" - ;; - *) echo_i "invalid test mode" ;; - esac +# check that miscellaneous bugs are still absent +add_librpz_rule "wipe" +start_group "crashes" test6 +for Q in RRSIG SIG ANY 'ANY +dnssec'; do + nocrash a3-1.tld2 -t$Q + nocrash a3-2.tld2 -t$Q + nocrash a3-5.tld2 -t$Q + nocrash www.redirect -t$Q + nocrash www.credirect -t$Q done -status=$((native + dnsrps)) + +# This is not a bug, because any data leaked by writing 24.4.3.2.10.rpz-ip +# (or whatever) is available by publishing "foo A 10.2.3.4" and then +# resolving foo. 
+# nxdomain 32.3.2.1.127.rpz-ip +end_group +ckstats $ns3 bugs ns3 8 + +# superficial test for major performance bugs +QPERF=$(sh qperf.sh) +if test -n "$QPERF"; then + perf() { + date "+${TS}checking performance $1" | cat_i + # Dry run to prime everything + comment "before dry run $1" + $RNDCCMD $ns5 notrace + $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p ${PORT} >/dev/null + comment "before real test $1" + PFILE="ns5/$2.perf" + $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p ${PORT} >$PFILE + comment "after test $1" + X=$(sed -n -e 's/.*Returned *\([^ ]*:\) *\([0-9]*\) .*/\1\2/p' $PFILE \ + | tr '\n' ' ') + if test "$X" != "$3"; then + setret "wrong results '$X' in $PFILE" + fi + ckalive $ns5 "failed; server #5 crashed" + } + trim() { + sed -n -e 's/.*Queries per second: *\([0-9]*\).*/\1/p' ns5/$1.perf + } + + # get qps with rpz + perf 'with RPZ' rpz 'NOERROR:2900 NXDOMAIN:100 ' + RPZ=$(trim rpz) + # turn off rpz and measure qps again + echo "# RPZ off" >ns5/rpz-switch + RNDCCMD_OUT=$($RNDCCMD $ns5 reload) + perf 'without RPZ' norpz 'NOERROR:3000 ' + NORPZ=$(trim norpz) + + PERCENT=$(((RPZ * 100 + (NORPZ / 2)) / NORPZ)) + echo_i "$RPZ qps with RPZ is $PERCENT% of $NORPZ qps without RPZ" + + MIN_PERCENT=30 + if test "$PERCENT" -lt $MIN_PERCENT; then + echo_i "$RPZ qps with rpz or $PERCENT% is below $MIN_PERCENT% of $NORPZ qps" + fi + + if test "$PERCENT" -ge 100; then + echo_i "$RPZ qps with RPZ or $PERCENT% of $NORPZ qps without RPZ is too high" + fi + + ckstats $ns5 performance ns5 200 + +else + echo_i "performance not checked; queryperf not available" +fi + +# Ensure ns3 manages to transfer the fast-expire zone before shutdown. +nextpartreset ns3/named.run +wait_for_log 20 "zone fast-expire/IN: transferred serial 1" ns3/named.run + +# reconfigure the ns5 primary server without the fast-expire zone, so +# it can't be refreshed on ns3, and will expire in 5 seconds. 
+cat /dev/null >ns5/expire.conf +rndc_reconfig ns5 10.53.0.5 + +# restart the main test RPZ server to see if that creates a core file +if test -z "$HAVE_CORE"; then + stop_server --use-rndc --port ${CONTROLPORT} ns3 + add_librpz_rule "restart" + restart 3 "rebuild-bl-rpz" + HAVE_CORE=$(find ns* -name '*core*' -print) + test -z "$HAVE_CORE" || setret "found $HAVE_CORE; memory leak?" +fi + +# look for complaints from lib/dns/rpz.c and bin/name/query.c +for runfile in ns*/named.run; do + EMSGS=$(nextpart $runfile | grep -E -l 'invalid rpz|rpz.*failed' || true) + if test -n "$EMSGS"; then + setret "error messages in $runfile starting with:" + grep -E 'invalid rpz|rpz.*failed' ns*/named.run \ + | sed -e '10,$d' -e 's/^//' | cat_i + fi +done + +if [ native = "$MODE" ]; then + # restart the main test RPZ server with a bad zone. + t=$((t + 1)) + echo_i "checking that ns3 with broken rpz does not crash (${t})" + stop_server --use-rndc --port ${CONTROLPORT} ns3 + cp ns3/broken.db.in ns3/bl.db + restart 3 # do not rebuild rpz zones + nocrash a3-1.tld2 -tA + stop_server --use-rndc --port ${CONTROLPORT} ns3 + restart 3 "rebuild-bl-rpz" + + t=$((t + 1)) + echo_i "checking if rpz survives a certain class of failed reconfiguration attempts (${t})" + sed -e "s/^#BAD//" ns3/named.conf.tmp + copy_setports ns3/named.conf.tmp ns3/named.conf + rm ns3/named.conf.tmp + $RNDCCMD $ns3 reconfig >/dev/null 2>&1 && setret "failed" + sleep 1 + copy_setports ns3/named.conf.in ns3/named.conf + $RNDCCMD $ns3 reconfig || setret "failed" + + t=$((t + 1)) + echo_i "checking the configured extended DNS error code (EDE) (${t})" + $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t || setret "failed" + grep -F "EDE: 4 (Forged Answer)" dig.out.$t >/dev/null || setret "failed" + + # reload a RPZ zone that is now deliberately broken. 
+ t=$((t + 1)) + echo_i "checking rpz failed update will keep previous rpz rules (${t})" + $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t.before || setret "failed" + grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.before >/dev/null || setret "failed" + cp ns3/broken.db.in ns3/manual-update-rpz.db + rndc_reload ns3 $ns3 manual-update-rpz + sleep 1 + # ensure previous RPZ rules still apply. + $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t.after || setret "failed" + grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.after >/dev/null || setret "failed" + + t=$((t + 1)) + echo_i "checking the default (unset) extended DNS error code (EDE) (${t})" + $DIG -p ${PORT} @$ns3 a6-2.tld2. A >dig.out.$t || setret "failed" + grep -F "EDE: " dig.out.$t >/dev/null && setret "failed" + + t=$((t + 1)) + echo_i "checking reload of a mixed-case RPZ zone (${t})" + # First, a sanity check: the A6-2.TLD2.mixed-case-rpz RPZ record should + # cause a6-2.tld2 NOERROR answers to be rewritten to NXDOMAIN answers. + $DIG -p ${PORT} @$ns3 a6-2.tld2. A >dig.out.$t.before || setret "failed" + grep "status: NXDOMAIN" dig.out.$t.before >/dev/null || setret "failed" + # Add a sibling name (a6-1.tld2.mixed-case-rpz, with "tld2" in lowercase + # rather than uppercase) before A6-2.TLD.mixed-case-rpz. + nextpart ns3/named.run >/dev/null + cp ns3/mixed-case-rpz-2.db.in ns3/mixed-case-rpz.db + rndc_reload ns3 $ns3 mixed-case-rpz + wait_for_log 20 "rpz: mixed-case-rpz: reload done" ns3/named.run + # a6-2.tld2 NOERROR answers should still be rewritten to NXDOMAIN answers. + # (The bug we try to trigger here caused a6-2.tld2.mixed-case-rpz to be + # erroneously removed from the summary RPZ database after reload.) + $DIG -p ${PORT} @$ns3 a6-2.tld2. 
A >dig.out.$t.after || setret "failed" + grep "status: NXDOMAIN" dig.out.$t.after >/dev/null || setret "failed" +fi + +t=$((t + 1)) +echo_i "checking that ttl values are not zeroed when qtype is '*' (${t})" +$DIG +noall +answer -p ${PORT} @$ns3 any a3-2.tld2 >dig.out.$t || setret "failed" +ttl=$(awk '/a3-2 tld2 text/ {print $2}' dig.out.$t) +if test ${ttl:=0} -eq 0; then setret "failed"; fi + +t=$((t + 1)) +echo_i "checking rpz updates/transfers with parent nodes added after children (${t})" +# regression test for RT #36272: the success condition +# is the secondary server not crashing. +for i in 1 2 3 4 5; do + nsd $ns5 add example.com.policy1. '*.example.com.policy1.' + nsd $ns5 delete example.com.policy1. '*.example.com.policy1.' +done +for i in 1 2 3 4 5; do + nsd $ns5 add '*.example.com.policy1.' example.com.policy1. + nsd $ns5 delete '*.example.com.policy1.' example.com.policy1. +done + +t=$((t + 1)) +echo_i "checking that going from an empty policy zone works (${t})" +nsd $ns5 add '*.x.servfail.policy2.' x.servfail.policy2. +add_librpz_rule "update add *.x.servfail.policy2 300 CNAME ." 
+sleep 1 +rndc_reload ns7 $ns7 policy2 +$DIG z.x.servfail -p ${PORT} @$ns7 >dig.out.${t} || setret "failed" +grep NXDOMAIN dig.out.${t} >/dev/null || setret "failed" + +t=$((t + 1)) +echo_i "checking that 'ede none' works same way as when \"ede\" is unset (${t})" +$DIG z.x.servfail -p ${PORT} @$ns7 >dig.out.${t} || setret "failed" +grep -F "EDE: " dig.out.${t} >/dev/null && setret "failed" + +t=$((t + 1)) +echo_i "checking that 'add-soa no' at rpz zone level works (${t})" +$DIG z.x.servfail -p ${PORT} @$ns7 >dig.out.${t} || setret "failed" +grep SOA dig.out.${t} >/dev/null && setret "failed" + +if [ native = "$MODE" ]; then + t=$((t + 1)) + echo_i "checking that 'add-soa yes' at response-policy level works (${t})" + $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 >dig.out.${t} || setret "failed" + grep "^manual-update-rpz\..*SOA" dig.out.${t} >/dev/null || setret "failed" +fi + +if [ native = "$MODE" ]; then + t=$((t + 1)) + echo_i "reconfiguring server with 'add-soa no' (${t})" + cp ns3/named.conf ns3/named.conf.tmp + sed -e "s/add-soa yes/add-soa no/g" ns3/named.conf + rndc_reconfig ns3 $ns3 + echo_i "checking that 'add-soa no' at response-policy level works (${t})" + $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 >dig.out.${t} || setret "failed" + grep "^manual-update-rpz\..*SOA" dig.out.${t} >/dev/null && setret "failed" +fi + +if [ native = "$MODE" ]; then + t=$((t + 1)) + echo_i "checking that 'add-soa unset' works (${t})" + $DIG walled.tld2 -p ${PORT} +noall +add @$ns8 >dig.out.${t} || setret "failed" + grep "^manual-update-rpz\..*SOA" dig.out.${t} >/dev/null || setret "failed" +fi + +# dnsrps does not allow NS RRs in policy zones, so this check +# with dnsrps results in no rewriting. 
+if [ native = "$MODE" ]; then + t=$((t + 1)) + echo_i "checking rpz with delegation fails correctly (${t})" + $DIG -p ${PORT} @$ns3 ns example.com >dig.out.$t || setret "failed" + grep "status: SERVFAIL" dig.out.$t >/dev/null || setret "failed" + + t=$((t + 1)) + echo_i "checking policies from expired zone are no longer in effect ($t)" + $DIG -p ${PORT} @$ns3 a expired >dig.out.$t || setret "failed" + grep "expired.*10.0.0.10" dig.out.$t >/dev/null && setret "failed" + grep "fast-expire/IN: response-policy zone expired" ns3/named.run >/dev/null || setret "failed" +fi + +# RPZ 'CNAME *.' (NODATA) trumps DNS64. Test against various DNS64 scenarios. +produce_librpz_rules ns9 rpz rpz +for label in a-only no-a-no-aaaa a-plus-aaaa; do + for type in AAAA A; do + t=$((t + 1)) + case $label in + a-only) + echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with A-only (${t})" + ;; + no-a-no-aaaa) + echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with no A or AAAA (${t})" + ;; + a-plus-aaaa) + echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with A and AAAA (${t})" + ;; + esac + ret=0 + $DIG ${label}.example -p ${PORT} $type @10.53.0.9 >dig.out.${t} || setret "failed" + grep "status: NOERROR" dig.out.$t >/dev/null || ret=1 + grep "ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2$" dig.out.$t >/dev/null || ret=1 + grep "^rpz" dig.out.$t >/dev/null || ret=1 + [ $ret -eq 0 ] || echo_i "failed" + status=$((status + ret)) + done +done + +if [ native = "$MODE" ]; then + t=$((t + 1)) + echo_i "checking that rewriting CD=1 queries handles pending data correctly (${t})" + $RNDCCMD $ns3 flush + $RNDCCMD $ns6 flush + $DIG a7-2.tld2s -p ${PORT} @$ns6 +cd >dig.out.${t} || setret "failed" + grep -w "1.1.1.1" dig.out.${t} >/dev/null || setret "failed" +fi [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/rpz/tests_sh_rpz_dnsrps.py b/bin/tests/system/rpz/tests_sh_rpz_dnsrps.py new file mode 100644 index 0000000000..cca6f4d765 --- /dev/null 
+++ b/bin/tests/system/rpz/tests_sh_rpz_dnsrps.py
@@ -0,0 +1,26 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import isctest.mark
+
+pytestmark = isctest.mark.dnsrps_enabled
+
+
+def test_rpz_dnsrps(run_tests_sh):
+ with open("dnsrps.conf", "w", encoding="utf-8") as conf:
+ conf.writelines(
+ [
+ "dnsrps-options { log-level 3 };"
+ "dnsrps-enable yes;"
+ 'dnsrps-library "../../rpz/testlib/.libs/libdummyrpz.so";'
+ ]
+ )
+ run_tests_sh()
diff --git a/bin/tests/system/rpzrecurse/setup.sh b/bin/tests/system/rpzrecurse/setup.sh
index c92956f75c..6c16337478 100644
--- a/bin/tests/system/rpzrecurse/setup.sh
+++ b/bin/tests/system/rpzrecurse/setup.sh
@@ -17,29 +17,7 @@ set -e
 . ../conf.sh
-USAGE="$0: [-DNx]"
-DEBUG=
-while getopts "DNx" c; do
- case $c in
- x)
- set -x
- DEBUG=-x
- ;;
- D) TEST_DNSRPS="-D" ;;
- N) NOCLEAN=set ;;
- *)
- echo "$USAGE" 1>&2
- exit 1
- ;;
- esac
-done
-shift $((OPTIND - 1))
-if test "$#" -ne 0; then
- echo "$USAGE" 1>&2
- exit 1
-fi
-
-[ ${NOCLEAN:-unset} = unset ] && $SHELL clean.sh $DEBUG
+$SHELL clean.sh
 $PERL testgen.pl
@@ -52,9 +30,7 @@ copy_setports ns3/named1.conf.in ns3/named.conf
 copy_setports ns4/named.conf.in ns4/named.conf
-# decide whether to test DNSRPS
-$SHELL ../ckdnsrps.sh $TEST_DNSRPS $DEBUG
-test -z "$(grep 'dnsrps-enable yes' dnsrps.conf)" && TEST_DNSRPS=
+touch dnsrps.conf
 touch dnsrps.cache
 # setup policy zones for a 64-zone test
diff --git a/bin/tests/system/rpzrecurse/tests.sh b/bin/tests/system/rpzrecurse/tests.sh
index e414bf04d8..ec6b14399d 100644
--- a/bin/tests/system/rpzrecurse/tests.sh
+++ b/bin/tests/system/rpzrecurse/tests.sh
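Review bot: The three string literals in the `writelines` list of `test_rpz_dnsrps` have no commas between them, so Python concatenates them into a single element and dnsrps.conf is written as one line with no trailing newline (`dnsrps-options { log-level 3 };dnsrps-enable yes;dnsrps-library "...";`). `writelines` adds no separators itself, so each directive should be its own comma-separated element ending in a newline: `"dnsrps-options { log-level 3 };\n",` / `"dnsrps-enable yes;\n",` / `'dnsrps-library "../../rpz/testlib/.libs/libdummyrpz.so";\n',`. The mode detection added to rpzrecurse/tests.sh in this commit greps for `dnsrps-enable yes;` unanchored, so it still matches the concatenated line today, but any anchored match or line-oriented reader of this file would not. A one-line docstring such as `"""Run the rpz shell tests with DNSRPS enabled via the dummy rpz library."""` would also help, since the module-level `pytestmark` is the only hint of what the test varies.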
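Review bot: `touch dnsrps.conf` in the second setup.sh hunk preserves whatever the file already contains, which looks deliberate — tests_sh_rpz_dnsrps.py in this commit writes dnsrps.conf before calling `run_tests_sh`, and the rpzrecurse wrapper presumably does the same — but nothing in the hunk says so, and a later reader could "fix" it to a truncating `: >dnsrps.conf` and silently disable the dnsrps run. A comment would pin the contract: `# dnsrps.conf may already have been written by the dnsrps test wrapper; only make sure it exists so tests.sh can grep it`. Whether the `$SHELL clean.sh` run earlier in this script removes dnsrps.conf is not visible here (rpz/clean.sh does); if it does, the wrapper-written file is gone by the time this line runs, so the ordering between wrapper, clean.sh and setup.sh is worth confirming.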
@@ -23,17 +23,16 @@ status=0
 t=0
 export DNSRPS_TEST_UPDATE_FILE=$(pwd)/dnsrps.cache
-DEBUG=
 ARGS=
+if grep 'dnsrps-enable yes;' dnsrps.conf >/dev/null; then
+ MODE=dnsrps
+else
+ MODE=native
+fi
-USAGE="$0: [-xS]"
-while getopts "xS:" c; do
+USAGE="$0: [-S]"
+while getopts "S:" c; do
 case $c in
- x)
- set -x
- DEBUG=-x
- ARGS="$ARGS -x"
- ;;
 S)
 SAVE_RESULTS=-S
 ARGS="$ARGS -S"
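Review bot: The new `MODE` detection `grep 'dnsrps-enable yes;' dnsrps.conf >/dev/null` matches the pattern anywhere on a line, so a commented-out `# dnsrps-enable yes;` left in dnsrps.conf would also switch the whole run into dnsrps mode, and with the `ckdnsrps.sh` path removed this grep is now the only gate. `grep -q` also reads better than the redirect: `if grep -q 'dnsrps-enable yes;' dnsrps.conf; then`. Anchoring with `^` would be the stricter form, but the wrapper added in this commit (tests_sh_rpz_dnsrps.py) currently writes all three directives on a single line, so an anchor is only safe once the writer emits one directive per line. When dnsrps.conf is absent, grep prints an error to stderr and the script falls through to `MODE=native`; setup.sh touches the file, so that is presumably only a cosmetic concern.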
@@ -136,456 +135,401 @@ add_test_marker() { done } -native=0 -dnsrps=0 -for mode in native dnsrps; do - status=0 - case $mode in - native) - if [ -e dnsrps-only ]; then - echo_i "'dnsrps-only' found: skipping native RPZ sub-test" - continue - else - echo_i "running native RPZ sub-test" - fi - ;; - dnsrps) - if [ -e dnsrps-off ]; then - echo_i "'dnsrps-off' found: skipping DNSRPS sub-test" - continue - fi - echo_i "attempting to configure servers with DNSRPS..." - stop_server --use-rndc --port ${CONTROLPORT} - $SHELL ./setup.sh -N -D $DEBUG - sed -n 's/^## //p' dnsrps.conf | cat_i - if grep '^#fail' dnsrps.conf >/dev/null; then - echo_i "exit status: 1" - exit 1 - fi - if grep '^#skip' dnsrps.conf >/dev/null; then - echo_i "DNSRPS sub-test skipped" - continue - else - echo_i "running DNSRPS sub-test" - start_server --noclean --restart --port ${PORT} - sleep 3 - fi - ;; - esac +t=$((t + 1)) +echo_i "testing that l1.l0 exists without RPZ (${t})" +add_test_marker 10.53.0.2 +$DIG $DIGOPTS l1.l0 ns @10.53.0.2 -p ${PORT} >dig.out.${t} +grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test ${t} failed" + status=1 +} - # show whether and why DNSRPS is enabled or disabled - sed -n 's/^## //p' dnsrps.conf | cat_i +t=$((t + 1)) +echo_i "testing that l2.l1.l0 returns SERVFAIL without RPZ (${t})" +add_test_marker 10.53.0.2 +$DIG $DIGOPTS l2.l1.l0 ns @10.53.0.2 -p ${PORT} >dig.out.${t} +grep "status: SERVFAIL" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test ${t} failed" + status=1 +} - t=$((t + 1)) - echo_i "testing that l1.l0 exists without RPZ (${t})" - add_test_marker 10.53.0.2 - $DIG $DIGOPTS l1.l0 ns @10.53.0.2 -p ${PORT} >dig.out.${t} - grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || { - echo_i "test ${t} failed" - status=1 - } +# Group 1 +run_server 1a +expect_norecurse 1a 1 +run_server 1b +expect_norecurse 1b 1 +expect_recurse 1b 2 +run_server 1c +expect_norecurse 1c 1 - t=$((t + 1)) - echo_i "testing that l2.l1.l0 returns SERVFAIL without RPZ 
(${t})" - add_test_marker 10.53.0.2 - $DIG $DIGOPTS l2.l1.l0 ns @10.53.0.2 -p ${PORT} >dig.out.${t} - grep "status: SERVFAIL" dig.out.${t} >/dev/null 2>&1 || { - echo_i "test ${t} failed" - status=1 - } - - # Group 1 - run_server 1a - expect_norecurse 1a 1 - run_server 1b - expect_norecurse 1b 1 - expect_recurse 1b 2 - run_server 1c - expect_norecurse 1c 1 - - # Group 2 - run_server 2a - for n in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \ - 21 22 23 24 25 26 27 28 29 30 31 32; do - expect_norecurse 2a $n - done - expect_recurse 2a 33 - - # Group 3 - run_server 3a - expect_recurse 3a 1 - run_server 3b - expect_recurse 3b 1 - run_server 3c - expect_recurse 3c 1 - run_server 3d - expect_norecurse 3d 1 - expect_recurse 3d 2 - run_server 3e - expect_norecurse 3e 1 - expect_recurse 3e 2 - run_server 3f - expect_norecurse 3f 1 - expect_recurse 3f 2 - - # Group 4 - testlist="aa ap bf" - values="1 16 32" - # Uncomment the following to test every skip value instead of - # only a sample of values - # - #testlist="aa ab ac ad ae af ag ah ai aj ak al am an ao ap \ - # aq ar as at au av aw ax ay az ba bb bc bd be bf" - #values="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \ - # 21 22 23 24 25 26 27 28 29 30 31 32" - set -- $values - for n in $testlist; do - run_server 4$n - ni=$1 - t=$((t + 1)) - echo_i "testing that ${ni} of 33 queries skip recursion (${t})" - add_test_marker 10.53.0.2 - c=0 - for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 \ - 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33; do - run_query 4$n $i || c=$((c + 1)) - done - skipped=$((33 - c)) - if [ $skipped != $ni ]; then - echo_i "test $t failed (actual=$skipped, expected=$ni)" - status=1 - fi - shift - done - - # Group 5 - run_server 5a - expect_norecurse 5a 1 - expect_norecurse 5a 2 - expect_recurse 5a 3 - expect_recurse 5a 4 - expect_recurse 5a 5 - expect_recurse 5a 6 - - # Group 6 - echo_i "check recursive behavior consistency during policy update races" - run_server 6a - sleep 1 - 
t=$((t + 1)) - echo_i "running dig to cache CNAME record (${t})" - add_test_marker 10.53.0.1 10.53.0.2 - $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME >dig.out.${t} - sleep 1 - echo_i "suspending authority server" - PID=$(cat ns1/named.pid) - kill -STOP $PID - echo_i "adding an NSDNAME policy" - cp ns2/db.6a.00.policy.local ns2/saved.policy.local - cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local - $RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i - test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true - sleep 1 - t=$((t + 1)) - echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})" - add_test_marker 10.53.0.2 - $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 >dig.out.${t} & - sleep 1 - echo_i "removing the NSDNAME policy" - cp ns2/db.6c.00.policy.local ns2/db.6a.00.policy.local - $RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i - test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true - sleep 1 - echo_i "resuming authority server" - PID=$(cat ns1/named.pid) - kill -CONT $PID - add_test_marker 10.53.0.1 - for n in 1 2 3 4 5 6 7 8 9; do - sleep 1 - [ -s dig.out.${t} ] || continue - grep "status: .*," dig.out.${t} >/dev/null 2>&1 && break - done - grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || { - echo_i "test ${t} failed" - status=1 - } - - echo_i "check recursive behavior consistency during policy removal races" - cp ns2/saved.policy.local ns2/db.6a.00.policy.local - run_server 6a - sleep 1 - t=$((t + 1)) - echo_i "running dig to cache CNAME record (${t})" - add_test_marker 10.53.0.1 10.53.0.2 - $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME >dig.out.${t} - sleep 1 - echo_i "suspending authority server" - PID=$(cat ns1/named.pid) - kill -STOP $PID - echo_i "adding an NSDNAME policy" - cp ns2/db.6b.00.policy.local 
ns2/db.6a.00.policy.local - $RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i - test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true - sleep 1 - t=$((t + 1)) - echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})" - add_test_marker 10.53.0.2 - $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 >dig.out.${t} & - sleep 1 - echo_i "removing the policy zone" - cp ns2/named.default.conf ns2/named.conf - rndc_reconfig ns2 10.53.0.2 - test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true - sleep 1 - echo_i "resuming authority server" - PID=$(cat ns1/named.pid) - kill -CONT $PID - add_test_marker 10.53.0.1 - for n in 1 2 3 4 5 6 7 8 9; do - sleep 1 - [ -s dig.out.${t} ] || continue - grep "status: .*," dig.out.${t} >/dev/null 2>&1 && break - done - grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || { - echo_i "test ${t} failed" - status=1 - } - - # Check maximum number of RPZ zones (64) - t=$((t + 1)) - echo_i "testing maximum number of RPZ zones (${t})" - add_test_marker 10.53.0.2 - run_server max - i=1 - while test $i -le 64; do - $DIG $DIGOPTS name$i a @10.53.0.2 -p ${PORT} -b 10.53.0.1 >dig.out.${t}.${i} - grep "^name$i.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.$i" dig.out.${t}.${i} >/dev/null 2>&1 || { - echo_i "test $t failed: didn't get expected answer from policy zone $i" - status=1 - } - i=$((i + 1)) - done - - # Check CLIENT-IP behavior - t=$((t + 1)) - echo_i "testing CLIENT-IP behavior (${t})" - add_test_marker 10.53.0.2 - run_server clientip - $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t} - grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || { - echo_i "test $t failed: query failed" - status=1 - } - grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.2" dig.out.${t} >/dev/null 2>&1 || { - echo_i "test $t failed: didn't get expected answer" - status=1 - } - - # Check CLIENT-IP behavior #2 - t=$((t + 1)) - echo_i 
"testing CLIENT-IP behavior #2 (${t})" - add_test_marker 10.53.0.2 - run_server clientip2 - $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.1 >dig.out.${t}.1 - grep "status: SERVFAIL" dig.out.${t}.1 >/dev/null 2>&1 || { - echo_i "test $t failed: query failed" - status=1 - } - $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >dig.out.${t}.2 - grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null 2>&1 || { - echo_i "test $t failed: query failed" - status=1 - } - $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >dig.out.${t}.3 - grep "status: NOERROR" dig.out.${t}.3 >/dev/null 2>&1 || { - echo_i "test $t failed: query failed" - status=1 - } - grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.1" dig.out.${t}.3 >/dev/null 2>&1 || { - echo_i "test $t failed: didn't get expected answer" - status=1 - } - $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}.4 - grep "status: SERVFAIL" dig.out.${t}.4 >/dev/null 2>&1 || { - echo_i "test $t failed: query failed" - status=1 - } - - # Check RPZ log clause - t=$((t + 1)) - echo_i "testing RPZ log clause (${t})" - add_test_marker 10.53.0.2 - run_server log - cur=$(awk 'BEGIN {l=0} /^/ {l++} END { print l }' ns2/named.run) - $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t} - $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >>dig.out.${t} - $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >>dig.out.${t} - sed -n "$cur,"'$p' /dev/null && { - echo_ic "failed: unexpected rewrite message for policy zone log1 was logged" - status=1 - } - sed -n "$cur,"'$p' /dev/null || { - echo_ic "failed: expected rewrite message for policy zone log2 was not logged" - status=1 - } - sed -n "$cur,"'$p' /dev/null || { - echo_ic "failed: expected rewrite message for policy zone log3 was not logged" - status=1 - } - - # Check wildcard behavior - - t=$((t + 1)) - echo_i "testing wildcard behavior with 1 RPZ zone (${t})" - add_test_marker 10.53.0.2 - run_server 
wildcard1 - $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1 - grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || { - echo_i "test ${t} failed" - status=1 - } - $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2 - grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null || { - echo_i "test ${t} failed" - status=1 - } - - t=$((t + 1)) - echo_i "testing wildcard behavior with 2 RPZ zones (${t})" - add_test_marker 10.53.0.2 - run_server wildcard2 - $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1 - grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || { - echo_i "test ${t} failed" - status=1 - } - $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2 - grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null || { - echo_i "test ${t} failed" - status=1 - } - - t=$((t + 1)) - echo_i "testing wildcard behavior with 1 RPZ zone and no non-wildcard triggers (${t})" - add_test_marker 10.53.0.2 - run_server wildcard3 - $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1 - grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || { - echo_i "test ${t} failed" - status=1 - } - $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2 - grep "status: NOERROR" dig.out.${t}.2 >/dev/null || { - echo_i "test ${t} failed" - status=1 - } - - t=$((t + 1)) - echo_i "testing wildcard passthru before explicit drop (${t})" - add_test_marker 10.53.0.2 - run_server wildcard4 - $DIG $DIGOPTS example.com a @10.53.0.2 -p ${PORT} >dig.out.${t}.1 - grep "status: NOERROR" dig.out.${t}.1 >/dev/null || { - echo_i "test ${t} failed" - status=1 - } - $DIG $DIGOPTS www.example.com a @10.53.0.2 -p ${PORT} >dig.out.${t}.2 - grep "status: NOERROR" dig.out.${t}.2 >/dev/null || { - echo_i "test ${t} failed" - status=1 - } - - if [ "$mode" = "native" ]; then - # Check for invalid prefix length error - t=$((t + 1)) - echo_i "testing for invalid prefix length error (${t})" - add_test_marker 
10.53.0.2 - run_server invalidprefixlength - grep "invalid rpz IP address \"1000.4.0.53.10.rpz-client-ip.invalidprefixlength\"; invalid prefix length of 1000$" ns2/named.run >/dev/null || { - echo_ic "failed: expected that invalid prefix length error would be logged" - status=1 - } - fi - - if [ "$mode" = "native" ]; then - t=$((t + 1)) - echo_i "checking 'nsip-wait-recurse no' is faster than 'nsip-wait-recurse yes' ($t)" - add_test_marker 10.53.0.2 10.53.0.3 - echo_i "timing 'nsip-wait-recurse yes' (default)" - produce_librpz_rules ns3 policy policy - ret=0 - t1=$($PERL -e 'print time()."\n";') - $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.yes.$t - t2=$($PERL -e 'print time()."\n";') - p1=$((t2 - t1)) - echo_i "elapsed time $p1 seconds" - - $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush - copy_setports ns3/named2.conf.in ns3/named.conf - nextpart ns3/named.run >/dev/null - $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null - wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1 - - echo_i "timing 'nsip-wait-recurse no'" - echo "update zone policy 0 no_nsip_wait_recurse" >$DNSRPS_TEST_UPDATE_FILE - t3=$($PERL -e 'print time()."\n";') - $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.no.$t - t4=$($PERL -e 'print time()."\n";') - p2=$((t4 - t3)) - echo_i "elapsed time $p2 seconds" - - if test $p1 -le $p2; then ret=1; fi - if test $ret != 0; then echo_i "failed"; fi - status=$((status + ret)) - - $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush - # restore original named.conf - copy_setports ns3/named1.conf.in ns3/named.conf - nextpart ns3/named.run >/dev/null - $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null - wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1 - - t=$((t + 1)) - echo_i "checking 'nsdname-wait-recurse no' is faster than 'nsdname-wait-recurse yes' ($t)" - add_test_marker 10.53.0.2 10.53.0.3 - echo_i 
"timing 'nsdname-wait-recurse yes' (default)" - ret=0 - t1=$($PERL -e 'print time()."\n";') - $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.yes.$t - t2=$($PERL -e 'print time()."\n";') - p1=$((t2 - t1)) - echo_i "elapsed time $p1 seconds" - - $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush - copy_setports ns3/named3.conf.in ns3/named.conf - nextpart ns3/named.run >/dev/null - $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null - wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1 - - echo_i "timing 'nsdname-wait-recurse no'" - t3=$($PERL -e 'print time()."\n";') - $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.no.$t - t4=$($PERL -e 'print time()."\n";') - p2=$((t4 - t3)) - echo_i "elapsed time $p2 seconds" - - if test $p1 -le $p2; then ret=1; fi - if test $ret != 0; then echo_i "failed"; fi - status=$((status + ret)) - fi - - [ $status -ne 0 ] && pf=fail || pf=pass - case $mode in - native) - native=$status - echo_i "status (native RPZ sub-test): $status ($pf)" - ;; - dnsrps) - dnsrps=$status - echo_i "status (DNSRPS sub-test): $status ($pf)" - ;; - *) echo_i "invalid test mode" ;; - esac +# Group 2 +run_server 2a +for n in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \ + 21 22 23 24 25 26 27 28 29 30 31 32; do + expect_norecurse 2a $n done -status=$((native + dnsrps)) +expect_recurse 2a 33 + +# Group 3 +run_server 3a +expect_recurse 3a 1 +run_server 3b +expect_recurse 3b 1 +run_server 3c +expect_recurse 3c 1 +run_server 3d +expect_norecurse 3d 1 +expect_recurse 3d 2 +run_server 3e +expect_norecurse 3e 1 +expect_recurse 3e 2 +run_server 3f +expect_norecurse 3f 1 +expect_recurse 3f 2 + +# Group 4 +testlist="aa ap bf" +values="1 16 32" +# Uncomment the following to test every skip value instead of +# only a sample of values +# +#testlist="aa ab ac ad ae af ag ah ai aj ak al am an ao ap \ +# aq ar as at au av aw ax ay az ba bb bc bd be bf" +#values="1 2 3 4 5 6 7 8 9 10 11 12 
13 14 15 16 17 18 19 20 \ +# 21 22 23 24 25 26 27 28 29 30 31 32" +set -- $values +for n in $testlist; do + run_server 4$n + ni=$1 + t=$((t + 1)) + echo_i "testing that ${ni} of 33 queries skip recursion (${t})" + add_test_marker 10.53.0.2 + c=0 + for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 \ + 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33; do + run_query 4$n $i || c=$((c + 1)) + done + skipped=$((33 - c)) + if [ $skipped != $ni ]; then + echo_i "test $t failed (actual=$skipped, expected=$ni)" + status=1 + fi + shift +done + +# Group 5 +run_server 5a +expect_norecurse 5a 1 +expect_norecurse 5a 2 +expect_recurse 5a 3 +expect_recurse 5a 4 +expect_recurse 5a 5 +expect_recurse 5a 6 + +# Group 6 +echo_i "check recursive behavior consistency during policy update races" +run_server 6a +sleep 1 +t=$((t + 1)) +echo_i "running dig to cache CNAME record (${t})" +add_test_marker 10.53.0.1 10.53.0.2 +$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME >dig.out.${t} +sleep 1 +echo_i "suspending authority server" +PID=$(cat ns1/named.pid) +kill -STOP $PID +echo_i "adding an NSDNAME policy" +cp ns2/db.6a.00.policy.local ns2/saved.policy.local +cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local +$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i +test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true +sleep 1 +t=$((t + 1)) +echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})" +add_test_marker 10.53.0.2 +$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 >dig.out.${t} & +sleep 1 +echo_i "removing the NSDNAME policy" +cp ns2/db.6c.00.policy.local ns2/db.6a.00.policy.local +$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i +test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true +sleep 1 +echo_i "resuming authority server" +PID=$(cat ns1/named.pid) +kill -CONT $PID 
+add_test_marker 10.53.0.1 +for n in 1 2 3 4 5 6 7 8 9; do + sleep 1 + [ -s dig.out.${t} ] || continue + grep "status: .*," dig.out.${t} >/dev/null 2>&1 && break +done +grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test ${t} failed" + status=1 +} + +echo_i "check recursive behavior consistency during policy removal races" +cp ns2/saved.policy.local ns2/db.6a.00.policy.local +run_server 6a +sleep 1 +t=$((t + 1)) +echo_i "running dig to cache CNAME record (${t})" +add_test_marker 10.53.0.1 10.53.0.2 +$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME >dig.out.${t} +sleep 1 +echo_i "suspending authority server" +PID=$(cat ns1/named.pid) +kill -STOP $PID +echo_i "adding an NSDNAME policy" +cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local +$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i +test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true +sleep 1 +t=$((t + 1)) +echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})" +add_test_marker 10.53.0.2 +$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 >dig.out.${t} & +sleep 1 +echo_i "removing the policy zone" +cp ns2/named.default.conf ns2/named.conf +rndc_reconfig ns2 10.53.0.2 +test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true +sleep 1 +echo_i "resuming authority server" +PID=$(cat ns1/named.pid) +kill -CONT $PID +add_test_marker 10.53.0.1 +for n in 1 2 3 4 5 6 7 8 9; do + sleep 1 + [ -s dig.out.${t} ] || continue + grep "status: .*," dig.out.${t} >/dev/null 2>&1 && break +done +grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test ${t} failed" + status=1 +} + +# Check maximum number of RPZ zones (64) +t=$((t + 1)) +echo_i "testing maximum number of RPZ zones (${t})" +add_test_marker 10.53.0.2 +run_server max +i=1 +while test $i -le 64; do + $DIG $DIGOPTS name$i a @10.53.0.2 -p ${PORT} -b 10.53.0.1 >dig.out.${t}.${i} + grep "^name$i.[ 
]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.$i" dig.out.${t}.${i} >/dev/null 2>&1 || { + echo_i "test $t failed: didn't get expected answer from policy zone $i" + status=1 + } + i=$((i + 1)) +done + +# Check CLIENT-IP behavior +t=$((t + 1)) +echo_i "testing CLIENT-IP behavior (${t})" +add_test_marker 10.53.0.2 +run_server clientip +$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t} +grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed: query failed" + status=1 +} +grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.2" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed: didn't get expected answer" + status=1 +} + +# Check CLIENT-IP behavior #2 +t=$((t + 1)) +echo_i "testing CLIENT-IP behavior #2 (${t})" +add_test_marker 10.53.0.2 +run_server clientip2 +$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.1 >dig.out.${t}.1 +grep "status: SERVFAIL" dig.out.${t}.1 >/dev/null 2>&1 || { + echo_i "test $t failed: query failed" + status=1 +} +$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >dig.out.${t}.2 +grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null 2>&1 || { + echo_i "test $t failed: query failed" + status=1 +} +$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >dig.out.${t}.3 +grep "status: NOERROR" dig.out.${t}.3 >/dev/null 2>&1 || { + echo_i "test $t failed: query failed" + status=1 +} +grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.1" dig.out.${t}.3 >/dev/null 2>&1 || { + echo_i "test $t failed: didn't get expected answer" + status=1 +} +$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}.4 +grep "status: SERVFAIL" dig.out.${t}.4 >/dev/null 2>&1 || { + echo_i "test $t failed: query failed" + status=1 +} + +# Check RPZ log clause +t=$((t + 1)) +echo_i "testing RPZ log clause (${t})" +add_test_marker 10.53.0.2 +run_server log +cur=$(awk 'BEGIN {l=0} /^/ {l++} END { print l }' ns2/named.run) +$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t} +$DIG 
$DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >>dig.out.${t} +$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >>dig.out.${t} +sed -n "$cur,"'$p' /dev/null && { + echo_ic "failed: unexpected rewrite message for policy zone log1 was logged" + status=1 +} +sed -n "$cur,"'$p' /dev/null || { + echo_ic "failed: expected rewrite message for policy zone log2 was not logged" + status=1 +} +sed -n "$cur,"'$p' /dev/null || { + echo_ic "failed: expected rewrite message for policy zone log3 was not logged" + status=1 +} + +# Check wildcard behavior + +t=$((t + 1)) +echo_i "testing wildcard behavior with 1 RPZ zone (${t})" +add_test_marker 10.53.0.2 +run_server wildcard1 +$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1 +grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || { + echo_i "test ${t} failed" + status=1 +} +$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2 +grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null || { + echo_i "test ${t} failed" + status=1 +} + +t=$((t + 1)) +echo_i "testing wildcard behavior with 2 RPZ zones (${t})" +add_test_marker 10.53.0.2 +run_server wildcard2 +$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1 +grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || { + echo_i "test ${t} failed" + status=1 +} +$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2 +grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null || { + echo_i "test ${t} failed" + status=1 +} + +t=$((t + 1)) +echo_i "testing wildcard behavior with 1 RPZ zone and no non-wildcard triggers (${t})" +add_test_marker 10.53.0.2 +run_server wildcard3 +$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1 +grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || { + echo_i "test ${t} failed" + status=1 +} +$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2 +grep "status: NOERROR" dig.out.${t}.2 >/dev/null || { + echo_i "test ${t} failed" + status=1 
+} + +t=$((t + 1)) +echo_i "testing wildcard passthru before explicit drop (${t})" +add_test_marker 10.53.0.2 +run_server wildcard4 +$DIG $DIGOPTS example.com a @10.53.0.2 -p ${PORT} >dig.out.${t}.1 +grep "status: NOERROR" dig.out.${t}.1 >/dev/null || { + echo_i "test ${t} failed" + status=1 +} +$DIG $DIGOPTS www.example.com a @10.53.0.2 -p ${PORT} >dig.out.${t}.2 +grep "status: NOERROR" dig.out.${t}.2 >/dev/null || { + echo_i "test ${t} failed" + status=1 +} + +if [ "$MODE" = "native" ]; then + # Check for invalid prefix length error + t=$((t + 1)) + echo_i "testing for invalid prefix length error (${t})" + add_test_marker 10.53.0.2 + run_server invalidprefixlength + grep "invalid rpz IP address \"1000.4.0.53.10.rpz-client-ip.invalidprefixlength\"; invalid prefix length of 1000$" ns2/named.run >/dev/null || { + echo_ic "failed: expected that invalid prefix length error would be logged" + status=1 + } +fi + +if [ "$MODE" = "native" ]; then + t=$((t + 1)) + echo_i "checking 'nsip-wait-recurse no' is faster than 'nsip-wait-recurse yes' ($t)" + add_test_marker 10.53.0.2 10.53.0.3 + echo_i "timing 'nsip-wait-recurse yes' (default)" + produce_librpz_rules ns3 policy policy + ret=0 + t1=$($PERL -e 'print time()."\n";') + $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.yes.$t + t2=$($PERL -e 'print time()."\n";') + p1=$((t2 - t1)) + echo_i "elapsed time $p1 seconds" + + $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush + copy_setports ns3/named2.conf.in ns3/named.conf + nextpart ns3/named.run >/dev/null + $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null + wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1 + + echo_i "timing 'nsip-wait-recurse no'" + echo "update zone policy 0 no_nsip_wait_recurse" >$DNSRPS_TEST_UPDATE_FILE + t3=$($PERL -e 'print time()."\n";') + $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.no.$t + t4=$($PERL -e 'print time()."\n";') + p2=$((t4 - t3)) + echo_i "elapsed 
time $p2 seconds"
+
+ if test $p1 -le $p2; then ret=1; fi
+ if test $ret != 0; then echo_i "failed"; fi
+ status=$((status + ret))
+
+ $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
+ # restore original named.conf
+ copy_setports ns3/named1.conf.in ns3/named.conf
+ nextpart ns3/named.run >/dev/null
+ $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
+ wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
+
+ t=$((t + 1))
+ echo_i "checking 'nsdname-wait-recurse no' is faster than 'nsdname-wait-recurse yes' ($t)"
+ add_test_marker 10.53.0.2 10.53.0.3
+ echo_i "timing 'nsdname-wait-recurse yes' (default)"
+ ret=0
+ t1=$($PERL -e 'print time()."\n";')
+ $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.yes.$t
+ t2=$($PERL -e 'print time()."\n";')
+ p1=$((t2 - t1))
+ echo_i "elapsed time $p1 seconds"
+
+ $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
+ copy_setports ns3/named3.conf.in ns3/named.conf
+ nextpart ns3/named.run >/dev/null
+ $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
+ wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
+
+ echo_i "timing 'nsdname-wait-recurse no'"
+ t3=$($PERL -e 'print time()."\n";')
+ $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.no.$t
+ t4=$($PERL -e 'print time()."\n";')
+ p2=$((t4 - t3))
+ echo_i "elapsed time $p2 seconds"
+
+ if test $p1 -le $p2; then ret=1; fi
+ if test $ret != 0; then echo_i "failed"; fi
+ status=$((status + ret))
+fi
 [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/rpzrecurse/tests_sh_rpzrecurse_dnsrps.py b/bin/tests/system/rpzrecurse/tests_sh_rpzrecurse_dnsrps.py
new file mode 100644
index 0000000000..22f1ea2e12
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/tests_sh_rpzrecurse_dnsrps.py
@@ -0,0 +1,26 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import isctest.mark
+
+pytestmark = isctest.mark.dnsrps_enabled
+
+
+def test_rpzrecurse_dnsrps(run_tests_sh):
+ with open("dnsrps.conf", "w", encoding="utf-8") as conf:
+ conf.writelines(
+ [
+ "dnsrps-options { log-level 3 };"
+ "dnsrps-enable yes;"
+ 'dnsrps-library "../../rpz/testlib/.libs/libdummyrpz.so";'
+ ]
+ )
+ run_tests_sh()
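Review bot: The three string literals inside the `conf.writelines([...])` list are not separated by commas, so Python concatenates them into a single element and dnsrps.conf is written as one line with no trailing newline: `dnsrps-options { log-level 3 };dnsrps-enable yes;dnsrps-library "../../rpz/testlib/.libs/libdummyrpz.so";`. named's config parser presumably accepts that, but the list shape suggests one directive per line was intended; if so, add the commas and newlines: `"dnsrps-options { log-level 3 };\n",` / `"dnsrps-enable yes;\n",` / `'dnsrps-library "../../rpz/testlib/.libs/libdummyrpz.so";\n',`. Both `dnsrps.conf` and the dummy library path are relative, so the test depends on the `run_tests_sh` fixture having changed into the rpzrecurse system-test directory before this function body runs; a one-line comment such as `# cwd is the rpzrecurse test directory (set up by the run_tests_sh fixture)` would make that dependency explicit.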