diff --git a/bin/tests/system/catz/tests.sh b/bin/tests/system/catz/tests.sh index b81b9582e8..44821209ed 100644 --- a/bin/tests/system/catz/tests.sh +++ b/bin/tests/system/catz/tests.sh @@ -2679,6 +2679,102 @@ wait_for_soa @10.53.0.4 tls1.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) +########################################################################## +# GL #5801 + +nextpart ns4/named.run >/dev/null + +n=$((n + 1)) +echo_i "Add empty APL allow-query to catalog-misc zone using nsupdate ($n)" +ret=0 +# Using "\# 0" form as a workaround for nsupdate not parsing zero length rdata +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add allow-query.ext.catalog-misc.example. 3600 IN APL \# 0 + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns4/named.run "catz: catalog-misc.example: reload done: success" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "Adding a domain check-allow-query.example. to primary via RNDC ($n)" +ret=0 +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/check-allow-query.example.db +echo "@ 3600 IN NS invalid." >>ns1/check-allow-query.example.db +rndccmd 10.53.0.1 addzone check-allow-query.example. in default '{ type primary; file "check-allow-query.example.db"; allow-transfer { any; }; allow-update { any; }; notify explicit; also-notify { 10.53.0.4; }; };' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that check-allow-query.example. is now served by primary ($n)" +ret=0 +wait_for_soa @10.53.0.1 check-allow-query.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +nextpart ns4/named.run >/dev/null + +n=$((n + 1)) +echo_i "Adding domain check-allow-query.example. to catalog-misc zone ($n)" +ret=0 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add check-allow-query.zones.catalog-misc.example. 3600 IN PTR check-allow-query.example. + update add primaries.ext.check-allow-query.zones.catalog-misc.example. 3600 IN A 10.53.0.1 + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns4/named.run "catz: adding zone 'check-allow-query.example' from catalog 'catalog-misc.example'" \ + && wait_for_message ns4/named.run "transfer of 'check-allow-query.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that check-allow-query.example. is not served by secondary ($n)" +ret=0 +wait_for_soa @10.53.0.4 check-allow-query.example. dig.out.test$n && ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +nextpart ns4/named.run >/dev/null + +n=$((n + 1)) +echo_i "Deleting empty allow-query property from catalog-misc zone ($n)" +ret=0 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update delete allow-query.ext.catalog-misc.example. 3600 IN APL + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns4/named.run "catz: catalog-misc.example: reload done: success" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that check-allow-query.example. is now served by secondary ($n)" +ret=0 +wait_for_soa @10.53.0.4 check-allow-query.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + ########################################################################## # GL #5658 diff --git a/bin/tests/system/catz/tests_sh_catz.py b/bin/tests/system/catz/tests_sh_catz.py index 060e45fc0f..4b68e2f65e 100644 --- a/bin/tests/system/catz/tests_sh_catz.py +++ b/bin/tests/system/catz/tests_sh_catz.py @@ -21,6 +21,7 @@ pytestmark = pytest.mark.extra_artifacts( "ns*/*.nzd*", "ns*/catalog*.example.db", "ns*/*dom*.example.db", + "ns1/check-allow-query.example.db", "ns1/longlong.longlong.long.long.name.example.db", "ns1/tls1.example.db", "ns2/__catz__*.db", diff --git a/lib/dns/rdata/in_1/apl_42.c b/lib/dns/rdata/in_1/apl_42.c index 67c021062b..ba0d3d041b 100644 --- a/lib/dns/rdata/in_1/apl_42.c +++ b/lib/dns/rdata/in_1/apl_42.c @@ -327,10 +327,12 @@ dns_rdata_apl_first(dns_rdata_in_apl_t *apl) { /* * If no APL return ISC_R_NOMORE. */ - if (apl->apl == NULL) { + if (apl->apl == NULL || apl->apl_len == 0) { return ISC_R_NOMORE; } + apl->offset = 0; + /* * Sanity check data. */ @@ -338,7 +340,6 @@ dns_rdata_apl_first(dns_rdata_in_apl_t *apl) { length = apl->apl[apl->offset + 3] & 0x7f; INSIST(4 + length <= apl->apl_len); - apl->offset = 0; return ISC_R_SUCCESS; } diff --git a/tests/dns/rdata_test.c b/tests/dns/rdata_test.c index ab6b2a974c..6dd6e0c0da 100644 --- a/tests/dns/rdata_test.c +++ b/tests/dns/rdata_test.c @@ -257,7 +257,6 @@ check_struct_conversions(dns_rdata_t *rdata, size_t structsize, isc_buffer_t target; void *rdata_struct; char buf[1024]; - unsigned int count = 0; rdata_struct = isc_mem_allocate(mctx, structsize); assert_non_null(rdata_struct); @@ -289,53 +288,82 @@ check_struct_conversions(dns_rdata_t *rdata, size_t structsize, * https/svcb parameters. */ switch (type) { + case dns_rdatatype_apl: { + dns_rdata_in_apl_t *apl = rdata_struct; + + for (size_t pass = 1; pass < 3; pass++) { + unsigned int count = 0; + for (result = dns_rdata_apl_first(apl); + result == ISC_R_SUCCESS; + result = dns_rdata_apl_next(apl)) + { + dns_rdata_apl_ent_t apl_ent; + dns_rdata_apl_current(apl, &apl_ent); + count++; + } + assert_int_equal(result, ISC_R_NOMORE); + assert_int_equal(count, loop); + } + break; + } case dns_rdatatype_hip: { dns_rdata_hip_t *hip = rdata_struct; - for (result = dns_rdata_hip_first(hip); result == ISC_R_SUCCESS; - result = dns_rdata_hip_next(hip)) - { - dns_name_t name; - dns_name_init(&name, NULL); - dns_rdata_hip_current(hip, &name); - assert_int_not_equal(dns_name_countlabels(&name), 0); - assert_true(dns_name_isabsolute(&name)); - count++; + for (size_t pass = 1; pass < 3; pass++) { + unsigned int count = 0; + for (result = dns_rdata_hip_first(hip); + result == ISC_R_SUCCESS; + result = dns_rdata_hip_next(hip)) + { + dns_name_t name; + dns_name_init(&name, NULL); + dns_rdata_hip_current(hip, &name); + assert_int_not_equal( + dns_name_countlabels(&name), 0); + assert_true(dns_name_isabsolute(&name)); + count++; + } + assert_int_equal(result, ISC_R_NOMORE); + assert_int_equal(count, loop); } - assert_int_equal(result, ISC_R_NOMORE); - assert_int_equal(count, loop); break; } case dns_rdatatype_https: { dns_rdata_in_https_t *https = rdata_struct; - for (result = dns_rdata_in_https_first(https); - result == ISC_R_SUCCESS; - result = dns_rdata_in_https_next(https)) - { - isc_region_t region; - dns_rdata_in_https_current(https, ®ion); - assert_true(region.length >= 4); - count++; + for (size_t pass = 1; pass < 3; pass++) { + unsigned int count = 0; + for (result = dns_rdata_in_https_first(https); + result == ISC_R_SUCCESS; + result = dns_rdata_in_https_next(https)) + { + isc_region_t region; + dns_rdata_in_https_current(https, ®ion); + assert_true(region.length >= 4); + count++; + } + assert_int_equal(result, ISC_R_NOMORE); + assert_int_equal(count, loop); } - assert_int_equal(result, ISC_R_NOMORE); - assert_int_equal(count, loop); break; } case dns_rdatatype_svcb: { dns_rdata_in_svcb_t *svcb = rdata_struct; - for (result = dns_rdata_in_svcb_first(svcb); - result == ISC_R_SUCCESS; - result = dns_rdata_in_svcb_next(svcb)) - { - isc_region_t region; - dns_rdata_in_svcb_current(svcb, ®ion); - assert_true(region.length >= 4); - count++; + for (size_t pass = 1; pass < 3; pass++) { + unsigned int count = 0; + for (result = dns_rdata_in_svcb_first(svcb); + result == ISC_R_SUCCESS; + result = dns_rdata_in_svcb_next(svcb)) + { + isc_region_t region; + dns_rdata_in_svcb_current(svcb, ®ion); + assert_true(region.length >= 4); + count++; + } + assert_int_equal(result, ISC_R_NOMORE); + assert_int_equal(count, loop); } - assert_int_equal(result, ISC_R_NOMORE); - assert_int_equal(count, loop); break; } } @@ -874,23 +902,26 @@ key_required(void **state, dns_rdatatype_t type, size_t size) { ISC_RUN_TEST_IMPL(apl) { text_ok_t text_ok[] = { /* empty list */ - TEXT_VALID(""), + TEXT_VALID_LOOP(0, ""), /* min,max prefix IPv4 */ - TEXT_VALID("1:0.0.0.0/0"), TEXT_VALID("1:127.0.0.1/32"), + TEXT_VALID_LOOP(1, "1:0.0.0.0/0"), + TEXT_VALID_LOOP(1, "1:127.0.0.1/32"), /* min,max prefix IPv6 */ - TEXT_VALID("2:::/0"), TEXT_VALID("2:::1/128"), + TEXT_VALID_LOOP(1, "2:::/0"), TEXT_VALID_LOOP(1, "2:::1/128"), /* negated */ - TEXT_VALID("!1:0.0.0.0/0"), TEXT_VALID("!1:127.0.0.1/32"), - TEXT_VALID("!2:::/0"), TEXT_VALID("!2:::1/128"), + TEXT_VALID_LOOP(1, "!1:0.0.0.0/0"), + TEXT_VALID_LOOP(1, "!1:127.0.0.1/32"), + TEXT_VALID_LOOP(1, "!2:::/0"), TEXT_VALID_LOOP(1, "!2:::1/128"), /* bits set after prefix length - not disallowed */ - TEXT_VALID("1:127.0.0.0/0"), TEXT_VALID("2:8000::/0"), + TEXT_VALID_LOOP(1, "1:127.0.0.0/0"), + TEXT_VALID_LOOP(1, "2:8000::/0"), /* multiple */ - TEXT_VALID("1:0.0.0.0/0 1:127.0.0.1/32"), - TEXT_VALID("1:0.0.0.0/0 !1:127.0.0.1/32"), + TEXT_VALID_LOOP(2, "1:0.0.0.0/0 1:127.0.0.1/32"), + TEXT_VALID_LOOP(2, "1:0.0.0.0/0 !1:127.0.0.1/32"), /* family 0, prefix 0, positive */ - TEXT_VALID("\\# 4 00000000"), + TEXT_VALID_LOOP(1, "\\# 4 00000000"), /* family 0, prefix 0, negative */ - TEXT_VALID("\\# 4 00000080"), + TEXT_VALID_LOOP(1, "\\# 4 00000080"), /* prefix too long */ TEXT_INVALID("1:0.0.0.0/33"), TEXT_INVALID("2:::/129"), /*