Diffstat (limited to 'bin/tests/system/rpz')
| -rw-r--r-- | bin/tests/system/rpz/clean.sh | 8 | ||||
| -rw-r--r-- | bin/tests/system/rpz/ns1/root.db | 15 | ||||
| -rw-r--r-- | bin/tests/system/rpz/ns2/hints | 7 | ||||
| -rw-r--r-- | bin/tests/system/rpz/ns2/named.conf | 13 | ||||
| -rw-r--r-- | bin/tests/system/rpz/ns2/tld2.db | 84 | ||||
| -rw-r--r-- | bin/tests/system/rpz/ns3/base.db | 13 | ||||
| -rw-r--r-- | bin/tests/system/rpz/ns3/crash1 | 22 | ||||
| -rw-r--r-- | bin/tests/system/rpz/ns3/hints | 7 | ||||
| -rw-r--r-- | bin/tests/system/rpz/ns3/named.conf | 74 | ||||
| -rw-r--r-- | bin/tests/system/rpz/ns4/hints | 18 | ||||
| -rw-r--r-- | bin/tests/system/rpz/ns4/named.conf | 39 | ||||
| -rw-r--r-- | bin/tests/system/rpz/ns4/tld4.db | 73 | ||||
| -rw-r--r-- | bin/tests/system/rpz/setup.sh | 7 | ||||
| -rw-r--r-- | bin/tests/system/rpz/test1 | 61 | ||||
| -rw-r--r-- | bin/tests/system/rpz/test2 | 39 | ||||
| -rw-r--r-- | bin/tests/system/rpz/test3 | 28 | ||||
| -rw-r--r-- | bin/tests/system/rpz/test4 | 19 | ||||
| -rw-r--r-- | bin/tests/system/rpz/test5 | 37 | ||||
| -rw-r--r-- | bin/tests/system/rpz/tests.sh | 380 |
19 files changed, 671 insertions, 273 deletions
diff --git a/bin/tests/system/rpz/clean.sh b/bin/tests/system/rpz/clean.sh index 45080b7b..2008de1c 100644 --- a/bin/tests/system/rpz/clean.sh +++ b/bin/tests/system/rpz/clean.sh @@ -12,11 +12,11 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: clean.sh,v 1.3 2011-01-13 04:59:24 tbox Exp $ +# $Id: clean.sh,v 1.4 2011-10-13 01:32:32 vjs Exp $ # Clean up after rpz tests. -rm -f dig.out* nsupdate.tmp -rm -f */named.memstats */named.run */session.key -rm -f ns3/bl*.db */*.jnl +rm -f proto.* dig.out* nsupdate.tmp +rm -f */named.memstats */named.run */named.rpz */session.key +rm -f ns3/bl*.db */*.jnl */*.core */*.pid diff --git a/bin/tests/system/rpz/ns1/root.db b/bin/tests/system/rpz/ns1/root.db index f27372b6..aa209311 100644 --- a/bin/tests/system/rpz/ns1/root.db +++ b/bin/tests/system/rpz/ns1/root.db @@ -12,17 +12,24 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: root.db,v 1.3 2011-01-13 04:59:24 tbox Exp $ +; $Id: root.db,v 1.4 2011-10-13 01:32:33 vjs Exp $ $TTL 120 -@ SOA s1. hostmaster.ns.s1. ( 1 3600 1200 604800 60 ) -@ NS s1 -s1. A 10.53.0.1 +@ SOA ns. hostmaster.ns. ( 1 3600 1200 604800 60 ) +@ NS ns. +ns. A 10.53.0.1 +. A 10.53.0.1 ; rewrite responses from this zone tld2. NS ns.tld2. ns.tld2. A 10.53.0.2 +ns2.tld2. A 10.53.0.2 ; requests come from here tld3. NS ns.tld3. ns.tld3. A 10.53.0.3 + +; rewrite responses from this zone +tld4. NS ns.tld4. +ns.tld4. A 10.53.0.4 +ns2.tld4. A 10.53.0.4 diff --git a/bin/tests/system/rpz/ns2/hints b/bin/tests/system/rpz/ns2/hints index 69ab18ca..2218602b 100644 --- a/bin/tests/system/rpz/ns2/hints +++ b/bin/tests/system/rpz/ns2/hints 
@@ -12,7 +12,8 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: hints,v 1.3 2011-01-13 04:59:25 tbox Exp $ +; $Id: hints,v 1.4 2011-10-13 01:32:33 vjs Exp $ -. 0 NS s1. -s1. 0 A 10.53.0.1 + +. 0 NS ns1. +ns1. 0 A 10.53.0.1 diff --git a/bin/tests/system/rpz/ns2/named.conf b/bin/tests/system/rpz/ns2/named.conf index f7e4e1b2..bed5187f 100644 --- a/bin/tests/system/rpz/ns2/named.conf +++ b/bin/tests/system/rpz/ns2/named.conf @@ -14,7 +14,8 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.3 2011-01-13 04:59:25 tbox Exp $ */ +/* $Id: named.conf,v 1.4 2011-10-13 01:32:33 vjs Exp $ */ + controls { /* empty */ }; @@ -32,6 +33,10 @@ options { zone "." { type hint; file "hints"; }; -zone "tld2." {type master; file "tld2.db";}; -zone "sub1.tld2." {type master; file "tld2.db";}; -zone "sub2.sub1.tld2." {type master; file "tld2.db";}; +zone "tld2." {type master; file "tld2.db";}; +zone "sub1.tld2." {type master; file "tld2.db";}; +zone "subsub.sub1.tld2." {type master; file "tld2.db";}; +zone "sub2.tld2." {type master; file "tld2.db";}; +zone "subsub.sub2.tld2." {type master; file "tld2.db";}; +zone "sub3.tld2." {type master; file "tld2.db";}; +zone "subsub.sub3.tld2." {type master; file "tld2.db";}; diff --git a/bin/tests/system/rpz/ns2/tld2.db b/bin/tests/system/rpz/ns2/tld2.db index 22e6f5f1..2723425c 100644 --- a/bin/tests/system/rpz/ns2/tld2.db +++ b/bin/tests/system/rpz/ns2/tld2.db 
@@ -12,46 +12,106 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: tld2.db,v 1.3 2011-01-13 04:59:25 tbox Exp $ +; $Id: tld2.db,v 1.4 2011-10-13 01:32:33 vjs Exp $ + ; RPZ rewrite responses from this zone $TTL 120 @ SOA tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 ) - NS @ - A 10.53.0.2 + NS ns + NS ns2 + NS . ; check for RT 24985 +ns A 10.53.0.2 +ns2 A 10.53.0.2 + + +txt-only TXT "txt-only-tld2" -nodata TXT "nodata" a12 A 12.12.12.12 + AAAA 2001::12 + TXT "a12 tld2 text" +a12-cname CNAME a12 a0-1 A 192.168.0.1 AAAA 2001:2::1 - TXT "a0-1 text" + TXT "a0-1 tld2 text" a3-1 A 192.168.3.1 AAAA 2001:2:3::1 - TXT "a3-1 text" + TXT "a3-1 tld2 text" a3-2 A 192.168.3.2 AAAA 2001:2:3::2 - TXT "a3-2 text" + TXT "a3-2 tld2 text" + +a3-3 A 192.168.3.3 + AAAA 2001:2:3::3 + TXT "a3-3 tld2 text" + +a3-4 A 192.168.3.4 + AAAA 2001:2:3::4 + TXT "a3-4 tld2 text" + +a3-5 A 192.168.3.5 + AAAA 2001:2:3::5 + TXT "a3-5 tld2 text" + +a3-6 A 192.168.3.6 + AAAA 2001:2:3::6 + TXT "a3-6 tld2 text" + +a3-7 A 192.168.3.7 + AAAA 2001:2:3::7 + TXT "a3-7 tld2 text" + +a3-8 A 192.168.3.8 + AAAA 2001:2:3::8 + TXT "a3-8 tld2 text" + +a3-9 A 192.168.3.9 + AAAA 2001:2:3::9 + TXT "a3-9 tld2 text" a4-1 A 192.168.4.1 AAAA 2001:2:4::1 - TXT "a4-1 text" + TXT "a4-1 tld2 text" a4-1-aaaa AAAA 2001:2:4::1 a4-2 A 192.168.4.2 AAAA 2001:2:4::2 - TXT "a4-2 text" + TXT "a4-2 tld2 text" +a4-2-cname CNAME a4-2 a4-3 A 192.168.4.3 AAAA 2001:2:4::3 - TXT "a4-3 text" + TXT "a4-3 tld2 text" +a4-3-cname CNAME a4-3 a4-4 A 192.168.4.4 AAAA 2001:2:4::4 - TXT "a4-4 text" + TXT "a4-4 tld2 text" + +a4-5 A 192.168.4.5 + AAAA 2001:2:4::5 + TXT "a4-5 tld2 text" +a4-5-cname CNAME a4-5 +a4-5-cname2 CNAME a4-5-cname +a4-5-cname3 CNAME a4-5-cname2 + +a4-6 A 192.168.4.6 + AAAA 2001:2:4::6 + TXT "a4-6 tld2 text" +a4-6-cname CNAME a4-6 +a4-6-cname2 CNAME a4-6-cname +a4-6-cname3 CNAME a4-6-cname2 + +a5-1-2 A 192.168.5.1 + A 192.168.5.2 + TXT "a5-1-2 tld2 text" -a4-5 
CNAME a12 +a5-3 A 192.168.5.3 + TXT "a5-3 tld2 text" +a5-4 A 192.168.5.4 + TXT "a5-4 tld2 text" diff --git a/bin/tests/system/rpz/ns3/base.db b/bin/tests/system/rpz/ns3/base.db index 0b3b176e..7ceff0d8 100644 --- a/bin/tests/system/rpz/ns3/base.db +++ b/bin/tests/system/rpz/ns3/base.db @@ -12,13 +12,15 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: base.db,v 1.5 2011-06-09 00:42:50 marka Exp $ +; $Id: base.db,v 1.6 2011-10-13 01:32:33 vjs Exp $ + ; RPZ test $TTL 120 -@ SOA tld3. hostmaster.ns.tld3. ( 1 3600 1200 604800 60 ) -@ NS ns.utld. +@ SOA blx. hostmaster.ns.blx. ( 1 3600 1200 604800 60 ) + NS ns.tld. +ns A 10.53.0.3 ; Poke the radix tree a little. 128.1111.2222.3333.4444.5555.6666.7777.8888.rpz-ip CNAME . @@ -30,7 +32,8 @@ $TTL 120 128.zz.3333.4444.0.8777.8888.rpz-ip CNAME . 127.zz.3333.4444.0.8777.8888.rpz-ip CNAME . -; for testing rrset replacement + +; regression testing for some old crashes redirect IN A 127.0.0.1 *.redirect IN A 127.0.0.1 -*.cname-redirect IN CNAME google.com. +*.credirect IN CNAME google.com. diff --git a/bin/tests/system/rpz/ns3/crash1 b/bin/tests/system/rpz/ns3/crash1 new file mode 100644 index 00000000..d8c65c34 --- /dev/null +++ b/bin/tests/system/rpz/ns3/crash1 
@@ -0,0 +1,22 @@ +; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: crash1,v 1.2 2011-10-13 04:53:06 marka Exp $ + +; a bad zone that caused a crash related to dns_rdataset_disassociate() + +$TTL 120 +@ SOA crash1.tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 ) + + NS tld2. diff --git a/bin/tests/system/rpz/ns3/hints b/bin/tests/system/rpz/ns3/hints index 69ab18ca..2218602b 100644 --- a/bin/tests/system/rpz/ns3/hints +++ b/bin/tests/system/rpz/ns3/hints @@ -12,7 +12,8 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: hints,v 1.3 2011-01-13 04:59:25 tbox Exp $ +; $Id: hints,v 1.4 2011-10-13 01:32:33 vjs Exp $ -. 0 NS s1. -s1. 0 A 10.53.0.1 + +. 0 NS ns1. +ns1. 0 A 10.53.0.1 diff --git a/bin/tests/system/rpz/ns3/named.conf b/bin/tests/system/rpz/ns3/named.conf index 86aae6e0..4463f8af 100644 --- a/bin/tests/system/rpz/ns3/named.conf +++ b/bin/tests/system/rpz/ns3/named.conf @@ -14,9 +14,8 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.3 2011-01-13 04:59:25 tbox Exp $ */ +/* $Id: named.conf,v 1.4 2011-10-13 01:32:33 vjs Exp $ */ -controls { /* empty */ }; options { query-source address 10.53.0.3; 
@@ -31,47 +30,62 @@ options { response-policy { zone "bl"; - zone "bl-given" policy given; - zone "bl-no-op" policy no-op; - zone "bl-nodata" policy nodata; - zone "bl-nxdomain" policy nxdomain; - zone "bl-cname" policy cname nodata.tld2.; + zone "bl-2"; + zone "bl-given" policy given; + zone "bl-passthru" policy passthru; + zone "bl-no-op" policy no-op; # obsolete for passthru + zone "bl-disabled" policy disabled; + zone "bl-nodata" policy nodata; + zone "bl-nxdomain" policy nxdomain; + zone "bl-cname" policy cname txt-only.tld2.; + zone "bl-wildcname" policy cname *.tld4.; + zone "bl-garden" policy cname a12.tld2.; }; }; key rndc_key { - secret "1234abcd8765"; - algorithm hmac-md5; + secret "1234abcd8765"; + algorithm hmac-md5; }; controls { - inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; }; + inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; }; }; logging { - category queries { default_stderr; }; + # change "-c named.conf -d 99 -g" to "-c named.conf -d 99 -f" + # in ../start.pl to check the rpz log category + channel rpz { severity debug 10; + print-category yes; print-time yes; print-severity yes; + file "named.rpz";}; + category rpz { default_stderr; rpz; }; + category queries { default_stderr; rpz; }; category query-errors { default_stderr; }; }; zone "." { type hint; file "hints"; }; +zone "bl." {type master; file "bl.db"; + allow-update {any;};}; +zone "bl-2." {type master; file "bl-2.db"; + allow-update {any;};}; +zone "bl-given." {type master; file "bl-given.db"; + allow-update {any;};}; +zone "bl-passthru." {type master; file "bl-passthru.db"; + allow-update {any;};}; +zone "bl-no-op." {type master; file "bl-no-op.db"; + allow-update {any;};}; +zone "bl-disabled." {type master; file "bl-disabled.db"; + allow-update {any;};}; +zone "bl-nodata." {type master; file "bl-nodata.db"; + allow-update {any;};}; +zone "bl-nxdomain." {type master; file "bl-nxdomain.db"; + allow-update {any;};}; +zone "bl-cname." 
{type master; file "bl-cname.db"; + allow-update {any;};}; +zone "bl-wildcname." {type master; file "bl-wildcname.db"; + allow-update {any;};}; +zone "bl-garden." {type master; file "bl-garden.db"; + allow-update {any;};}; -zone "bl." {type master; file "bl.db"; - allow-update {any;}; -}; -zone "bl-given." {type master; file "bl-given.db"; - allow-update {any;}; -}; -zone "bl-no-op." {type master; file "bl-no-op.db"; - allow-update {any;}; -}; -zone "bl-nodata." {type master; file "bl-nodata.db"; - allow-update {any;}; -}; -zone "bl-nxdomain." {type master; file "bl-nxdomain.db"; - allow-update {any;}; -}; -zone "bl-cname." {type master; file "bl-cname.db"; - allow-update {any;}; -}; - +zone "crash1.tld2" {type master; file "crash1";}; diff --git a/bin/tests/system/rpz/ns4/hints b/bin/tests/system/rpz/ns4/hints new file mode 100644 index 00000000..5d88ce0a --- /dev/null +++ b/bin/tests/system/rpz/ns4/hints @@ -0,0 +1,18 @@ +; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: hints,v 1.2 2011-10-13 04:53:06 marka Exp $ + +. 0 NS ns1. +ns1. 0 A 10.53.0.1 diff --git a/bin/tests/system/rpz/ns4/named.conf b/bin/tests/system/rpz/ns4/named.conf new file mode 100644 index 00000000..d960de39 --- /dev/null +++ b/bin/tests/system/rpz/ns4/named.conf 
@@ -0,0 +1,39 @@ +/* + * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: named.conf,v 1.2 2011-10-13 04:53:06 marka Exp $ */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port 5300; + pid-file "named.pid"; + session-keyfile "session.key"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + notify no; +}; + +zone "." { type hint; file "hints"; }; + +zone "tld4." {type master; file "tld4.db";}; +zone "sub1.tld4." {type master; file "tld4.db";}; +zone "subsub.sub1.tld4." {type master; file "tld4.db";}; +zone "sub2.tld4." {type master; file "tld4.db";}; +zone "subsub.sub2.tld4." {type master; file "tld4.db";}; diff --git a/bin/tests/system/rpz/ns4/tld4.db b/bin/tests/system/rpz/ns4/tld4.db new file mode 100644 index 00000000..59834e4b --- /dev/null +++ b/bin/tests/system/rpz/ns4/tld4.db 
@@ -0,0 +1,73 @@ +; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: tld4.db,v 1.2 2011-10-13 04:53:07 marka Exp $ + +; RPZ rewrite responses from this zone + +$TTL 120 +@ SOA tld4. hostmaster.ns.tld4. ( 1 3600 1200 604800 60 ) + NS ns + NS ns2 +ns A 10.53.0.4 +ns2 A 10.53.0.4 + + +txt-only TXT "txt-only-tld4" + +a14 A 14.14.14.14 + AAAA 2001::14 + TXT "a14 text" +a14-cname CNAME a14 + +a0-1 A 192.168.0.1 + AAAA 2001:2::1 + TXT "a0-1 text" + +a3-1 A 192.168.3.1 + AAAA 2001:2:3::1 + TXT "a3-1 text" + +a3-2 A 192.168.3.2 + AAAA 2001:2:3::2 + TXT "a3-2 text" + +a4-1 A 192.168.4.1 + AAAA 2001:2:4::1 + TXT "a4-1 text" +a4-1-aaaa AAAA 2001:2:4::1 + +a4-2 A 192.168.4.2 + AAAA 2001:2:4::2 + TXT "a4-2 text" +a4-2-cname CNAME a4-2 + +a4-3 A 192.168.4.3 + AAAA 2001:2:4::3 + TXT "a4-3 text" +a4-3-cname CNAME a4-3 + +a4-4 A 192.168.4.4 + AAAA 2001:2:4::4 + TXT "a4-4 text" + +a3-6.tld2 A 56.56.56.56 + +a3-7.sub1.tld2 A 57.57.57.57 + +a3-8.tld2 A 58.58.58.58 + +a3-9.sub9.tld2 A 59.59.59.59 + +a3-10.tld2 A 60.60.60.60 diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh index 95937671..947b28a4 100644 --- a/bin/tests/system/rpz/setup.sh +++ b/bin/tests/system/rpz/setup.sh 
@@ -14,10 +14,11 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: setup.sh,v 1.3 2011-01-13 04:59:24 tbox Exp $ +# $Id: setup.sh,v 1.4 2011-10-13 01:32:32 vjs Exp $ sh clean.sh -for NM in '' -given -no-op -nodata -nxdomain -cname; do - cp -f ns3/base.db ns3/bl$NM.db +# NO-OP is an obsolete synonym for PASSHTRU +for NM in '' -2 -given -disabled -passthru -no-op -nodata -nxdomain -cname -wildcname -garden; do + sed -e "/SOA/s/blx/bl$NM/g" ns3/base.db >ns3/bl$NM.db done diff --git a/bin/tests/system/rpz/test1 b/bin/tests/system/rpz/test1 index f665505a..c076c093 100644 --- a/bin/tests/system/rpz/test1 +++ b/bin/tests/system/rpz/test1 
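Review bot: The new comment above the loop reads `# NO-OP is an obsolete synonym for PASSHTRU`; the policy name used in the new `ns3/named.conf` is `passthru`, so it should be `# NO-OP is an obsolete synonym for PASSTHRU`. The `sed` expression only rewrites `blx` on the `SOA` line, and the SOA line is the only place `blx` appears in the `ns3/base.db` hunk of this diff, so the generated `bl*.db` files stay consistent with the base zone.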
@@ -12,19 +12,64 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: test1,v 1.5 2011-06-09 03:10:17 marka Exp $ +; $Id: test1,v 1.6 2011-10-13 01:32:32 vjs Exp $ +; Use comment lines instead of blank lines to combine update requests into +; single requests +; Separate update requests for distinct TLDs with blank lines or 'send' +; End the file with a blank line or 'send' + server 10.53.0.3 5300 +; QNAME tests + ; NXDOMAIN update add a0-1.tld2.bl. 300 CNAME . - +; ; NODATA -update add a1-1.tld2.bl. 300 CNAME *. -; and no assert-botch -update add a1-2.tld2.bl. 300 DNAME example.com. - -update add *.sub1.tld2.bl. 300 A 12.12.12.12 - +update add a3-1.tld2.bl. 300 CNAME *. +; and no assert-botch +; 5 +update add a3-2.tld2.bl. 300 DNAME example.com. +; +; NXDOMAIN for a4-2-cname.tld2 via its target a4-2.tld2. +; 6 and 7 +update add a4-2.tld2.bl 300 CNAME . +; 8 +; NODATA for a4-3-cname.tld2 via its target a4-3.tld2. +update add a4-3.tld2.bl 300 CNAME *. +; +; replace the A for a4-1.sub1.tld2 with 12.12.12.12 +; 9 +update add a4-1.sub1.tld2.bl. 300 A 12.12.12.12 +; +; replace the A for *.sub2.tld2 with 12.12.12.12 +; 10 +update add a4-1.sub2.tld2.bl. 300 A 12.12.12.12 +; +; replace NXDOMAIN for {nxc1,nxc2}.sub1.tld2 with 12.12.12.12 using CNAMEs +; 11 +update add nxc1.sub1.tld2.bl. 300 CNAME a12.tld2. +; 12 +update add nxc2.sub1.tld2.bl. 300 CNAME a12-cname.tld2. +; +; prefer the first conflicting zone +; 13 +update add a4-4.tld2.bl. 300 A 127.0.0.1 +send +update add a4-4.tld2.bl-2. 300 A 127.0.0.2 +send +; +; wildcard CNAME +; 14 +update add a3-6.tld2.bl. 300 CNAME *.tld4. +; 15 +update add *.sub1.tld2.bl. 300 CNAME *.tld4. +; CNAME chains +; 16 +update add a4-5.tld2.bl. 300 A 127.0.0.16 +; 17 +update add a4-6.tld2.bl. 300 CNAME . +update add a4-6-cname.tld2.bl. 300 A 127.0.0.17 send diff --git a/bin/tests/system/rpz/test2 b/bin/tests/system/rpz/test2 index 76815972..6d18ab97 100644 
--- a/bin/tests/system/rpz/test2 +++ b/bin/tests/system/rpz/test2 @@ -12,24 +12,47 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: test2,v 1.4 2011-01-13 19:30:41 each Exp $ +; $Id: test2,v 1.5 2011-10-13 01:32:32 vjs Exp $ +; Use comment lines instead of blank lines to combine update requests into +; single requests +; Separate update requests for distinct TLDs with blank lines or 'send' +; End the file with a blank line or 'send' + +; IP tests + server 10.53.0.3 5300 ; NODATA a3-1.tld2 update add 32.1.3.168.192.rpz-ip.bl 300 CNAME *. - -; NXDOMAIN for network of a4-1.tld2 +; +; NXDOMAIN for 192.168.4.0/24, the network of a4-1.tld2 update add 24.0.4.168.192.rpz-ip.bl 300 CNAME . - +; ; poke hole in NXDOMAIN CIDR block to leave a4-1.tld2 unchanged update add 32.1.4.168.192.rpz-ip.bl 300 CNAME 32.1.4.168.192 - -; NODATA a4-3.tld2 +; +; NODATA for a4-3.tld2 update add 32.3.4.168.192.rpz-ip.bl 300 CNAME *. - +; ; NXDOMAIN for IPv6 a3-1.tld2 update add 128.1.zz.3.2.2001.rpz-ip.bl 300 CNAME . - +; +; apply the policy with the lexically smallest address of 192.168.5.1 +; to an RRset of more than one A RR +update add 32.1.5.168.192.rpz-ip.bl 300 A 127.0.0.1 +update add 32.2.5.168.192.rpz-ip.bl 300 A 127.0.0.2 +; +; prefer first conflicting IP zone for a5-3.tld2 +update add 32.3.5.168.192.rpz-ip.bl 300 A 127.0.0.1 +send +update add 32.3.5.168.192.rpz-ip.bl-2 300 A 127.0.0.2 send + +; prefer QNAME to IP for a5-4.tld2 +update add 32.4.5.168.192.rpz-ip.bl 300 CNAME a12.tld2. +update add a5-4.tld2.bl 300 CNAME a14.tld4. + +; wildcard CNAMEs +;update add diff --git a/bin/tests/system/rpz/test3 b/bin/tests/system/rpz/test3 index 05759aaf..0ecebea7 100644 --- a/bin/tests/system/rpz/test3 +++ b/bin/tests/system/rpz/test3 
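Review bot: The hunk ends with a stub, `; wildcard CNAMEs` followed by `;update add`, a commented-out and unfinished update request with no matching check in the IP group of `tests.sh`; either complete it or drop it so the file does not suggest a wildcard-CNAME IP test exists. The wildcard-CNAME cases are covered by `test1` (`a3-6.tld2.bl` and `*.sub1.tld2.bl`), so a one-line pointer there would be enough if the IP variant is not planned.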
@@ -12,11 +12,33 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: test3,v 1.4 2011-01-13 19:30:41 each Exp $ +; $Id: test3,v 1.5 2011-10-13 01:32:32 vjs Exp $ -server 10.53.0.3 5300 +; Use comment lines instead of blank lines to combine update requests into +; single requests +; Separate update requests for distinct TLDs with blank lines or 'send' +; End the file with a blank line or 'send' + +; NSDNAME tests -update add *.tld2.rpz-nsdname.bl. 300 CNAME . +server 10.53.0.3 5300 +; NXDOMAIN for *.sub1.tld2 by NSDNAME +update add *.sub1.tld2.rpz-nsdname.bl. 300 CNAME . +; +; walled garden for *.sub2.tld2 +update add *.sub2.tld2.rpz-nsdname.bl. 300 CNAME a12-cname.tld2. +; +; exempt a3-2.tld2 and anything in 192.168.0.0/24 +; also checks that IP policies are preferred over NSDNAME policies +update add a3-2.tld2.bl 300 CNAME a3-2.tld2. +update add 24.0.0.168.192.rpz-ip.bl 300 CNAME 24.0.0.168.192. +; +; prefer QNAME policy to NSDNAME policy +update add a4-1.tld2.bl. 300 A 12.12.12.12 +; +; prefer policy for largest NS name +update add ns.sub3.tld2.rpz-nsdname.bl. 300 A 127.0.0.1 +update add ns.subsub.sub3.tld2.rpz-nsdname.bl. 300 A 127.0.0.2 send diff --git a/bin/tests/system/rpz/test4 b/bin/tests/system/rpz/test4 index e614a69a..16a027e7 100644 --- a/bin/tests/system/rpz/test4 +++ b/bin/tests/system/rpz/test4 
@@ -12,11 +12,26 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: test4,v 1.4 2011-01-13 19:30:41 each Exp $ +; $Id: test4,v 1.5 2011-10-13 01:32:33 vjs Exp $ +; Use comment lines instead of blank lines to combine update requests into +; single requests +; Separate update requests for distinct TLDs with blank lines or 'send' +; End the file with a blank line or 'send' + +; NSIP tests + server 10.53.0.3 5300 +; NXDOMAIN for all of tld2 based on its server IP address update add 32.2.0.53.10.rpz-nsip.bl. 300 CNAME . - +; +; exempt a3-2.tld2 and anything in 192.168.0.0/24 +; also checks that IP policies are preferred over NSIP policies +update add a3-2.tld2.bl 300 CNAME a3-2.tld2. +update add 24.0.0.168.192.rpz-ip.bl 300 CNAME 24.0.0.168.192. +; +; prefer NSIP policy to NSDNAME policy +update add ns.tld2.rpz-nsdname.bl. 300 CNAME 10.0.0.1 send diff --git a/bin/tests/system/rpz/test5 b/bin/tests/system/rpz/test5 index 1f19d1bd..ef8566da 100644 --- a/bin/tests/system/rpz/test5 +++ b/bin/tests/system/rpz/test5 
@@ -12,25 +12,34 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: test5,v 1.4 2011-01-13 19:30:41 each Exp $ +; $Id: test5,v 1.5 2011-10-13 01:32:33 vjs Exp $ -server 10.53.0.3 5300 -update add a3-1.tld2.bl-given. 300 CNAME . -send +; Use comment lines instead of blank lines to combine update requests into +; single requests +; Separate update requests for distinct TLDs with blank lines or 'send' +; End the file with a blank line or 'send' -server 10.53.0.3 5300 -update add a3-2.tld2.bl-no-op. 300 CNAME . -send +; the policies or replacements specified in ns3/named.conf override these server 10.53.0.3 5300 -update add a3-3.tld2.bl-nodata. 300 CNAME . -send -server 10.53.0.3 5300 -update add a3-4.tld2.bl-nxdomain. 300 CNAME *. +update add a3-1.tld2.bl-given. 300 A 127.0.0.1 send - -server 10.53.0.3 5300 -update add a3-5.tld2.bl-cname. 300 CNAME . +update add a3-2.tld2.bl-passthru. 300 A 127.0.0.2 +send +update add a3-3.tld2.bl-no-op. 300 A 127.0.0.3 +send +update add a3-4.tld2.bl-disabled. 300 A 127.0.0.4 +send +update add a3-5.tld2.bl-nodata. 300 A 127.0.0.5 +send +update add a3-6.tld2.bl-nxdomain. 300 A 127.0.0.6 +send +update add a3-7.tld2.bl-cname. 300 A 127.0.0.7 +send +update add a3-8.tld2.bl-wildcname. 300 A 127.0.0.8 +update add *.sub9.tld2.bl-wildcname. 300 A 127.0.1.9 +send +update add a3-10.tld2.bl-garden. 300 A 127.0.0.10 send diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh index 7aef0eb5..63c2ecfe 100644 --- a/bin/tests/system/rpz/tests.sh +++ b/bin/tests/system/rpz/tests.sh 
@@ -12,19 +12,21 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.6 2011-06-09 03:10:17 marka Exp $ +# $Id: tests.sh,v 1.8 2011-10-13 13:03:51 marka Exp $ # test response policy zones (RPZ) SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh -root=10.53.0.1 -s2=10.53.0.2 -s3=10.53.0.3 +ns1=10.53.0.1 # root, defining the other two +ns2=10.53.0.2 # server whose answers are rewritten +ns3=10.53.0.3 # resolve that does the rewriting +ns4=10.53.0.4 # another server that is rewritten -DIGCMD="$DIG +noadd +nosea +nocmd -p 5300" +RNDCCMD="$RNDC -c ../common/rndc.conf -s $ns3 -p 9953" +HAVE_CORE= USAGE="$0: [-x]" while getopts "x" c; do @@ -42,16 +44,21 @@ fi trap 'exit 1' 1 2 15 +digcmd () { + #echo I:dig +noadd +noauth +nosearch +time=1 +tries=1 -p 5300 $* 1>&2 + $DIG +noadd +noauth +nosearch +time=1 +tries=1 -p 5300 $* +} + # set DIGNM=file name for dig output -# $1=target domain $2=optional query type $3=optional string -dignm () { - DIGNM=dig.out-$DIGNM_SUB-$1 - if test -n "$3"; then - DIGNM=$DIGNM-$3 - fi - if test -n "$2"; then - DIGNM=$DIGNM-`expr "x$2" : 'x-t *\(.*\)'` - fi +GROUP_NM= +TEST_NUM=0 +make_dignm () { + TEST_NUM=`expr $TEST_NUM + 1` + DIGNM=dig.out$GROUP_NM-$TEST_NUM + while test -f $DIGNM; do + TEST_NUM="$TEST_NUM+" + DIGNM=dig.out$GROUP_NM-$TEST_NUM + done } setret () { 
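Review bot: The comment on the `ns1` line, `# root, defining the other two`, is stale in this hunk because a fourth server (`ns4`) is added right below it and the new `ns1/root.db` delegates `tld4` as well; the `ns3` comment reads `# resolve that does the rewriting` where `resolver` is meant. Suggest `ns1=10.53.0.1 # root, defining the others` and `ns3=10.53.0.3 # resolver that does the rewriting`. `HAVE_CORE=` is introduced here and set in `ckalive` later in the file, but no reader of it is visible in this diff, so I cannot tell whether it is consumed.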
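Review bot: In `make_dignm`, the collision loop appends `+` to the counter itself (`TEST_NUM="$TEST_NUM+"`), so the next call's `expr $TEST_NUM + 1` gets a non-numeric argument and numbering for the rest of the group breaks; the loop only fires when a `dig.out` file left by an earlier failure (or by a group reusing the same `GROUP_NM`) still exists, which is exactly the case it is meant to handle. Keep the counter numeric and carry the suffix in a separate variable, as below. As a style point, `digcmd` forwards its arguments with `$*`; `"$@"` preserves argument boundaries, though no argument in this file contains whitespace.
```shell
make_dignm () {
  TEST_NUM=`expr $TEST_NUM + 1`
  DIGNM_SUFFIX=
  DIGNM=dig.out$GROUP_NM-$TEST_NUM
  while test -f $DIGNM; do
    DIGNM_SUFFIX="$DIGNM_SUFFIX+"
    DIGNM=dig.out$GROUP_NM-$TEST_NUM$DIGNM_SUFFIX
  done
}
```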
@@ -59,109 +66,159 @@ setret () { echo "$*" } +# (re)load the reponse policy zones with the rules in the file $TEST_FILE +load_db () { + if test -n "$TEST_FILE"; then + if $NSUPDATE -v $TEST_FILE; then : ; else + echo "I:failed to update policy zone with $TEST_FILE" + exit 1 + fi + fi +} + +restart () { + $RNDCCMD stop >/dev/null 2>&1 + rm -f ns3/*.jnl + for NM in ns3/bl*.db; do + cp -f ns3/base.db $NM + done + (cd ..; $PERL start.pl --noclean --restart rpz ns3) + load_db +} + +ckalive () { + $RNDCCMD status >/dev/null 2>&1 && return 0 + HAVE_CORE=yes + setret "$1" + restart + return 1 +} + +# $1=message $2=optional test file name +start_group () { + ret=0 + test -n "$1" && echo "I:checking $1" + TEST_FILE=$2 + if test -n "$TEST_FILE"; then + GROUP_NM="-$TEST_FILE" + load_db + else + GROUP_NM= + fi + TEST_NUM=0 +} + +end_group () { + if test -n "$TEST_FILE"; then + sed -e 's/[ ]add[ ]/ delete /' $TEST_FILE | $NSUPDATE + TEST_FILE= + fi + status=`expr $status + $ret` + ckalive "I:failed; server crashed" + GROUP_NM= +} + +# $1=dig args $2=other dig output file +ckresult () { + #ckalive "I:server crashed by 'dig $1'" || return 1 + if $PERL ../digcomp.pl $DIGNM $2 >/dev/null; then + rm -f ${DIGNM}* + return 0 + fi + setret "I:'dig $1' wrong; diff $DIGNM $2" + return 1 +} + +# check only that the server does not crash +# $1=target domain $2=optional query type +nocrash () { + digcmd $* @$ns3 >/dev/null + ckalive "I:server crashed by 'dig $*'" +} + + # check rewrite to NXDOMAIN # $1=target domain $2=optional query type nxdomain () { - dignm $1 "$2" - $DIGCMD +noauth $1 $2 @$s3 >$DIGNM - $PERL ../digcomp.pl dig.out-nxdomain $DIGNM || setret " in $DIGNM" + make_dignm + digcmd +noauth $* @$ns3 \ + | sed -e 's/^[a-z].* IN CNAME /;xxx &/' >$DIGNM + ckresult "$*" proto.nxdomain } # check rewrite to NODATA # $1=target domain $2=optional query type nodata () { - dignm $1 "$2" - $DIGCMD +noauth $1 $2 @$s3 >$DIGNM - $PERL ../digcomp.pl dig.out-nodata $DIGNM || setret " in $DIGNM" 
+ make_dignm + digcmd +noauth $* @$ns3 \ + | sed -e 's/^[a-z].* IN CNAME /;xxx &/' >$DIGNM + ckresult "$*" proto.nodata } -# check rewrite to "A 12.12.12.12" -# modify the output so that it is easily matched, but save the original line -# $1=target domain $2=optional query type -a12 () { - dignm $1 "$2" - $DIGCMD +noauth $1 $2 @$s3 \ - | sed -e "/^$1\. /{" \ - -e "s/.*/;xxx &/p" -e "s/^;xxx $1/a12.tld2/" -e '}' \ - >$DIGNM - $PERL ../digcomp.pl dig.out-a12 $DIGNM || ret=1 +# check rewrite to an address +# modify the output so that it is easily compared, but save the original line +# $1=IPv4 address, $2=target domain $3=optional query type +addr () { + ADDR=$1 + shift + ADDR_ESC=`echo "$ADDR" | sed -e 's/\./\\\\./g'` + make_dignm + digcmd +noauth $* @$ns3 >$DIGNM + #ckalive "I:server crashed by 'dig $*'" || return + if grep -i '^[a-z].* A '"$ADDR_ESC"'$' $DIGNM >/dev/null; then + rm -f ${DIGNM}* + return 0 + fi + setret "I:'dig $*' wrong; no A $ADDR record in $DIGNM $2" } # check that a response is not rewritten # $1=target domain $2=optional query type nochange () { - dignm $1 "$2" ok - DIGNM_OK=$DIGNM - dignm $1 "$2" - $DIGCMD $1 $2 @$s3 >$DIGNM - $DIGCMD $1 $2 @$s2 >$DIGNM_OK - $PERL ../digcomp.pl $DIGNM_OK $DIGNM || ret=1 + make_dignm + digcmd $* @$ns3 >$DIGNM + digcmd $* @$ns2 >${DIGNM}_OK + ckresult "$*" ${DIGNM}_OK && rm -f ${DIGNM}_OK } -flush_db () { - if $RNDC -c ../common/rndc.conf -s $s3 -p 9953 freeze; then : ; else - echo "I:failed to freeze policy zone $1" - exit 1 - fi - if $RNDC -c ../common/rndc.conf -s $s3 -p 9953 thaw; then : ; else - echo "I:failed to thaw policy zone $1" - exit 1 - fi +# check against a 'here document' +here () { + make_dignm + sed -e 's/^[ ]*//' >${DIGNM}_OK + digcmd $* @$ns3 >$DIGNM + ckresult "$*" ${DIGNM}_OK } -# $1=message $2=test file -start_test () { - ret=0 - if test -n "$1"; then - echo "I:checking $1" - fi - PREV_FILE=$2 - if test -n "$2"; then - DIGNM_SUB=`expr "$2" : 'test\(.\)'` - if $NSUPDATE -v $PREV_FILE; then : 
; else - echo "I:failed to update policy zone $1 with $2" - exit 1 - fi - #flush_db - else - DIGNM_SUB="${DIGNM_SUB}x" - fi -} - -end_test () { - if test $ret != 0; then - echo "I:failed" - else - rm -f dig.out-${DIGNM_SUB}* - fi - if test -n "$PREV_FILE"; then - sed -e 's/ add / delete /' $PREV_FILE | $NSUPDATE - status=`expr $status + $ret` - #flush_db - fi -} +# make prototype files to check against rewritten results +digcmd +noauth nonexistent @$ns2 >proto.nxdomain +digcmd +noauth txt-only.tld2 @$ns2 >proto.nodata -# make NXDOMAIN and NODATA prototypes -echo "I:making prototype RPZ NXDOMAIN, NODATA, and CNAME results" -$DIGCMD +noauth nonexistent @$s2 >dig.out-nxdomain -$DIGCMD +noauth nodata.tld2 @$s2 >dig.out-nodata -$DIGCMD +noauth a12.tld2 @$s2 >dig.out-a12 - status=0 -start_test "RPZ QNAME rewrites" test1 +start_group "QNAME rewrites" test1 +nochange . nxdomain a0-1.tld2 -nodata a1-1.tld2 -nodata a1-2.tld2 -nodata sub.a1-2.tld2 -a12 a4-1.sub1.tld2 -end_test - -start_test "RPZ IP rewrites" test2 +nodata a3-1.tld2 +nodata a3-2.tld2 +nodata sub.a3-2.tld2 # 5 no crash on DNAME +nxdomain a4-2.tld2 # 6 rewrite based on CNAME target +nxdomain a4-2-cname.tld2 # 7 +nodata a4-3-cname.tld2 # 8 +addr 12.12.12.12 a4-1.sub1.tld2 # 9 A replacement +addr 12.12.12.12 a4-1.sub2.tld2 # 10 A replacement with wildcard +addr 12.12.12.12 nxc1.sub1.tld2 # 11 replace NXDOMAIN with CNAME +addr 12.12.12.12 nxc2.sub1.tld2 # 12 replace NXDOMAIN with CNAME chain +addr 127.0.0.1 a4-4.tld2 # 13 prefer 1st conflicting QNAME zone +addr 56.56.56.56 a3-6.tld2 # 14 wildcard CNAME +addr 57.57.57.57 a3-7.sub1.tld2 # 15 wildcard CNAME +addr 127.0.0.16 a4-5-cname3.tld2 # 16 CNAME chain +addr 127.0.0.17 a4-6-cname3.tld2 # 17 stop short in CNAME chain +end_group + +start_group "IP rewrites" test2 nodata a3-1.tld2 nochange a3-2.tld2 -nxdomain a3-99.tld2 nochange a4-1.tld2 nxdomain a4-2.tld2 nochange a4-2.tld2 -taaaa 
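Review bot: `end_group` pipes the generated delete requests into `$NSUPDATE` without checking the result, whereas `load_db` exits when an add fails; a failed delete leaves the group's rules in the policy zones and silently skews every later group, including the `radix tree deletions` group whose purpose is to verify those deletes. Count it as a failure before `status` is accumulated: `sed -e 's/[ ]add[ ]/ delete /' $TEST_FILE | $NSUPDATE || setret "I:failed to delete policy rules in $TEST_FILE"`. Separately, `restart` copies `ns3/base.db` over each `bl*.db` unchanged, while the new `setup.sh` generates those files by rewriting `blx` in the SOA to the zone's own name, so a zone restored after a crash differs from the one created at setup; presumably harmless for these tests, but applying the same `sed` in `restart` would keep the two paths consistent. The comment on `load_db` reads `reponse`; `response` is meant.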
@@ -170,9 +227,13 @@ nxdomain a4-2.tld2 -tany
 nodata a4-3.tld2
 nxdomain a3-1.tld2 -tAAAA
 nochange a4-1-aaaa.tld2 -tAAAA
-end_test
+addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address
+addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone
+addr 14.14.14.14 a5-4.tld2 # 13 prefer QNAME to IP
+end_group
-start_test "RPZ radix tree deletions"
+# check that IP addresses for previous group were deleted from the radix tree
+start_group "radix tree deletions"
 nochange a3-1.tld2
 nochange a3-2.tld2
 nochange a4-1.tld2
@@ -183,94 +244,73 @@ nochange a4-2.tld2 -tany
 nochange a4-3.tld2
 nochange a3-1.tld2 -tAAAA
 nochange a4-1-aaaa.tld2 -tAAAA
-end_test
+nochange a5-1-2.tld2
+end_group
 if ./rpz nsdname; then
- start_test "RPZ NSDNAME rewrites" test3
+ start_group "NSDNAME rewrites" test3
 nochange a3-1.tld2
- nxdomain a3-1.sub1.tld2
- nxdomain a3-1.sub2.sub1.tld2
- end_test
+ nochange a3-1.tld2 +dnssec # 2 this once caused problems
+ nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME
+ nxdomain a3-1.subsub.sub1.tld2
+ nxdomain a3-1.subsub.sub1.tld2 -tany
+ addr 12.12.12.12 a4-2.subsub.sub2.tld2 # 6 walled garden for *.sub2.tld2
+ nochange a3-2.tld2. # 7 exempt rewrite by name
+ nochange a0-1.tld2. # 8 exempt rewrite by address block
+ addr 12.12.12.12 a4-1.tld2 # 9 prefer QNAME policy to NSDNAME
+ addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME
+ addr 127.0.0.2 a3-1.subsub.sub3.tld2
+ nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash
+ end_group
 else
- echo "I:RPZ NSDNAME not checked; named was not built with --enable-rpz-nsdname"
+ echo "I:NSDNAME not checked; named not configured with --enable-rpz-nsdname"
 fi
 if ./rpz nsip; then
- start_test "RPZ NSIP rewrites" test4
- nxdomain a3-1.tld2
- nochange .
- end_test
+ start_group "NSIP rewrites" test4
+ nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2 by NSIP
+ nochange a3-2.tld2. # 2 exempt rewrite by name
+ nochange a0-1.tld2. # 3 exempt rewrite by address block
+ nochange a3-1.tld4 # 4 different NS IP address
+ end_group
 else
- echo "I:RPZ NSIP not checked; named was not built with --enable-rpz-nsip"
-fi
-
-start_test "RPZ policy overrides" test5
-nxdomain a3-1.tld2
-nochange a3-2.tld2
-nodata a3-3.tld2
-nxdomain a3-4.tld2
-dignm a3-5.tld2 -tany
-$DIGCMD +noauth a3-5.tld2 -tany @$s3 >$DIGNM
-if grep CNAME $DIGNM >/dev/null; then : ; else
- echo "'policy cname' failed"
- ret=1
+ echo "I:NSIP not checked; named not configured with --enable-rpz-nsip"
 fi
-end_test
-
-ret=0
-echo "I:checking RRSIG queries"
-# We don't actually care about the query results; the important
-# thing is the server handles RRSIG queries okay
-$DIGCMD a3-1.tld2 -trrsig @$s3 > /dev/null 2>&1
-$DIGCMD a3-2.tld2 -trrsig @$s3 > /dev/null 2>&1
-$DIGCMD a3-5.tld2 -trrsig @$s3 > /dev/null 2>&1
-$DIGCMD www.redirect -trrsig @$s3 > /dev/null 2>&1
-$DIGCMD www.cname-redirect -trrsig @$s3 > /dev/null 2>&1
-
-$RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
-if [ $ret != 0 ]; then
- echo "I:failed";
- (cd ..; $PERL start.pl --noclean --restart rpz ns3)
-fi
-status=`expr $status + $ret`
-
-ret=0
-echo "I:checking SIG queries"
-# We don't actually care about the query results; the important
-# thing is the server handles SIG queries okay
-$DIGCMD a3-1.tld2 -tsig @$s3 > /dev/null 2>&1
-$DIGCMD a3-2.tld2 -tsig @$s3 > /dev/null 2>&1
-$DIGCMD a3-5.tld2 -tsig @$s3 > /dev/null 2>&1
-$DIGCMD www.redirect -tsig @$s3 > /dev/null 2>&1
-$DIGCMD www.cname-redirect -tsig @$s3 > /dev/null 2>&1
-
-$RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
-if [ $ret != 0 ]; then
- echo "I:failed";
- (cd ..; $PERL start.pl --noclean --restart rpz ns3)
-fi
-status=`expr $status + $ret`
-
-ret=0
-echo "I:checking ANY queries"
-# We don't actually care about the query results; the important
-# thing is the server handles SIG queries okay
-$DIGCMD a3-1.tld2 -tany @$s3 > /dev/null 2>&1
-$DIGCMD a3-2.tld2 -tany @$s3 > /dev/null 2>&1
-$DIGCMD a3-5.tld2 -tany @$s3 > /dev/null 2>&1
-$DIGCMD www.redirect -tany @$s3 > /dev/null 2>&1
-$DIGCMD www.cname-redirect -tany @$s3 > /dev/null 2>&1
-
-$RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
-if [ $ret != 0 ]; then
- echo "I:failed";
- (cd ..; $PERL start.pl --noclean --restart rpz ns3)
-fi
-status=`expr $status + $ret`
+# policies in ./test5 overridden by response-policy{} in ns3/named.conf
+start_group "policy overrides" test5
+addr 127.0.0.1 a3-1.tld2 # 1 bl-given
+nochange a3-2.tld2 # 2 bl-passthru
+nochange a3-3.tld2 # 3 bl-no-op obsolete for passthru
+nochange a3-4.tld2 # 4 bl-disabled
+nodata a3-5.tld2 # 5 bl-nodata
+nxdomain a3-6.tld2 # 6 bl-nxdomain
+here +noauth a3-7.tld2 -tany <<'EOF' # 7 bl_cname
+ ;; status: NOERROR, x
+ a3-7.tld2. 300 IN CNAME txt-only.tld2.
+ txt-only.tld2. 120 IN TXT "txt-only-tld2"
+EOF
+addr 58.58.58.58 a3-8.tld2 # 8 bl_wildcname
+addr 59.59.59.59 a3-9.sub9.tld2 # 9 bl_wildcname
+addr 12.12.12.12 a3-10.tld2 # 10 bl-garden
+end_group
+
+# check that miscellaneous bugs are still absent
+start_group "crashes"
+for Q in RRSIG SIG ANY 'ANY +dnssec'; do
+ nocrash a3-1.tld2 -t$Q
+ nocrash a3-2.tld2 -t$Q
+ nocrash a3-5.tld2 -t$Q
+ nocrash www.redirect -t$Q
+ nocrash www.credirect -t$Q
+done
+end_group
-if test "$status" -eq 0; then
- rm -f dig.out*
+# restart the server to see if that creates a core file
+if test -z "$HAVE_CORE"; then
+ $RNDCCMD halt
+ restart
+ test -s ns3/named.core && setret "I:found stray core file; memory leak?"
 fi
 echo "I:exit status: $status" |
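Review bot: The new "crashes" group only asserts that the server survived each `nocrash` query, so a name that does not exist in ns3's zone data still passes and silently loses coverage; the query target changed from `www.cname-redirect` to `www.credirect` here, which is fine if the zone data was renamed alongside it but is worth confirming, and a comment such as `# these names must exist in ns3's zones, or this group exercises nothing` would make that dependency explicit. The loop also depends on `$Q` being unquoted so that `'ANY +dnssec'` splits into `-tANY +dnssec`; that is deliberate but reads like a quoting bug, so mark it with `# $Q is deliberately unquoted: 'ANY +dnssec' must split into two arguments`. The stray-core check at the end looks only at `ns3/named.core`, whereas core files are commonly named `core` or `core.<pid>` depending on platform, so consider `for f in ns3/named.core ns3/core*; do test -s "$f" && setret "I:found stray core file $f"; done` and drop the speculative "memory leak?" from the message, since a core produced during halt can have other causes.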
