mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-31 06:25:31 +00:00
Check update-policy logs
This commit is contained in:
Mark Andrews
@@ -28,14 +28,14 @@ rm -f keygen.out.*
|
||||
rm -f nextpart.out.*
|
||||
rm -f ns*/managed-keys.bind* ns*/*.mkeys*
|
||||
rm -f ns1/example.db ns1/unixtime.db ns1/yyyymmddvv.db ns1/update.db ns1/other.db ns1/keytests.db
|
||||
rm -f ns1/legacy157.key ns1/legacy161.key ns1/legacy162.key ns1/legacy163.key ns1/legacy164.key ns1/legacy165.key
|
||||
rm -f ns1/many.test.db
|
||||
rm -f ns1/maxjournal.db
|
||||
rm -f ns1/md5.key ns1/sha1.key ns1/sha224.key ns1/sha256.key ns1/sha384.key
|
||||
rm -f ns1/legacy157.key ns1/legacy161.key ns1/legacy162.key ns1/legacy163.key ns1/legacy164.key ns1/legacy165.key
|
||||
rm -f ns1/sample.db
|
||||
rm -f ns1/sha512.key ns1/ddns.key
|
||||
rm -f ns1/tls.conf
|
||||
rm -f ns1/tls.options
|
||||
rm -f ns1/sha512.key ns1/ddns.key
|
||||
rm -f ns10/_default.tsigkeys
|
||||
rm -f ns10/example.com.db
|
||||
rm -f ns10/in-addr.db
|
||||
@@ -48,10 +48,10 @@ rm -f ns3/delegation.test.db
|
||||
rm -f ns3/dnskey.test.db
|
||||
rm -f ns3/dsset-*
|
||||
rm -f ns3/example.db
|
||||
rm -f ns3/relaxed.db
|
||||
rm -f ns3/multisigner.test.db
|
||||
rm -f ns3/many.test.bk
|
||||
rm -f ns3/multisigner.test.db
|
||||
rm -f ns3/nsec3param.test.db
|
||||
rm -f ns3/relaxed.db
|
||||
rm -f ns3/too-big.test.db
|
||||
rm -f ns5/local.db
|
||||
rm -f ns6/2.0.0.2.ip6.addr.db
|
||||
@@ -66,10 +66,12 @@ rm -f ns9/_default.tsigkeys
|
||||
rm -f ns9/denyname.example.db
|
||||
rm -f ns9/example.com.db
|
||||
rm -f ns9/in-addr.db
|
||||
rm -f perl.update_test.out
|
||||
rm -f nsupdate.alg-*
|
||||
rm -f nsupdate.out*
|
||||
rm -f perl.update_test.out
|
||||
rm -f policy.expected.*
|
||||
rm -f policy.log*
|
||||
rm -f typelist.out.*
|
||||
rm -f update.out.*
|
||||
rm -f update.in.*
|
||||
rm -f update.out.*
|
||||
rm -f verylarge
|
||||
|
||||
@@ -36,7 +36,10 @@ RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"
|
||||
status=0
|
||||
n=0
|
||||
|
||||
nextpartreset ns1/named.run
|
||||
nextpartreset ns3/named.run
|
||||
nextpartreset ns5/named.run
|
||||
nextpartreset ns6/named.run
|
||||
|
||||
# wait for zone transfer to complete
|
||||
tries=0
|
||||
@@ -64,6 +67,10 @@ has_positive_response() {
|
||||
return 0
|
||||
}
|
||||
|
||||
update_policy_log() {
|
||||
nextpart $1 | sed -n 's/^[^ ]* \(update-policy:.*\)$/\1/p'
|
||||
}
|
||||
|
||||
ret=0
|
||||
echo_i "fetching first copy of zone before update"
|
||||
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil. @10.53.0.1 axfr >dig.out.ns1 || ret=1
|
||||
@@ -91,6 +98,7 @@ digcomp knowngood.ns1.before dig.out.ns2 || ret=1
|
||||
|
||||
ret=0
|
||||
echo_i "ensure an unrelated zone is mentioned in its NOTAUTH log"
|
||||
nextpart ns1/named.run >/dev/null
|
||||
$NSUPDATE -k ns1/ddns.key >nsupdate.out 2>&1 <<END && ret=1
|
||||
server 10.53.0.1 ${PORT}
|
||||
zone unconfigured.test
|
||||
@@ -105,8 +113,21 @@ grep ' unconfigured.test: not authoritative' ns1/named.run \
|
||||
status=1
|
||||
}
|
||||
|
||||
ret=0
|
||||
n=$((n + 1))
|
||||
echo_i "check update-policy logs ($n)"
|
||||
update_policy_log ns1/named.run >policy.log.$n
|
||||
cat <<EOF >policy.expected.$n
|
||||
EOF
|
||||
diff policy.expected.$n policy.log.$n || ret=1
|
||||
[ $ret = 0 ] || {
|
||||
echo_i "failed"
|
||||
status=1
|
||||
}
|
||||
|
||||
ret=0
|
||||
echo_i "ensure a subdomain is mentioned in its NOTAUTH log"
|
||||
nextpart ns1/named.run >/dev/null
|
||||
$NSUPDATE -k ns1/ddns.key >nsupdate.out 2>&1 <<END && ret=1
|
||||
server 10.53.0.1 ${PORT}
|
||||
zone sub.sub.example.nil
|
||||
@@ -121,9 +142,22 @@ grep ' sub.sub.example.nil: not authoritative' ns1/named.run \
|
||||
status=1
|
||||
}
|
||||
|
||||
ret=0
|
||||
n=$((n + 1))
|
||||
echo_i "check update-policy logs ($n)"
|
||||
update_policy_log ns1/named.run >policy.log.$n
|
||||
cat <<EOF >policy.expected.$n
|
||||
EOF
|
||||
diff policy.expected.$n policy.log.$n || ret=1
|
||||
[ $ret = 0 ] || {
|
||||
echo_i "failed"
|
||||
status=1
|
||||
}
|
||||
|
||||
ret=0
|
||||
echo_i "updating zone"
|
||||
# nsupdate will print a ">" prompt to stdout as it gets each input line.
|
||||
nextpart ns1/named.run >/dev/null
|
||||
$NSUPDATE -k ns1/ddns.key <<END >/dev/null || ret=1
|
||||
server 10.53.0.1 ${PORT}
|
||||
update add updated.example.nil. 600 A 10.10.10.1
|
||||
@@ -136,6 +170,33 @@ END
|
||||
status=1
|
||||
}
|
||||
|
||||
ret=0
|
||||
n=$((n + 1))
|
||||
echo_i "check update-policy logs ($n)"
|
||||
update_policy_log ns1/named.run >policy.log.$n
|
||||
cat <<EOF >policy.expected.$n
|
||||
update-policy: using: signer=ddns-key.example.nil name=updated.example.nil addr=10.53.0.1 tcp=0 type=A target=
|
||||
update-policy: trying: grant zonesub-key.example.nil zonesub TXT
|
||||
update-policy: next rule: signer does not match identity
|
||||
update-policy: trying: grant ddns-key.example.nil subdomain example.nil ANY
|
||||
update-policy: matched: grant ddns-key.example.nil subdomain example.nil ANY
|
||||
update-policy: using: signer=ddns-key.example.nil name=updated.example.nil addr=10.53.0.1 tcp=0 type=TXT target=
|
||||
update-policy: trying: grant zonesub-key.example.nil zonesub TXT
|
||||
update-policy: next rule: signer does not match identity
|
||||
update-policy: trying: grant ddns-key.example.nil subdomain example.nil ANY
|
||||
update-policy: matched: grant ddns-key.example.nil subdomain example.nil ANY
|
||||
update-policy: using: signer=ddns-key.example.nil name=t.example.nil addr=10.53.0.1 tcp=0 type=A target=
|
||||
update-policy: trying: grant zonesub-key.example.nil zonesub TXT
|
||||
update-policy: next rule: signer does not match identity
|
||||
update-policy: trying: grant ddns-key.example.nil subdomain example.nil ANY
|
||||
update-policy: matched: grant ddns-key.example.nil subdomain example.nil ANY
|
||||
EOF
|
||||
diff policy.expected.$n policy.log.$n || ret=1
|
||||
[ $ret = 0 ] || {
|
||||
echo_i "failed"
|
||||
status=1
|
||||
}
|
||||
|
||||
echo_i "sleeping 5 seconds for server to incorporate changes"
|
||||
sleep 5
|
||||
|
||||
@@ -175,6 +236,7 @@ pre=$($DIG $DIGOPTS +short new.other.nil. @10.53.0.1 a) || ret=1
|
||||
|
||||
ret=0
|
||||
echo_i "updating zone"
|
||||
nextpart ns1/named.run >/dev/null
|
||||
# nsupdate will print a ">" prompt to stdout as it gets each input line.
|
||||
$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key >/dev/null <<END || ret=1
|
||||
zone other.nil.
|
||||
@@ -186,6 +248,21 @@ END
|
||||
status=1
|
||||
}
|
||||
|
||||
ret=0
|
||||
n=$((n + 1))
|
||||
echo_i "check update-policy logs ($n)"
|
||||
update_policy_log ns1/named.run >policy.log.$n
|
||||
cat <<EOF >policy.expected.$n
|
||||
update-policy: using: signer=local-ddns name=new.other.nil addr=127.0.0.1 tcp=0 type=A target=
|
||||
update-policy: trying: local
|
||||
update-policy: matched: local
|
||||
EOF
|
||||
diff policy.expected.$n policy.log.$n || ret=1
|
||||
[ $ret = 0 ] || {
|
||||
echo_i "failed"
|
||||
status=1
|
||||
}
|
||||
|
||||
echo_i "sleeping 5 seconds for server to incorporate changes"
|
||||
sleep 5
|
||||
|
||||
@@ -208,6 +285,7 @@ digcomp knowngood.ns1.after dig.out.ns1 || ret=1
|
||||
|
||||
ret=0
|
||||
echo_i "testing zone consistency checks"
|
||||
nextpart ns1/named.run >/dev/null
|
||||
# inserting an NS record without a corresponding A or AAAA record should fail
|
||||
$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key >nsupdate.out 2>&1 <<END && ret=1
|
||||
update add other.nil. 600 in ns ns3.other.nil.
|
||||
@@ -242,6 +320,39 @@ grep REFUSED nsupdate.out >/dev/null 2>&1 && ret=1
|
||||
status=1
|
||||
}
|
||||
|
||||
ret=0
|
||||
n=$((n + 1))
|
||||
echo_i "check update-policy logs ($n)"
|
||||
update_policy_log ns1/named.run >policy.log.$n
|
||||
cat <<EOF >policy.expected.$n
|
||||
update-policy: using: signer=local-ddns name=other.nil addr=127.0.0.1 tcp=0 type=NS target=
|
||||
update-policy: trying: local
|
||||
update-policy: matched: local
|
||||
update-policy: using: signer=local-ddns name=ns4.other.nil addr=127.0.0.1 tcp=0 type=A target=
|
||||
update-policy: trying: local
|
||||
update-policy: matched: local
|
||||
update-policy: using: signer=local-ddns name=other.nil addr=127.0.0.1 tcp=0 type=NS target=
|
||||
update-policy: trying: local
|
||||
update-policy: matched: local
|
||||
update-policy: using: signer=local-ddns name=ns5.other.nil addr=127.0.0.1 tcp=0 type=AAAA target=
|
||||
update-policy: trying: local
|
||||
update-policy: matched: local
|
||||
update-policy: using: signer=local-ddns name=other.nil addr=127.0.0.1 tcp=0 type=NS target=
|
||||
update-policy: trying: local
|
||||
update-policy: matched: local
|
||||
update-policy: using: signer=local-ddns name=other.nil addr=127.0.0.1 tcp=0 type=NS target=
|
||||
update-policy: trying: local
|
||||
update-policy: matched: local
|
||||
update-policy: using: signer=local-ddns name=ns6.other.nil addr=127.0.0.1 tcp=0 type=A target=
|
||||
update-policy: trying: local
|
||||
update-policy: matched: local
|
||||
EOF
|
||||
diff policy.expected.$n policy.log.$n || ret=1
|
||||
[ $ret = 0 ] || {
|
||||
echo_i "failed"
|
||||
status=1
|
||||
}
|
||||
|
||||
echo_i "sleeping 5 seconds for server to incorporate changes"
|
||||
sleep 5
|
||||
|
||||
@@ -259,6 +370,7 @@ grep ns6.other.nil dig.out.ns1 >/dev/null 2>&1 || ret=1
|
||||
|
||||
ret=0
|
||||
echo_i "ensure 'check-mx ignore' allows adding MX records containing an address without a warning"
|
||||
nextpart ns1/named.run >/dev/null
|
||||
$NSUPDATE -k ns1/ddns.key >nsupdate.out 2>&1 <<END || ret=1
|
||||
server 10.53.0.1 ${PORT}
|
||||
update add mx03.example.nil 600 IN MX 10 10.53.0.1
|
||||
@@ -271,8 +383,26 @@ grep "mx03.example.nil/MX:.*MX is an address" ns1/named.run >/dev/null 2>&1 && r
|
||||
status=1
|
||||
}
|
||||
|
||||
ret=0
|
||||
n=$((n + 1))
|
||||
echo_i "check update-policy logs ($n)"
|
||||
update_policy_log ns1/named.run >policy.log.$n
|
||||
cat <<EOF >policy.expected.$n
|
||||
update-policy: using: signer=ddns-key.example.nil name=mx03.example.nil addr=10.53.0.1 tcp=0 type=MX target=
|
||||
update-policy: trying: grant zonesub-key.example.nil zonesub TXT
|
||||
update-policy: next rule: signer does not match identity
|
||||
update-policy: trying: grant ddns-key.example.nil subdomain example.nil ANY
|
||||
update-policy: matched: grant ddns-key.example.nil subdomain example.nil ANY
|
||||
EOF
|
||||
diff policy.expected.$n policy.log.$n || ret=1
|
||||
[ $ret = 0 ] || {
|
||||
echo_i "failed"
|
||||
status=1
|
||||
}
|
||||
|
||||
ret=0
|
||||
echo_i "ensure 'check-mx warn' allows adding MX records containing an address with a warning"
|
||||
nextpart ns1/named.run >/dev/null
|
||||
$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key >nsupdate.out 2>&1 <<END || ret=1
|
||||
update add mx03.other.nil 600 IN MX 10 10.53.0.1
|
||||
send
|
||||
@@ -284,6 +414,21 @@ grep "mx03.other.nil/MX:.*MX is an address" ns1/named.run >/dev/null 2>&1 || ret
|
||||
status=1
|
||||
}
|
||||
|
||||
ret=0
|
||||
n=$((n + 1))
|
||||
echo_i "check update-policy logs ($n)"
|
||||
update_policy_log ns1/named.run >policy.log.$n
|
||||
cat <<EOF >policy.expected.$n
|
||||
update-policy: using: signer=local-ddns name=mx03.other.nil addr=127.0.0.1 tcp=0 type=MX target=
|
||||
update-policy: trying: local
|
||||
update-policy: matched: local
|
||||
EOF
|
||||
diff policy.expected.$n policy.log.$n || ret=1
|
||||
[ $ret = 0 ] || {
|
||||
echo_i "failed"
|
||||
status=1
|
||||
}
|
||||
|
||||
ret=0
|
||||
echo_i "ensure 'check-mx fail' prevents adding MX records containing an address with a warning"
|
||||
$NSUPDATE >nsupdate.out 2>&1 <<END && ret=1
|
||||
@@ -665,6 +810,7 @@ fi
|
||||
n=$((n + 1))
|
||||
ret=0
|
||||
echo_i "check that 'update-policy local' works from localhost address ($n)"
|
||||
nextpart ns5/named.run >/dev/null
|
||||
$NSUPDATE -k ns5/session.key >nsupdate.out.$n 2>&1 <<END || ret=1
|
||||
server 10.53.0.5 ${PORT}
|
||||
local 127.0.0.1
|
||||
@@ -681,10 +827,26 @@ if test $ret -ne 0; then
|
||||
status=1
|
||||
fi
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check update-policy logs ($n)"
|
||||
ret=0
|
||||
update_policy_log ns5/named.run >policy.log.$n
|
||||
cat <<EOF >policy.expected.$n
|
||||
update-policy: using: signer=local-ddns name=fromlocal.local.nil addr=127.0.0.1 tcp=0 type=A target=
|
||||
update-policy: trying: local
|
||||
update-policy: matched: local
|
||||
EOF
|
||||
diff policy.expected.$n policy.log.$n || ret=1
|
||||
[ $ret = 0 ] || {
|
||||
echo_i "failed"
|
||||
status=1
|
||||
}
|
||||
|
||||
n=$((n + 1))
|
||||
ret=0
|
||||
echo_i "check that 'update-policy local' fails from non-localhost address ($n)"
|
||||
grep 'match on session key not from localhost' ns5/named.run >/dev/null && ret=1
|
||||
nextpart ns5/named.run >/dev/null
|
||||
$NSUPDATE -k ns5/session.key >nsupdate.out.$n 2>&1 <<END && ret=1
|
||||
server 10.53.0.5 ${PORT}
|
||||
local 10.53.0.1
|
||||
@@ -702,9 +864,26 @@ if test $ret -ne 0; then
|
||||
status=1
|
||||
fi
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check update-policy logs ($n)"
|
||||
ret=0
|
||||
update_policy_log ns5/named.run >policy.log.$n
|
||||
cat <<EOF >policy.expected.$n
|
||||
update-policy: using: signer=local-ddns name=nonlocal.local.nil addr=10.53.0.1 tcp=0 type=A target=
|
||||
update-policy: trying: local
|
||||
update-policy: next rule: address not local
|
||||
update-policy: no match found
|
||||
EOF
|
||||
diff policy.expected.$n policy.log.$n || ret=1
|
||||
[ $ret = 0 ] || {
|
||||
echo_i "failed"
|
||||
status=1
|
||||
}
|
||||
|
||||
n=$((n + 1))
|
||||
ret=0
|
||||
echo_i "check that 'update-policy tcp-self' refuses update of records via UDP ($n)"
|
||||
nextpart ns6/named.run >/dev/null
|
||||
$NSUPDATE >nsupdate.out.$n 2>&1 <<END && ret=1
|
||||
server 10.53.0.6 ${PORT}
|
||||
local 127.0.0.1
|
||||
@@ -721,9 +900,22 @@ if test $ret -ne 0; then
|
||||
status=1
|
||||
fi
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check update-policy logs ($n)"
|
||||
ret=0
|
||||
update_policy_log ns6/named.run >policy.log.$n
|
||||
cat <<EOF >policy.expected.$n
|
||||
EOF
|
||||
diff policy.expected.$n policy.log.$n || ret=1
|
||||
[ $ret = 0 ] || {
|
||||
echo_i "failed"
|
||||
status=1
|
||||
}
|
||||
|
||||
n=$((n + 1))
|
||||
ret=0
|
||||
echo_i "check that 'update-policy tcp-self' permits update of records for the client's own address via TCP ($n)"
|
||||
nextpart ns6/named.run >/dev/null
|
||||
$NSUPDATE -v >nsupdate.out.$n 2>&1 <<END || ret=1
|
||||
server 10.53.0.6 ${PORT}
|
||||
local 127.0.0.1
|
||||
@@ -741,8 +933,25 @@ if test $ret -ne 0; then
|
||||
fi
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check update-policy logs ($n)"
|
||||
ret=0
|
||||
update_policy_log ns6/named.run >policy.log.$n
|
||||
cat <<EOF >policy.expected.$n
|
||||
update-policy: using: signer= name=1.0.0.127.in-addr.arpa addr=127.0.0.1 tcp=1 type=PTR target=localhost
|
||||
update-policy: trying: grant * tcp-self . PTR(1) ANY(2) A
|
||||
update-policy: tcp-self=1.0.0.127.IN-ADDR.ARPA
|
||||
update-policy: matched: grant * tcp-self . PTR(1) ANY(2) A
|
||||
EOF
|
||||
diff policy.expected.$n policy.log.$n || ret=1
|
||||
[ $ret = 0 ] || {
|
||||
echo_i "failed"
|
||||
status=1
|
||||
}
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check that 'update-policy tcp-self' refuses update of records for a different address from the client's own address via TCP ($n)"
|
||||
ret=0
|
||||
nextpart ns6/named.run >/dev/null
|
||||
$NSUPDATE -v >nsupdate.out.$n 2>&1 <<END && ret=1
|
||||
server 10.53.0.6 ${PORT}
|
||||
local 127.0.0.1
|
||||
@@ -759,9 +968,27 @@ if test $ret -ne 0; then
|
||||
status=1
|
||||
fi
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check update-policy logs ($n)"
|
||||
ret=0
|
||||
update_policy_log ns6/named.run >policy.log.$n
|
||||
cat <<EOF >policy.expected.$n
|
||||
update-policy: using: signer= name=1.0.168.192.in-addr.arpa addr=127.0.0.1 tcp=1 type=PTR target=localhost
|
||||
update-policy: trying: grant * tcp-self . PTR(1) ANY(2) A
|
||||
update-policy: tcp-self=1.0.0.127.IN-ADDR.ARPA
|
||||
update-policy: next rule: tcp-self name does not match record name
|
||||
update-policy: no match found
|
||||
EOF
|
||||
diff policy.expected.$n policy.log.$n || ret=1
|
||||
[ $ret = 0 ] || {
|
||||
echo_i "failed"
|
||||
status=1
|
||||
}
|
||||
|
||||
n=$((n + 1))
|
||||
ret=0
|
||||
echo_i "check that 'update-policy 6to4-self' refuses update of records via UDP over IPv4 ($n)"
|
||||
nextpart ns6/named.run >/dev/null
|
||||
REVERSE_NAME=6.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa
|
||||
$NSUPDATE >nsupdate.out.$n 2>&1 <<END && ret=1
|
||||
server 10.53.0.6 ${PORT}
|
||||
@@ -780,9 +1007,22 @@ if test $ret -ne 0; then
|
||||
status=1
|
||||
fi
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check update-policy logs ($n)"
|
||||
ret=0
|
||||
update_policy_log ns6/named.run >policy.log.$n
|
||||
cat <<EOF >policy.expected.$n
|
||||
EOF
|
||||
diff policy.expected.$n policy.log.$n || ret=1
|
||||
[ $ret = 0 ] || {
|
||||
echo_i "failed"
|
||||
status=1
|
||||
}
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check that 'update-policy 6to4-self' permits update of records for the client's own address via TCP over IPv4 ($n)"
|
||||
ret=0
|
||||
nextpart ns6/named.run >/dev/null
|
||||
REVERSE_NAME=6.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa
|
||||
$NSUPDATE -v >nsupdate.out.$n 2>&1 <<END || ret=1
|
||||
server 10.53.0.6 ${PORT}
|
||||
@@ -802,8 +1042,25 @@ if test $ret -ne 0; then
|
||||
fi
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check update-policy logs ($n)"
|
||||
ret=0
|
||||
update_policy_log ns6/named.run >policy.log.$n
|
||||
cat <<EOF >policy.expected.$n
|
||||
update-policy: using: signer= name=6.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa addr=10.53.0.6 tcp=1 type=NS target=
|
||||
update-policy: trying: grant * 6to4-self . NS(10) DS(4)
|
||||
update-policy: 6to4-self=6.0.0.0.5.3.a.0.2.0.0.2.IP6.ARPA
|
||||
update-policy: matched: grant * 6to4-self . NS(10) DS(4)
|
||||
EOF
|
||||
diff policy.expected.$n policy.log.$n || ret=1
|
||||
[ $ret = 0 ] || {
|
||||
echo_i "failed"
|
||||
status=1
|
||||
}
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check that 'update-policy 6to4-self' refuses update of records via UDP over IPv6 ($n)"
|
||||
ret=0
|
||||
nextpart ns6/named.run >/dev/null
|
||||
REVERSE_NAME=7.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa
|
||||
$NSUPDATE >nsupdate.out.$n 2>&1 <<END && ret=1
|
||||
server fd92:7065:b8e:ffff::6 ${PORT}
|
||||
@@ -822,9 +1079,22 @@ if test $ret -ne 0; then
|
||||
status=1
|
||||
fi
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check update-policy logs ($n)"
|
||||
ret=0
|
||||
update_policy_log ns6/named.run >policy.log.$n
|
||||
cat <<EOF >policy.expected.$n
|
||||
EOF
|
||||
diff policy.expected.$n policy.log.$n || ret=1
|
||||
[ $ret = 0 ] || {
|
||||
echo_i "failed"
|
||||
status=1
|
||||
}
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check that 'update-policy 6to4-self' permits update of records for the client's own address via TCP over IPv6 ($n)"
|
||||
ret=0
|
||||
nextpart ns6/named.run >/dev/null
|
||||
REVERSE_NAME=7.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa
|
||||
$NSUPDATE -v >nsupdate.out.$n 2>&1 <<END || ret=1
|
||||
server fd92:7065:b8e:ffff::6 ${PORT}
|
||||
@@ -843,6 +1113,21 @@ if test $ret -ne 0; then
|
||||
status=1
|
||||
fi
|
||||
|
||||
echo_i "check update-policy logs ($n)"
|
||||
ret=0
|
||||
update_policy_log ns6/named.run >policy.log.$n
|
||||
cat <<EOF >policy.expected.$n
|
||||
update-policy: using: signer= name=7.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa addr=2002:a35:7::1 tcp=1 type=NS target=
|
||||
update-policy: trying: grant * 6to4-self . NS(10) DS(4)
|
||||
update-policy: 6to4-self=7.0.0.0.5.3.a.0.2.0.0.2.IP6.ARPA
|
||||
update-policy: matched: grant * 6to4-self . NS(10) DS(4)
|
||||
EOF
|
||||
diff policy.expected.$n policy.log.$n || ret=1
|
||||
[ $ret = 0 ] || {
|
||||
echo_i "failed"
|
||||
status=1
|
||||
}
|
||||
|
||||
n=$((n + 1))
|
||||
ret=0
|
||||
echo_i "check that 'update-policy subdomain' is properly enforced ($n)"
|
||||
|
||||
Reference in New Issue
Block a user