From 0dd9610c9a16cc25ecc2d782d61c270d4239417a Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Fri, 8 Aug 2025 12:24:47 +0000
Subject: [PATCH] Test the new 'servfail-until-ready' option

Test whether 'servfail-until-ready yes' works by enabling slow RPZ loading with a USDT probe activation, and checking that named returns SERVFAIL during the initial RPZ zones processing stage.

The test requires SystemTap (stap, dtrace) to activate the USDT probe.
---
 bin/tests/system/rpz/ns3/named.conf.in | 8 ++++++++
 bin/tests/system/rpz/ns3/slow-rpz.db.in | 16 ++++++++++++++++
 bin/tests/system/rpz/setup.sh | 3 +++
 bin/tests/system/rpz/tests.sh | 23 +++++++++++++++++++++++
 bin/tests/system/rpz/tests_sh_rpz.py | 1 +
 5 files changed, 51 insertions(+)
 create mode 100644 bin/tests/system/rpz/ns3/slow-rpz.db.in

diff --git a/bin/tests/system/rpz/ns3/named.conf.in b/bin/tests/system/rpz/ns3/named.conf.in
index 66f65fc130..40fff06188 100644
--- a/bin/tests/system/rpz/ns3/named.conf.in
+++ b/bin/tests/system/rpz/ns3/named.conf.in
@@ -53,6 +53,7 @@ options {
 zone "mixed-case-rpz";
 zone "evil-cname" policy cname a12.tld2. ede blocked;
 zone "wild-cname" ede blocked;
+ zone "slow-rpz";
 }
 add-soa yes
 min-ns-dots 0
@@ -60,6 +61,7 @@ options {
 min-update-interval 0
 nsdname-enable yes
 nsip-enable yes
+ servfail-until-ready yes
 ;
 also-notify { 10.53.0.3 port @EXTRAPORT1@; };
 
@@ -125,6 +127,12 @@ zone "mixed-case-rpz." {
 notify no;
 };
 
+zone "slow-rpz." {
+ type primary;
+ file "slow-rpz.db";
+ notify no;
+};
+
 zone "fast-expire." {
 type secondary;
 file "fast-expire.db";
diff --git a/bin/tests/system/rpz/ns3/slow-rpz.db.in b/bin/tests/system/rpz/ns3/slow-rpz.db.in
new file mode 100644
index 0000000000..6cdf7fbe00
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/slow-rpz.db.in
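Review bot: `servfail-until-ready yes` is added to ns3's global response-policy options (second hunk), so it governs every ns3 check in tests.sh from the first start onward, not only the `-T rpzslow` restart this commit adds; any earlier check that queries ns3 before its normal, fast RPZ processing has finished would now get SERVFAIL instead of a policy answer. If that window is known to be covered by the harness's startup wait, it is worth saying so next to the option, e.g. `# exercised by the '-T rpzslow' restart at the end of tests.sh; normal loading is fast enough that earlier checks are unaffected`. Otherwise consider enabling it only for the restarted instance via a separate config variant, the way setup.sh already copies `ns5/expire.conf.in` for a special case. The enclosing `options { ... response-policy { ... }` block starts before the hunk.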
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ SOA mixed-case-rpz. hostmaster.ns.mixed-case-rpz. ( 1 3600 1200 604800 60 )
+ NS ns.tld3.
+
+$GENERATE 1-30 host$ CNAME .
diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh
index 6286cdd245..1cb027d9bf 100644
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
@@ -49,6 +49,9 @@ cp ns3/wild-cname.db.in ns3/wild-cname.db
 cp ns3/mixed-case-rpz-1.db.in ns3/mixed-case-rpz.db
 
+# a "big" zone (tested with a speical USDT probe enabled to slow down loading)
+cp ns3/slow-rpz.db.in ns3/slow-rpz.db
+
 # a zone that expires quickly and then can't be refreshed
 cp ns5/fast-expire.db.in ns5/fast-expire.db
 cp ns5/expire.conf.in ns5/expire.conf
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index 36c10ca95e..a09f04d871 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -31,6 +31,8 @@ ns10=$ns.10 # authoritative server
 
 HAVE_CORE=
 
+NS_PARAMS="-m record -c named.conf -d 99 -g"
+
 status=0
 t=0
 
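Review bot: The SOA MNAME `mixed-case-rpz.` and RNAME `hostmaster.ns.mixed-case-rpz.` in the new slow-rpz zone appear copied from mixed-case-rpz.db and name a different policy zone; this is harmless for loading, but `@ SOA ns.slow-rpz. hostmaster.slow-rpz. ( 1 3600 1200 604800 60 )` would stop a reader assuming the two zones are related. The record count also matters outside this file: tests.sh relies on these 30 CNAME rules taking roughly 3 s to process under `-T rpzslow`, so a comment above the `$GENERATE` line such as `; 30 rules: with '-T rpzslow' (100 ms per rule) RPZ processing takes ~3 s; the servfail-until-ready checks in tests.sh depend on this` would keep the two from drifting apart.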
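Review bot: The new setup.sh comment has a typo (`speical`) and does not say which check depends on the zone, which is the one thing a maintainer cleaning up unused fixtures would want; suggest `# a "big" RPZ zone, loaded slowly under '-T rpzslow' (servfail-until-ready checks in tests.sh)`.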
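Review bot: `NS_PARAMS` hard-codes what looks like a copy of the harness's default named arguments so that `-T rpzslow` can be appended on restart; if those defaults change in the harness, the restarted ns3 will silently run with different flags than its first start and the two halves of the test will no longer compare like with like. A comment naming the origin would at least make the coupling visible, e.g. `# named options the harness passes by default; repeated here so extra '-T' options can be added on restart`. If the harness exposes these defaults (for example through a named.args file), reading them from there instead would remove the duplication.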
@@ -831,4 +833,25 @@ $RNDCCMD $ns6 flush
 $DIG a7-2.tld2s -p ${PORT} @$ns6 +cd >dig.out.${t} || setret "failed"
 grep -w "1.1.1.1" dig.out.${t} >/dev/null || setret "failed"
 
+t=$((t + 1))
+echo_i "checking that 'servfail-until-ready yes' works (part 1) (${t})"
+# Restart ns3 with '-T rpzslow'
+stop_server ns3
+nextpart ns3/named.run >/dev/null
+start_server --noclean --restart --port ${PORT} ns3 -- "-D rpz-ns3 $NS_PARAMS -T rpzslow"
+wait_for_log 10 "all zones loaded" ns3/named.run
+# Just any query that is expected to success normally, but should return
+# SERVFAIL because RPZ is still processing.
+$DIG tld2. NS -p ${PORT} @$ns3 >dig.out.${t} || setret "failed"
+grep "status: SERVFAIL" dig.out.${t} >/dev/null || setret "failed"
+
+t=$((t + 1))
+echo_i "checking that 'servfail-until-ready yes' works (part 2) (${t})"
+# The 'slow-rpz.' zone has 30 records (RPZ rules), and '-T rpzslow' forces a
+# 100ms delay for each rule. Wait enough time for processing to finish.
+wait_for_log 10 "slow-rpz: reload done" ns3/named.run
+# Now the same request as in the previous test should return NOERROR
+$DIG tld2. NS -p ${PORT} @$ns3 >dig.out.${t} || setret "failed"
+grep "status: NOERROR" dig.out.${t} >/dev/null || setret "failed"
+
 [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/rpz/tests_sh_rpz.py b/bin/tests/system/rpz/tests_sh_rpz.py
index 26eef24d18..ad0548a033 100644
--- a/bin/tests/system/rpz/tests_sh_rpz.py
+++ b/bin/tests/system/rpz/tests_sh_rpz.py
@@ -42,6 +42,7 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns3/mixed-case-rpz.db",
 "ns3/named.conf.tmp",
 "ns3/named.stats",
+ "ns3/slow-rpz.db",
 "ns3/wild-cname.db",
 "ns5/bl.db",
 "ns5/empty.db",
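Review bot: Part 1 asserts `status: SERVFAIL` without first checking that the slow-loading mechanism is actually active: the commit message says the delay depends on a USDT probe and SystemTap, so on a build or host without them `-T rpzslow` presumably has no effect, the 30 rules load immediately, and the check reports a genuine failure instead of a skip. Gate both parts on a feature check (or skip them when USDT/stap support is absent) and record that in the test, e.g. `# requires USDT/SystemTap to slow RPZ loading; skipped otherwise`. The timing margin is also thin: 30 rules x 100 ms gives about 3 s of processing, and the query is only sent after `wait_for_log` observes "all zones loaded", which on a loaded CI host can consume a visible part of that window, so a larger `$GENERATE` range or per-rule delay would make part 1 less prone to false failures. Minor: `expected to success` should read `expected to succeed`.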