check 'update-policy 6to4-self' over IPv6

2025-08-31 06:25:31 +00:00 · 2024-06-07 13:28:48 +10:00
parent b28e5ff721
commit 3b0de4773b
10 changed files with 60 additions and 1 deletions
--- a/bin/tests/system/ifconfig.sh.in
+++ b/bin/tests/system/ifconfig.sh.in
@@ -21,6 +21,7 @@
 #       fd92:7065:b8e:99ff::{1..2}
 #       fd92:7065:b8e:ff::{1..2}
 #       fd92:7065:b8e:fffe::10.53.0.4
+#       2002:0a35:0007::1                       6to4 for 10.53.0.7
 #
 # We also set the MTU on the 1500 bytes to match the default MTU on physical
 # interfaces, so we can properly test the cases with packets bigger than
@@ -241,7 +242,7 @@ sequence() (
 max=11
 case $1 in
  start | up | stop | down)
-    for i in $(sequence 0 3); do
+    for i in $(sequence 0 4); do
      case $i in
        0) ipv6="ff" ;;
        1) ipv6="99" ;;
@@ -261,6 +262,11 @@ case $1 in
            a=
            aaaa=fd92:7065:b8e:fffe::10.53.0.$ns
            ;;
+          4)
+            [ $ns -ne 1 ] && continue
+            a=
+            aaaa=2002:0a35:0007::$ns
+            ;;
        esac
        case "$1" in
          start | up) up ;;
--- a/bin/tests/system/nsupdate/ns10/named.conf.in
+++ b/bin/tests/system/nsupdate/ns10/named.conf.in
@@ -21,6 +21,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.10; };
 	listen-on tls ephemeral { 10.53.0.10; };
+	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
 	minimal-responses no;
--- a/bin/tests/system/nsupdate/ns5/named.conf.in
+++ b/bin/tests/system/nsupdate/ns5/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	session-keyfile "session.key";
 	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
 	minimal-responses no;
--- a/bin/tests/system/nsupdate/ns6/named.conf.in
+++ b/bin/tests/system/nsupdate/ns6/named.conf.in
@@ -15,10 +15,14 @@ options {
 	query-source address 10.53.0.6;
 	notify-source 10.53.0.6;
 	transfer-source 10.53.0.6;
+	query-source-v6 address fd92:7065:b8e:ffff::6;
+	notify-source-v6 fd92:7065:b8e:ffff::6;
+	transfer-source-v6 fd92:7065:b8e:ffff::6;
 	port @PORT@;
 	pid-file "named.pid";
 	session-keyfile "session.key";
 	listen-on { 10.53.0.6; };
+	listen-on-v6 { fd92:7065:b8e:ffff::6; };
 	recursion no;
 	notify yes;
 	minimal-responses no;
--- a/bin/tests/system/nsupdate/ns7/named1.conf.in
+++ b/bin/tests/system/nsupdate/ns7/named1.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	session-keyfile "session.key";
 	listen-on { 10.53.0.7; };
+	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
 	minimal-responses no;
--- a/bin/tests/system/nsupdate/ns7/named2.conf.in
+++ b/bin/tests/system/nsupdate/ns7/named2.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	session-keyfile "session.key";
 	listen-on { 10.53.0.7; };
+	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
 	minimal-responses no;
--- a/bin/tests/system/nsupdate/ns8/named.conf.in
+++ b/bin/tests/system/nsupdate/ns8/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	session-keyfile "session.key";
 	listen-on { 10.53.0.8; };
+	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
 	minimal-responses no;
--- a/bin/tests/system/nsupdate/ns9/named.conf.in
+++ b/bin/tests/system/nsupdate/ns9/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	session-keyfile "session.key";
 	listen-on { 10.53.0.9; };
+	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
 	minimal-responses no;
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -801,6 +801,48 @@ if test $ret -ne 0; then
  status=1
 fi

+n=$((n + 1))
+ret=0
+echo_i "check that 'update-policy 6to4-self' refuses update of records via UDP over IPv6 ($n)"
+REVERSE_NAME=7.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa
+$NSUPDATE >nsupdate.out.$n 2>&1 <<END && ret=1
+server fd92:7065:b8e:ffff::6 ${PORT}
+local 2002:a35:7::1
+zone 2.0.0.2.ip6.arpa
+update add ${REVERSE_NAME} 600 NS localhost.
+send
+END
+grep REFUSED nsupdate.out.$n >/dev/null 2>&1 || ret=1
+$DIG $DIGOPTS @fd92:7065:b8e:ffff::6 \
+  +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+  $REVERSE_NAME NS >dig.out.ns6.$n
+grep localhost. dig.out.ns6.$n >/dev/null 2>&1 && ret=1
+if test $ret -ne 0; then
+  echo_i "failed"
+  status=1
+fi
+
+n=$((n + 1))
+echo_i "check that 'update-policy 6to4-self' permits update of records for the client's own address via TCP over IPv6 ($n)"
+ret=0
+REVERSE_NAME=7.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa
+$NSUPDATE -v >nsupdate.out.$n 2>&1 <<END || ret=1
+server fd92:7065:b8e:ffff::6 ${PORT}
+local 2002:a35:7::1
+zone 2.0.0.2.ip6.arpa
+update add ${REVERSE_NAME} 600 NS localhost.
+send
+END
+grep REFUSED nsupdate.out.$n >/dev/null 2>&1 && ret=1
+$DIG $DIGOPTS @fd92:7065:b8e:ffff::6 \
+  +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+  $REVERSE_NAME NS >dig.out.ns6.$n || ret=1
+grep localhost. dig.out.ns6.$n >/dev/null 2>&1 || ret=1
+if test $ret -ne 0; then
+  echo_i "failed"
+  status=1
+fi
+
 n=$((n + 1))
 ret=0
 echo_i "check that 'update-policy subdomain' is properly enforced ($n)"
--- a/bin/tests/system/org.isc.bind.system
+++ b/bin/tests/system/org.isc.bind.system
@@ -28,3 +28,4 @@ do
 	ifup 2 00 $ns
 done
 /sbin/ifconfig lo0 inet6 fd92:7065:b8e:fffe::10.53.0.4 alias
+/sbin/ifconfig lo0 inet6 2002:a35:7::1 alias