diff --git a/CHANGES b/CHANGES index 4cd7125642..338948dc8b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +3541. [bug] The parts if libdns was not being properly initialized + in when built in libexport mode. [RT #33028] + 3540. [bug] libt_api: t_info and t_assert were not thread safe. 3539. [port] win32: timestamp format didn't match other platforms. diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index 17e60a9104..9e8b6944f2 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -53,6 +53,7 @@ PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p 1234" JOURNALPRINT=$TOP/bin/tools/named-journalprint VERIFY=$TOP/bin/dnssec/dnssec-verify ARPANAME=$TOP/bin/tools/arpaname +SAMPLE=$TOP/lib/export/samples/sample # The "stress" test is not run by default since it creates enough # load on the machine to make it unusable to other users. diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh index d53692e44c..f188ad461e 100644 --- a/bin/tests/system/dnssec/clean.sh +++ b/bin/tests/system/dnssec/clean.sh @@ -31,6 +31,7 @@ rm -f ns2/single-nsec3.db rm -f ns2/nsec3chain-test.db rm -f */example.bk rm -f dig.out.* +rm -f sample.out* rm -f random.data rm -f ns2/dlv.db rm -f ns3/multiple.example.db ns3/nsec3-unknown.example.db ns3/nsec3.example.db diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh index 36ee60668f..1dfd0c0c3d 100644 --- a/bin/tests/system/dnssec/ns1/sign.sh +++ b/bin/tests/system/dnssec/ns1/sign.sh @@ -73,3 +73,8 @@ cp managed.conf ../ns4/managed.conf keyid=`expr $keyname : 'K.+001+\(.*\)'` keyid=`expr $keyid + 0` echo "$keyid" > managed.key.id +cat $keyname.key | grep -v '^; ' | $PERL -n -e ' +local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split; +local $key = join("", @rest); +print "-a $alg -e -k $dn -K $key\n" +' > sample.key 
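Review bot: The perl one-liner added at the end of ns1/sign.sh splits `$flags` out of the DNSKEY record but never uses it, and always emits `-e`, so sample.key asserts the SEP property whatever the key file says. For the managed key generated here that is presumably right, but deriving it from the record keeps the file honest: `print "-a $alg ", (($flags & 1) ? "-e " : ""), "-k $dn -K $key\n"` (the SEP bit is the low-order flag bit). The `cat $keyname.key | grep -v '^; '` can also be `grep -v '^; ' $keyname.key`, and quoting `"$keyname.key"` avoids surprises if the key name ever contains glob characters.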
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index c1b102134b..35b2658556 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -28,6 +28,7 @@ n=1 rm -f dig.out.* DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300" +SAMPLEKEY=`cat ns1/sample.key` # convert private-type records to readable form showprivate () { @@ -133,6 +134,17 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -e ${SAMPLE} ] ; then + ret=0 + echo "I:checking postive validation NSEC using dns_client ($n)" + $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.example > sample.out$n || ret=1 + grep "a.example..*10.0.0.1" sample.out$n > /dev/null || ret=1 + grep "a.example..*.RRSIG.A 3 2 300 .*" sample.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking positive validation NSEC3 ($n)" ret=0 $DIG $DIGOPTS +noauth a.nsec3.example. \ @@ -145,6 +157,17 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -e ${SAMPLE} ] ; then + ret=0 + echo "I:checking positive validation NSEC3 using dns_client ($n)" + $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.nsec3.example > sample.out$n || ret=1 + grep "a.nsec3.example..*10.0.0.1" sample.out$n > /dev/null || ret=1 + grep "a.nsec3.example..*RRSIG.A 7 3 300.*" sample.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking positive validation OPTOUT ($n)" ret=0 $DIG $DIGOPTS +noauth a.optout.example. \ 
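Review bot: The progress line in hunk `@@ -133` misspells the test name: `echo "I:checking postive validation NSEC using dns_client ($n)"` should read `positive`, matching the NSEC3 and OPTOUT variants that follow. Two consistency points in the same set of hunks: the guard here is `[ -e ${SAMPLE} ]` while bin/tests/system/resolver/tests.sh uses `[ -x ${SAMPLE} ]`; `-x` is the better test, since a non-executable file at that path would otherwise turn every dns_client check in this script into a failure rather than a skip. `SAMPLEKEY=\`cat ns1/sample.key\`` in hunk `@@ -28` is also read unconditionally, so if ns1/sign.sh has not produced the file the cat error lands in the log and the later checks run without a trust anchor; reading it under the same guard, or only when the file exists, keeps the failure local and explicit.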
@@ -157,6 +180,17 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -e ${SAMPLE} ] ; then + ret=0 + echo "I:checking positive validation OPTOUT using dns_client ($n)" + $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.optout.example > sample.out$n || ret=1 + grep "a.optout.example..*10.0.0.1" sample.out$n > /dev/null || ret=1 + grep "a.optout.example..*RRSIG.A 7 3 300.*" sample.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking positive wildcard validation NSEC ($n)" ret=0 $DIG $DIGOPTS a.wild.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 @@ -168,6 +202,17 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -e ${SAMPLE} ] ; then + ret=0 + echo "I:checking positive wildcard validation NSEC using dns_client ($n)" + $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.wild.example > sample.out$n || ret=1 + grep "a.wild.example..*10.0.0.27" sample.out$n > /dev/null || ret=1 + grep "a.wild.example..*RRSIG.A 3 2 300.*" sample.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking positive wildcard answer NSEC3 ($n)" ret=0 $DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 @@ -179,9 +224,9 @@ status=`expr $status + $ret` echo "I:checking positive wildcard answer NSEC3 ($n)" ret=0 -$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -grep "AUTHORITY: 4," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +grep "AUTHORITY: 4," dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` 
@@ -197,6 +242,17 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -e ${SAMPLE} ] ; then + ret=0 + echo "I:checking positive wildcard validation NSEC3 using dns_client ($n)" + $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.wild.nsec3.example > sample.out$n || ret=1 + grep "a.wild.nsec3.example..*10.0.0.6" sample.out$n > /dev/null || ret=1 + grep "a.wild.nsec3.example..*RRSIG.A 7 3 300.*" sample.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking positive wildcard validation OPTOUT ($n)" ret=0 $DIG $DIGOPTS a.wild.optout.example. \ @@ -210,6 +266,17 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -e ${SAMPLE} ] ; then + ret=0 + echo "I:checking positive wildcard validation OPTOUT using dns_client ($n)" + $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.wild.optout.example > sample.out$n || ret=1 + grep "a.wild.optout.example..*10.0.0.6" sample.out$n > /dev/null || ret=1 + grep "a.wild.optout.example..*RRSIG.A 7 3 300.*" sample.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking negative validation NXDOMAIN NSEC ($n)" ret=0 $DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 @@ -221,6 +288,16 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -e ${SAMPLE} ] ; then + ret=0 + echo "I:checking negative validation NXDOMAIN NSEC using dns_client ($n)" + $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 q.example > /dev/null 2> sample.out$n || ret=1 + grep "resolution failed: ncache nxdomain" sample.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking negative validation NXDOMAIN NSEC3 ($n)" ret=0 $DIG $DIGOPTS +noauth q.nsec3.example. \ 
@@ -234,6 +311,16 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -e ${SAMPLE} ] ; then + ret=0 + echo "I:checking negative validation NXDOMAIN NSEC3 using dns_client ($n)" + $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 q.nsec3.example > /dev/null 2> sample.out$n || ret=1 + grep "resolution failed: ncache nxdomain" sample.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking negative validation NXDOMAIN OPTOUT ($n)" ret=0 $DIG $DIGOPTS +noauth q.optout.example. \ @@ -248,6 +335,16 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -e ${SAMPLE} ] ; then + ret=0 + echo "I:checking negative validation NXDOMAIN OPTOUT using dns_client ($n)" + $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 q.optout.example > /dev/null 2> sample.out$n || ret=1 + grep "resolution failed: ncache nxdomain" sample.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking negative validation NODATA NSEC ($n)" ret=0 $DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 @@ -260,6 +357,16 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -e ${SAMPLE} ] ; then + ret=0 + echo "I:checking negative validation NODATA OPTOUT using dns_client ($n)" + $SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 a.example > /dev/null 2> sample.out$n || ret=1 + grep "resolution failed: ncache nxrrset" sample.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking negative validation NODATA NSEC3 ($n)" ret=0 $DIG $DIGOPTS +noauth a.nsec3.example. \ 
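Review bot: The label in hunk `@@ -260` does not match what is queried: the dns_client block following the "NODATA NSEC" dig check asks for `a.example` TXT, which is the NSEC case, yet it prints `I:checking negative validation NODATA OPTOUT using dns_client ($n)`. The genuine OPTOUT variant appears in the next hunk (`@@ -288`, querying `a.optout.example`) with the identical label, so a failure in either would be ambiguous in the log. `echo "I:checking negative validation NODATA NSEC using dns_client ($n)"` is presumably what was intended here.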
@@ -274,6 +381,16 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -e ${SAMPLE} ] ; then + ret=0 + echo "I:checking negative validation NODATA NSEC3 using dns_client ($n)" + $SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 a.nsec3.example > /dev/null 2> sample.out$n || ret=1 + grep "resolution failed: ncache nxrrset" sample.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking negative validation NODATA OPTOUT ($n)" ret=0 $DIG $DIGOPTS +noauth a.optout.example. \ @@ -288,6 +405,16 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -e ${SAMPLE} ] ; then + ret=0 + echo "I:checking negative validation NODATA OPTOUT using dns_client ($n)" + $SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 a.optout.example > /dev/null 2> sample.out$n || ret=1 + grep "resolution failed: ncache nxrrset" sample.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking negative wildcard validation NSEC ($n)" ret=0 $DIG $DIGOPTS b.wild.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 @@ -299,6 +426,16 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -e ${SAMPLE} ] ; then + ret=0 + echo "I:checking negative wildcard validation NSEC using dns_client ($n)" + $SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 b.wild.example > /dev/null 2> sample.out$n || ret=1 + grep "resolution failed: ncache nxrrset" sample.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking negative wildcard validation NSEC3 ($n)" ret=0 $DIG $DIGOPTS b.wild.nsec3.example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 
@@ -309,6 +446,16 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -e ${SAMPLE} ] ; then + ret=0 + echo "I:checking negative wildcard validation NSEC3 using dns_client ($n)" + $SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 b.wild.nsec3.example > /dev/null 2> sample.out$n || ret=1 + grep "resolution failed: ncache nxrrset" sample.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking negative wildcard validation OPTOUT ($n)" ret=0 $DIG $DIGOPTS b.wild.optout.example. \ @@ -323,6 +470,16 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -e ${SAMPLE} ] ; then + ret=0 + echo "I:checking negative wildcard validation OPTOUT using dns_client ($n)" + $SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 b.optout.nsec3.example > /dev/null 2> sample.out$n || ret=1 + grep "resolution failed: ncache nxrrset" sample.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + # Check the insecure.example domain echo "I:checking 1-server insecurity proof NSEC ($n)" @@ -337,6 +494,16 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -e ${SAMPLE} ] ; then + ret=0 + echo "I:checking 1-server insecurity proof NSEC using dns_client ($n)" + $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.insecure.example > sample.out$n || ret=1 + grep "a.insecure.example..*10.0.0.1" sample.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking 1-server insecurity proof NSEC3 ($n)" ret=0 $DIG $DIGOPTS +noauth a.insecure.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 
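Review bot: The query name in hunk `@@ -323` looks like a copy error: the dig check it mirrors asks for `b.wild.optout.example.` TXT, but the dns_client check asks for `b.optout.nsec3.example`, a name the "negative wildcard validation OPTOUT" label does not describe. If that name does not exist the resolver would report `ncache nxdomain` rather than the expected `ncache nxrrset`, so the check fails for the wrong reason rather than exercising the wildcard NODATA path; `$SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 b.wild.optout.example > /dev/null 2> sample.out$n || ret=1` is presumably what was meant. Worth confirming against the zone data, which is outside this diff.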
@@ -349,6 +516,16 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -e ${SAMPLE} ] ; then + ret=0 + echo "I:checking 1-server insecurity proof NSEC3 using dns_client ($n)" + $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.insecure.nsec3.example > sample.out$n || ret=1 + grep "a.insecure.nsec3.example..*10.0.0.1" sample.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking 1-server insecurity proof OPTOUT ($n)" ret=0 $DIG $DIGOPTS +noauth a.insecure.optout.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 @@ -361,6 +538,16 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -e ${SAMPLE} ] ; then + ret=0 + echo "I:checking 1-server insecurity proof OPTOUT using dns_client ($n)" + $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.insecure.optout.example > sample.out$n || ret=1 + grep "a.insecure.optout.example..*10.0.0.1" sample.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking 1-server negative insecurity proof NSEC ($n)" ret=0 $DIG $DIGOPTS q.insecure.example. a @10.53.0.3 \ @@ -375,6 +562,16 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -e ${SAMPLE} ] ; then + ret=0 + echo "I:checking 1-server negative insecurity proof NSEC using dns_client ($n)" + $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 q.insecure.example > /dev/null 2> sample.out$n || ret=1 + grep "resolution failed: ncache nxdomain" sample.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking 1-server negative insecurity proof NSEC3 ($n)" ret=0 $DIG $DIGOPTS q.insecure.nsec3.example. a @10.53.0.3 \ 
@@ -389,6 +586,16 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -e ${SAMPLE} ] ; then + ret=0 + echo "I:checking 1-server negative insecurity proof NSEC3 using dns_client ($n)" + $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 q.insecure.nsec3.example > /dev/null 2> sample.out$n || ret=1 + grep "resolution failed: ncache nxdomain" sample.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking 1-server negative insecurity proof OPTOUT ($n)" ret=0 $DIG $DIGOPTS q.insecure.optout.example. a @10.53.0.3 \ @@ -403,6 +610,16 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -e ${SAMPLE} ] ; then + ret=0 + echo "I:checking 1-server negative insecurity proof OPTOUT using dns_client ($n)" + $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 q.insecure.optout.example > /dev/null 2> sample.out$n || ret=1 + grep "resolution failed: ncache nxdomain" sample.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking 1-server negative insecurity proof with SOA hack NSEC ($n)" ret=0 $DIG $DIGOPTS r.insecure.example. soa @10.53.0.3 \ @@ -590,6 +807,16 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -e ${SAMPLE} ] ; then + ret=0 + echo "I:checking failed validation using dns_client ($n)" + $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.bogus.example > /dev/null 2> sample.out$n || ret=1 + grep "resolution failed: no valid RRSIG" sample.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + # Try validating with a bad trusted key. # This should fail. 
@@ -625,6 +852,16 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -e ${SAMPLE} ] ; then + ret=0 + echo "I:checking that validation fails when key record is missing using dns_client ($n)" + $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.b.keyless.example > /dev/null 2> sample.out$n || ret=1 + grep "resolution failed: broken trust chain" sample.out$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:Checking that a bad CNAME signature is caught after a +CD query ($n)" ret=0 #prime @@ -1814,7 +2051,7 @@ echo "I:testing legacy upper case signer name validation ($n)" ret=0 $DIG +tcp +dnssec -p 5300 +noadd +noauth soa upper.example @10.53.0.4 \ > dig.out.ns4.test$n 2>&1 -grep 'flags:.* ad;' dig.out.ns4.test$n >/dev/null || ret=1 +grep 'flags:.* ad;' dig.out.ns4.test$n > /dev/null || ret=1 grep 'RRSIG.*SOA.* UPPER\.EXAMPLE\. ' dig.out.ns4.test$n > /dev/null || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi @@ -1824,7 +2061,7 @@ echo "I:testing that we lower case signer name ($n)" ret=0 $DIG +tcp +dnssec -p 5300 +noadd +noauth soa LOWER.EXAMPLE @10.53.0.4 \ > dig.out.ns4.test$n 2>&1 -grep 'flags:.* ad;' dig.out.ns4.test$n >/dev/null || ret=1 +grep 'flags:.* ad;' dig.out.ns4.test$n > /dev/null || ret=1 grep 'RRSIG.*SOA.* lower\.example\. ' dig.out.ns4.test$n > /dev/null || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi diff --git a/bin/tests/system/resolver/clean.sh b/bin/tests/system/resolver/clean.sh index a3a28aff06..297e513831 100644 --- a/bin/tests/system/resolver/clean.sh +++ b/bin/tests/system/resolver/clean.sh @@ -31,3 +31,4 @@ rm -f ns6/dsset-example.net. ns6/example.net.db.signed.jnl rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl rm -f ns7/server.db ns7/server.db.jnl rm -f random.data +rm -f sample.out 
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh index a803916577..b9ff68abc1 100644 --- a/bin/tests/system/resolver/tests.sh +++ b/bin/tests/system/resolver/tests.sh @@ -30,17 +30,44 @@ grep "status: NXDOMAIN" dig.out > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -x ${SAMPLE} ] ; then +echo "I:checking non-cachable NXDOMAIN response handling using dns_client" + ret=0 + ${SAMPLE} -p 5300 -t a 10.53.0.1 nxdomain.example.net 2> sample.out || ret=1 + grep "resolution failed: ncache nxdomain" sample.out > /dev/null || ret=1 + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking non-cachable NODATA response handling" ret=0 $DIG +tcp nodata.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1 grep "status: NOERROR" dig.out > /dev/null || ret=1 - if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` + +if [ -x ${SAMPLE} ] ; then + echo "I:checking non-cachable NODATA response handling using dns_client" + ret=0 + ${SAMPLE} -p 5300 -t a 10.53.0.1 nodata.example.net 2> sample.out || ret=1 + grep "resolution failed: ncache nxrrset" sample.out > /dev/null || ret=1 + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking handling of bogus referrals" # If the server has the "INSIST(!external)" bug, this query will kill it. $DIG +tcp www.example.com. a @10.53.0.1 -p 5300 >/dev/null || status=1 +if [ -x ${SAMPLE} ] ; then + echo "I:checking handling of bogus referrals using dns_client" + ret=0 + ${SAMPLE} -p 5300 -t a 10.53.0.1 www.example.com 2> sample.out || ret=1 + grep "resolution failed: failure" sample.out > /dev/null || ret=1 + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:check handling of cname + other data / 1" $DIG +tcp cname1.example.com. a @10.53.0.1 -p 5300 >/dev/null || status=1 
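Review bot: The first dns_client block in hunk `@@ -30` (non-cachable NXDOMAIN) leaves its `echo` at column 0 inside the `if [ -x ${SAMPLE} ]` body, while every other block added to this file indents it; `  echo "I:checking non-cachable NXDOMAIN response handling using dns_client"` keeps the layout uniform. The same hunk also removes the blank line between the NODATA `grep` and its `if [ $ret != 0 ]`, which appears unrelated to the change and could be dropped from the commit.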
@@ -71,6 +98,16 @@ grep "status: NOERROR" dig.out > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` + +if [ -x ${SAMPLE} ] ; then + echo "I:checking answer IPv4 address filtering using dns_client (accept)" + ret=0 + ${SAMPLE} -p 5300 -t a 10.53.0.1 www.example.org > sample.out || ret=1 + grep "www.example.org..*.192.0.2.1" sample.out > /dev/null || ret=1 + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking answer IPv6 address filtering (accept)" ret=0 $DIG +tcp www.example.org @10.53.0.1 aaaa -p 5300 > dig.out || ret=1 @@ -78,6 +115,15 @@ grep "status: NOERROR" dig.out > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -x ${SAMPLE} ] ; then + echo "I:checking answer IPv6 address filtering using dns_client (accept)" + ret=0 + ${SAMPLE} -p 5300 -t aaaa 10.53.0.1 www.example.org > sample.out || ret=1 + grep "www.example.org..*.2001:db8:beef::1" sample.out > /dev/null || ret=1 + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking CNAME target filtering (deny)" ret=0 $DIG +tcp badcname.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1 @@ -92,6 +138,16 @@ grep "status: NOERROR" dig.out > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -x ${SAMPLE} ] ; then + echo "I:checking CNAME target filtering using dns_client (accept)" + ret=0 + ${SAMPLE} -p 5300 -t a 10.53.0.1 goodcname.example.net > sample.out || ret=1 + grep "goodcname.example.net..*.goodcname.example.org." sample.out > /dev/null || ret=1 + grep "goodcname.example.org..*.192.0.2.1" sample.out > /dev/null || ret=1 + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking CNAME target filtering (accept due to subdomain)" ret=0 $DIG +tcp cname.sub.example.org @10.53.0.1 a -p 5300 > dig.out || ret=1 
@@ -99,6 +155,16 @@ grep "status: NOERROR" dig.out > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -x ${SAMPLE} ] ; then + echo "I:checking CNAME target filtering using dns_client (accept due to subdomain)" + ret=0 + ${SAMPLE} -p 5300 -t a 10.53.0.1 cname.sub.example.org > sample.out || ret=1 + grep "cname.sub.example.org..*.ok.sub.example.org." sample.out > /dev/null || ret=1 + grep "ok.sub.example.org..*.192.0.2.1" sample.out > /dev/null || ret=1 + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking DNAME target filtering (deny)" ret=0 $DIG +tcp foo.baddname.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1 @@ -113,6 +179,16 @@ grep "status: NOERROR" dig.out > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -x ${SAMPLE} ] ; then + echo "I:checking DNAME target filtering using dns_client (accept)" + ret=0 + ${SAMPLE} -p 5300 -t a 10.53.0.1 foo.gooddname.example.net > sample.out || ret=1 + grep "foo.gooddname.example.net..*.gooddname.example.org" sample.out > /dev/null || ret=1 + grep "foo.gooddname.example.org..*.192.0.2.1" sample.out > /dev/null || ret=1 + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:checking DNAME target filtering (accept due to subdomain)" ret=0 $DIG +tcp www.dname.sub.example.org @10.53.0.1 a -p 5300 > dig.out || ret=1 
@@ -120,6 +196,16 @@ grep "status: NOERROR" dig.out > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +if [ -x ${SAMPLE} ] ; then + echo "I:checking DNAME target filtering using dns_client (accept due to subdomain)" + ret=0 + ${SAMPLE} -p 5300 -t a 10.53.0.1 www.dname.sub.example.org > sample.out || ret=1 + grep "www.dname.sub.example.org..*.ok.sub.example.org." sample.out > /dev/null || ret=1 + grep "www.ok.sub.example.org..*.192.0.2.1" sample.out > /dev/null || ret=1 + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + n=`expr $n + 1` echo "I: RT21594 regression test check setup ($n)" ret=0 diff --git a/lib/dns/adb.c b/lib/dns/adb.c index 8c10f99be1..d07ce03470 100644 --- a/lib/dns/adb.c +++ b/lib/dns/adb.c @@ -2369,7 +2369,8 @@ destroy(dns_adb_t *adb) { adb->magic = 0; isc_task_detach(&adb->task); - isc_task_detach(&adb->excl); + if (adb->excl != NULL) + isc_task_detach(&adb->excl); isc_mempool_destroy(&adb->nmp); isc_mempool_destroy(&adb->nhmp); diff --git a/lib/dns/client.c b/lib/dns/client.c index 7af3e330f0..4a28178249 100644 --- a/lib/dns/client.c +++ b/lib/dns/client.c @@ -354,6 +354,12 @@ dns_client_create(dns_client_t **clientp, unsigned int options) { isc_taskmgr_t *taskmgr = NULL; isc_socketmgr_t *socketmgr = NULL; isc_timermgr_t *timermgr = NULL; +#if 0 + /* XXXMPA add debug logging support */ + isc_log_t *lctx = NULL; + isc_logconfig_t *logconfig = NULL; + unsigned int logdebuglevel = 0; +#endif result = isc_mem_create(0, 0, &mctx); if (result != ISC_R_SUCCESS) 
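Review bot: The `#if 0` block added to dns_client_create in this hunk, and its counterpart in the following `@@ -373` hunk, commit dead code: three unused locals and a logging setup that cannot run, with `logdebuglevel` fixed at 0 so `isc_log_setdebuglevel` would be a no-op even if enabled. If it is meant as a placeholder, a comment stating what is still needed to turn it on is more useful than the bare `/* XXXMPA add debug logging support */`; if not, it belongs in a branch rather than the tree. Note too that the disabled form jumps to `cleanup` after `isc_log_create` has succeeded, and the cleanup label (outside the hunk) presumably predates any log context, so enabling it as written would likely leak `lctx` on later failures.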
@@ -373,7 +379,18 @@ dns_client_create(dns_client_t **clientp, unsigned int options) { result = isc_timermgr_createinctx(mctx, actx, &timermgr); if (result != ISC_R_SUCCESS) goto cleanup; - +#if 0 + result = isc_log_create(mctx, &lctx, &logconfig); + if (result != ISC_R_SUCCESS) + goto cleanup; + isc_log_setcontext(lctx); + dns_log_init(lctx); + dns_log_setcontext(lctx); + result = isc_log_usechannel(logconfig, "default_debug", NULL, NULL); + if (result != ISC_R_SUCCESS) + goto cleanup; + isc_log_setdebuglevel(lctx, logdebuglevel); +#endif result = dns_client_createx(mctx, actx, taskmgr, socketmgr, timermgr, options, clientp); if (result != ISC_R_SUCCESS) @@ -485,6 +502,7 @@ dns_client_createx(isc_mem_t *mctx, isc_appctx_t *actx, isc_taskmgr_t *taskmgr, client->update_udpretries = DEF_UPDATE_UDPRETRIES; client->find_timeout = DEF_FIND_TIMEOUT; client->find_udpretries = DEF_FIND_UDPRETRIES; + client->attributes = 0; client->references = 1; client->magic = DNS_CLIENT_MAGIC; diff --git a/lib/dns/ecdb.c b/lib/dns/ecdb.c index 3dd469cbe7..91c9426565 100644 --- a/lib/dns/ecdb.c +++ b/lib/dns/ecdb.c @@ -80,8 +80,11 @@ typedef struct rdatasetheader { /* Copied from rbtdb.c */ #define RDATASET_ATTR_NXDOMAIN 0x0010 +#define RDATASET_ATTR_NEGATIVE 0x0100 #define NXDOMAIN(header) \ (((header)->attributes & RDATASET_ATTR_NXDOMAIN) != 0) +#define NEGATIVE(header) \ + (((header)->attributes & RDATASET_ATTR_NEGATIVE) != 0) static isc_result_t dns_ecdb_create(isc_mem_t *mctx, dns_name_t *origin, dns_dbtype_t type, @@ -406,6 +409,8 @@ bind_rdataset(dns_ecdb_t *ecdb, dns_ecdbnode_t *node, rdataset->trust = header->trust; if (NXDOMAIN(header)) rdataset->attributes |= DNS_RDATASETATTR_NXDOMAIN; + if (NEGATIVE(header)) + rdataset->attributes |= DNS_RDATASETATTR_NEGATIVE; rdataset->private1 = ecdb; rdataset->private2 = node; 
@@ -469,6 +474,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, header->attributes = 0; if ((rdataset->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0) header->attributes |= RDATASET_ATTR_NXDOMAIN; + if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) + header->attributes |= RDATASET_ATTR_NEGATIVE; ISC_LINK_INIT(header, link); ISC_LIST_APPEND(ecdbnode->rdatasets, header, link); diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 5c220b7b32..90cf907828 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -4432,6 +4432,14 @@ validated(isc_task_t *task, isc_event_t *event) { fctx->attributes |= FCTX_ATTR_HAVEANSWER; if (hevent != NULL) { + /* + * Negative results must be indicated in event->result. + */ + if (dns_rdataset_isassociated(hevent->rdataset) && + NEGATIVE(hevent->rdataset)) { + INSIST(eresult == DNS_R_NCACHENXDOMAIN || + eresult == DNS_R_NCACHENXRRSET); + } hevent->result = eresult; RUNTIME_CHECK(dns_name_copy(vevent->name, dns_fixedname_name(&hevent->foundname), NULL) diff --git a/lib/dns/validator.c b/lib/dns/validator.c index c1b71fedab..d04954a59c 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -974,9 +974,6 @@ view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) { if (dns_rdataset_isassociated(&val->fsigrdataset)) dns_rdataset_disassociate(&val->fsigrdataset); - if (val->view->zonetable == NULL) - return (ISC_R_CANCELED); - if (isc_time_now(&now) == ISC_R_SUCCESS && dns_resolver_getbadcache(val->view->resolver, name, type, &now)) { diff --git a/lib/dns/view.c b/lib/dns/view.c index dff4ae7323..fafacf3c31 100644 --- a/lib/dns/view.c +++ b/lib/dns/view.c @@ -100,8 +100,8 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, if (result != ISC_R_SUCCESS) goto cleanup_name; -#ifdef BIND9 view->zonetable = NULL; +#ifdef BIND9 result = dns_zt_create(mctx, rdclass, &view->zonetable); if (result != ISC_R_SUCCESS) { UNEXPECTED_ERROR(__FILE__, __LINE__, 
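Review bot: The new check in validated() turns a property of the rdataset attached to the fetch event into an `INSIST`, which terminates named if it ever fails; since both the rdataset and `eresult` derive from the response being validated, the comment should say why no upstream answer can reach this point with NEGATIVE set and a different result code. If that rests on local invariants only, extend the comment to name the code paths that set the flag and the results they pass, so the next reader can re-verify it; if it cannot be guaranteed, a logged failure path is safer than an assertion in a long-running resolver. The `NEGATIVE()` macro is not shown in the diff, so I assume it is the existing resolver.c helper; validated() continues outside the hunk.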
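Review bot: Removing the `val->view->zonetable == NULL` early return in view_find means validator lookups now proceed on views without a zone table (the libexport case), and the only consumer this commit hardens is dns_view_findzone in lib/dns/view.c; any other zonetable dereference reachable from view_find is outside the hunk and should be checked for the same NULL tolerance. Callers that previously saw ISC_R_CANCELED from this path now take the normal lookup path, which is the intent, but a one-line comment at the removal site such as `/* A NULL zonetable is handled in dns_view_findzone(). */` would record where the NULL case is now owned. view_find continues outside the hunk.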
@@ -232,6 +232,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, ISC_EVENT_INIT(&view->reqevent, sizeof(view->reqevent), 0, NULL, DNS_EVENT_VIEWREQSHUTDOWN, req_shutdown, view, NULL, NULL, NULL); + view->viewlist = NULL; view->magic = DNS_VIEW_MAGIC; *viewp = view; @@ -902,11 +903,14 @@ dns_view_findzone(dns_view_t *view, dns_name_t *name, dns_zone_t **zonep) { REQUIRE(DNS_VIEW_VALID(view)); - result = dns_zt_find(view->zonetable, name, 0, NULL, zonep); - if (result == DNS_R_PARTIALMATCH) { - dns_zone_detach(zonep); + if (view->zonetable != NULL) { + result = dns_zt_find(view->zonetable, name, 0, NULL, zonep); + if (result == DNS_R_PARTIALMATCH) { + dns_zone_detach(zonep); + result = ISC_R_NOTFOUND; + } + } else result = ISC_R_NOTFOUND; - } return (result); } diff --git a/lib/export/samples/sample.c b/lib/export/samples/sample.c index c7c542b1e5..4799d5ec45 100644 --- a/lib/export/samples/sample.c +++ b/lib/export/samples/sample.c @@ -172,7 +172,9 @@ set_key(dns_client_t *client, char *keynamestr, char *keystr, } static void -addserver(dns_client_t *client, const char *addrstr, const char *namespace) { +addserver(dns_client_t *client, const char *addrstr, const char *port, + const char *namespace) +{ struct addrinfo hints, *res; int gai_error; isc_sockaddr_t sa; @@ -188,7 +190,7 @@ addserver(dns_client_t *client, const char *addrstr, const char *namespace) { hints.ai_socktype = SOCK_DGRAM; hints.ai_protocol = IPPROTO_UDP; hints.ai_flags = AI_NUMERICHOST; - gai_error = getaddrinfo(addrstr, "53", &hints, &res); + gai_error = getaddrinfo(addrstr, port, &hints, &res); if (gai_error != 0) { fprintf(stderr, "getaddrinfo failed: %s\n", gai_strerror(gai_error)); 
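Review bot: The new `} else` in dns_view_findzone leaves its single statement unbraced after a braced `if` body, an asymmetry that invites a later edit to slip a statement outside the branch; `} else {` / `result = ISC_R_NOTFOUND;` / `}` keeps both arms the same shape. Behaviour is otherwise right: `*zonep` is untouched on the NULL-table path, so the caller sees ISC_R_NOTFOUND with whatever it passed in.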
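Review bot: `port` now reaches getaddrinfo as the service argument with only `AI_NUMERICHOST` in `hints.ai_flags`, so a non-numeric `-p` value triggers a service-name lookup instead of an immediate error. Since the tests only ever pass a numeric port (`-p 5300`), `hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;` would reject anything but digits at the same place the address is validated, where the platform provides that flag, and the existing `gai_strerror` path then reports it. The rest of addserver, including the `hints` initialisation, lies outside the hunk.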
@@ -245,8 +247,9 @@ main(int argc, char *argv[]) { isc_mem_t *keymctx = NULL; unsigned int clientopt, resopt; isc_boolean_t is_sep = ISC_FALSE; + const char *port = "53"; - while ((ch = getopt(argc, argv, "a:es:t:k:K:")) != -1) { + while ((ch = getopt(argc, argv, "a:es:t:k:K:p:")) != -1) { switch (ch) { case 't': tr.base = optarg; @@ -279,6 +282,9 @@ main(int argc, char *argv[]) { case 'K': keystr = optarg; break; + case 'p': + port = optarg; + break; default: usage(); } @@ -318,11 +324,11 @@ main(int argc, char *argv[]) { } /* Set the nameserver */ - addserver(client, argv[0], NULL); + addserver(client, argv[0], port, NULL); /* Set the alternate nameserver (when specified) */ if (altserver != NULL) - addserver(client, altserveraddr, altservername); + addserver(client, altserveraddr, port, altservername); /* Install DNSSEC key (if given) */ if (keynamestr != NULL) {
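Review bot: The new `-p` option in the getopt string and switch has no matching documentation: usage() is not touched by this change, so if it enumerates the options (it lies outside the hunks, so I cannot confirm) `-p port` needs adding there and in any header comment describing the sample's command line. The value is stored unchecked, which is acceptable because addserver hands it to getaddrinfo and reports failures, but a note at `case 'p':` such as `/* validated by getaddrinfo() in addserver() */` makes that ownership explicit; main() continues outside the last hunk.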