From b28e5ff72174ebc91f0247e22efa6177fa0ccfcc Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 5 Jun 2024 15:22:17 +1000 Subject: [PATCH] check 'update-policy 6to4-self' over IPv4 --- bin/tests/system/nsupdate/clean.sh | 1 + .../nsupdate/ns6/2.0.0.2.ip6.addr.db.in | 21 ++++++++++ bin/tests/system/nsupdate/ns6/named.conf.in | 6 +++ bin/tests/system/nsupdate/setup.sh | 1 + bin/tests/system/nsupdate/tests.sh | 42 +++++++++++++++++++ 5 files changed, 71 insertions(+) create mode 100644 bin/tests/system/nsupdate/ns6/2.0.0.2.ip6.addr.db.in
diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh
index 99f3d4d612..de5f3c3be9 100644
--- a/bin/tests/system/nsupdate/clean.sh
+++ b/bin/tests/system/nsupdate/clean.sh
@@ -54,6 +54,7 @@ rm -f ns3/many.test.bk
 rm -f ns3/nsec3param.test.db
 rm -f ns3/too-big.test.db
 rm -f ns5/local.db
+rm -f ns6/2.0.0.2.ip6.addr.db
 rm -f ns6/in-addr.db
 rm -f ns7/_default.tsigkeys
 rm -f ns7/example.com.db
diff --git a/bin/tests/system/nsupdate/ns6/2.0.0.2.ip6.addr.db.in b/bin/tests/system/nsupdate/ns6/2.0.0.2.ip6.addr.db.in
new file mode 100644
index 0000000000..71609c349d
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns6/2.0.0.2.ip6.addr.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns5.local.nil. hostmaster.local.nil. (
+ 1 ; serial
+ 2000 ; refresh (2000 seconds)
+ 2000 ; retry (2000 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns6
+ns6 A 10.53.0.6
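Review bot: The SOA MNAME in the new zone file is `ns5.local.nil.`, while the zone's only NS record and its A record point at `ns6` (10.53.0.6), the server that carries this zone in ns6/named.conf.in. That is harmless as long as every nsupdate invocation names the server explicitly, but an invocation that lets nsupdate discover the primary from the SOA would be steered to ns5 instead; the here-documents feeding nsupdate are not visible in this rendering, so I cannot confirm which form the tests use. Either make the MNAME agree with the NS, `@ IN SOA ns6 hostmaster.local.nil. (`, or add `; MNAME intentionally differs from NS (mirrors in-addr.db.in)` if this copies an existing fixture.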
diff --git a/bin/tests/system/nsupdate/ns6/named.conf.in b/bin/tests/system/nsupdate/ns6/named.conf.in
index c636cfc754..5ed1623546 100644
--- a/bin/tests/system/nsupdate/ns6/named.conf.in
+++ b/bin/tests/system/nsupdate/ns6/named.conf.in
@@ -39,3 +39,9 @@ zone "in-addr.arpa" {
 file "in-addr.db";
 update-policy { grant * tcp-self . PTR(1) ANY(2) A; };
 };
+
+zone "2.0.0.2.ip6.arpa" {
+ type primary;
+ file "2.0.0.2.ip6.addr.db";
+ update-policy { grant * 6to4-self . NS(10) DS(4); };
+};
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
index fab75704bf..6ea5a66027 100644
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
@@ -115,6 +115,7 @@ cp ns2/sample.db.in ns2/sample.db
 cp -f ns1/maxjournal.db.in ns1/maxjournal.db
 cp -f ns5/local.db.in ns5/local.db
+cp -f ns6/2.0.0.2.ip6.addr.db.in ns6/2.0.0.2.ip6.addr.db
 cp -f ns6/in-addr.db.in ns6/in-addr.db
 cp -f ns7/in-addr.db.in ns7/in-addr.db
 cp -f ns7/example.com.db.in ns7/example.com.db
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index 3d309d93f1..6a1fb1b3cf 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
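Review bot: The new grant line `update-policy { grant * 6to4-self . NS(10) DS(4); };` carries no comment on why an identity of `*` with the `.` placeholder is acceptable for this zone, and the reason is not visible from the fixture alone. The paired tests in tests.sh make the intent clear: the client's embedded IPv4 address is only trusted when it comes from a TCP connection, and the same update over UDP is expected to be refused. A one-line comment above the grant, such as `// 6to4-self: client address trusted only via the TCP connection; UDP updates are refused (see tests.sh)`, would let a reader of the fixture understand the rule without opening the test script.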
@@ -759,6 +759,48 @@ if test $ret -ne 0; then
 status=1
 fi
+n=$((n + 1))
+ret=0
+echo_i "check that 'update-policy 6to4-self' refuses update of records via UDP over IPv4 ($n)"
+REVERSE_NAME=6.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa
+$NSUPDATE >nsupdate.out.$n 2>&1 </dev/null 2>&1 || ret=1
+$DIG $DIGOPTS @10.53.0.6 \
+ +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+ $REVERSE_NAME NS >dig.out.ns6.$n
+grep localhost. dig.out.ns6.$n >/dev/null 2>&1 && ret=1
+if test $ret -ne 0; then
+ echo_i "failed"
+ status=1
+fi
+
+n=$((n + 1))
+echo_i "check that 'update-policy 6to4-self' permits update of records for the client's own address via TCP over IPv4 ($n)"
+ret=0
+REVERSE_NAME=6.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa
+$NSUPDATE -v >nsupdate.out.$n 2>&1 </dev/null 2>&1 && ret=1
+$DIG $DIGOPTS @10.53.0.6 \
+ +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+ $REVERSE_NAME NS >dig.out.ns6.$n || ret=1
+grep localhost. dig.out.ns6.$n >/dev/null 2>&1 || ret=1
+if test $ret -ne 0; then
+ echo_i "failed"
+ status=1
+fi
+
 n=$((n + 1))
 ret=0
 echo_i "check that 'update-policy subdomain' is properly enforced ($n)"
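Review bot: In the negative ("refuses ... via UDP") test the dig call ends with `$REVERSE_NAME NS >dig.out.ns6.$n` and has no `|| ret=1`, unlike the positive test right below it; if dig fails for any reason the output file is empty, `grep localhost.` matches nothing, and the refusal check passes without having observed the zone at all. Add `|| ret=1` to that line so the test can only pass when the query succeeded and the NS record is genuinely absent. Both `grep localhost.` patterns also treat the trailing `.` as a regex wildcard; `grep -F 'localhost.'` would make the match exact. The `$NSUPDATE ... </dev/null 2>&1` lines read as fragments in this rendering, so the here-documents feeding nsupdate appear to have been lost and I cannot tell whether the negative case also asserts REFUSED in nsupdate.out.$n; if it does not, that assertion is what distinguishes a refused update from one that was never delivered.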