From 730c6651a0f01e82325cdedfba770475d77b2fd8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 26 Jun 2018 12:19:41 +0200 Subject: [PATCH 1/3] Determine "rpz" system test mode based on $mode rather than $DNSRPS_TEST_MODE Change 4897 modified the way the $DNSRPS_TEST_MODE variable is used in bin/tests/system/rpz/tests.sh without updating all references to it, which i.a. causes the $native and $dnsrps variables to not be set in the default testing mode, effectively preventing failed checks from being propagated to the final result of the test. Use $mode instead of $DNSRPS_TEST_MODE where appropriate to fix error handling in the "rpz" system test. --- bin/tests/system/rpz/tests.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh index c7d9de8d3a..a55b1bb1fe 100644 --- a/bin/tests/system/rpz/tests.sh +++ b/bin/tests/system/rpz/tests.sh @@ -578,11 +578,11 @@ EOF addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME addr 127.0.0.2 a3-1.subsub.sub3.tld2 nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash - if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then + if [ "$mode" = dnsrps ]; then addr 12.12.12.12 as-ns.tld5. # 13 qname-as-ns fi end_group - if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then + if [ "$mode" = dnsrps ]; then ckstats $ns3 test3 ns3 8 else ckstats $ns3 test3 ns3 7 @@ -594,7 +594,7 @@ EOF nochange a3-2.tld2. # 2 exempt rewrite by name nochange a0-1.tld2. # 3 exempt rewrite by address block nochange a3-1.tld4 # 4 different NS IP address - if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then + if [ "$mode" = dnsrps ]; then addr 12.12.12.12 as-ns.tld5. # 5 ip-as-ns fi end_group @@ -607,7 +607,7 @@ EOF a3-1.tld2. x IN TXT "NSIP walled garden" EOF end_group - if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then + if [ "$mode" = dnsrps ]; then ckstats $ns3 test4 ns3 5 else ckstats $ns3 test4 ns3 4 
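Review bot: The `if [ "$mode" = dnsrps ]` tests in the -578 hunk (and the equivalent tests in the -594, -607, -712 and -784 hunks) treat every value other than the one named as the other mode, so an unset or misspelled `$mode` would silently select the other branch (for example `ckstats $ns3 test3 ns3 7`) instead of failing. Where `$mode` is assigned lies outside these hunks, so it may already be validated there. If it is not, a guard right after the assignment, such as `case "$mode" in native|dnsrps) ;; *) echo_i "unknown mode '$mode'"; exit 1;; esac`, would keep the class of bug this commit fixes from recurring. A one-line comment at the first use, e.g. `# $mode is the sub-test being run now; $DNSRPS_TEST_MODE is only the caller's request`, would document why the two variables are not interchangeable (wording to be confirmed against the code that sets them).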
@@ -712,7 +712,7 @@ EOF echo_i "performance not checked; queryperf not available" fi - if [ "$DNSRPS_TEST_MODE" = dnsrps ]; then + if [ "$mode" = dnsrps ]; then echo_i "checking that dnsrpzd is automatically restarted" OLD_PID=`cat dnsrpzd.pid` $KILL "$OLD_PID" @@ -784,7 +784,7 @@ EOF # dnsrps does not allow NS RRs in policy zones, so this check # with dnsrps results in no rewriting. - if [ "$DNSRPS_TEST_MODE" = native ]; then + if [ "$mode" = native ]; then t=`expr $t + 1` echo_i "checking rpz with delegation fails correctly (${t})" $DIG -p ${PORT} @$ns3 ns example.com > dig.out.$t @@ -792,7 +792,7 @@ EOF fi [ $status -ne 0 ] && pf=fail || pf=pass - case $DNSRPS_TEST_MODE in + case $mode in native) native=$status echo_i "status (native RPZ sub-test): $status ($pf)";; From ff6b717955dda877d202779d7763edd19c0e15a9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 26 Jun 2018 12:19:41 +0200 Subject: [PATCH 2/3] Do not use IANA DNSSEC keys in the "rpz" system test With "dnssec-validation" now defaulting to "auto", it needs to be explicitly set to "yes" (the previous default value) for all validating resolvers used in system tests. Ensure that requirement is satisfied by the resolvers used in the "rpz" system test. --- bin/tests/system/rpz/ns2/named.conf.in | 2 ++ bin/tests/system/rpz/ns3/named.conf.in | 2 ++ bin/tests/system/rpz/ns4/named.conf.in | 2 ++ bin/tests/system/rpz/ns5/named.conf.in | 2 ++ bin/tests/system/rpz/ns6/named.conf.in | 2 ++ bin/tests/system/rpz/ns7/named.conf.in | 2 ++ 6 files changed, 12 insertions(+) diff --git a/bin/tests/system/rpz/ns2/named.conf.in b/bin/tests/system/rpz/ns2/named.conf.in index f4f4550ddb..15226401e9 100644 --- a/bin/tests/system/rpz/ns2/named.conf.in +++ b/bin/tests/system/rpz/ns2/named.conf.in @@ -20,6 +20,8 @@ options { listen-on-v6 { none; }; notify no; minimal-responses no; + recursion yes; + dnssec-validation yes; }; key rndc_key { 
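Review bot: The `case $mode in` at the end of the -792 hunk is where the per-mode result is recorded (`native=$status`), and no `*)` arm is visible, so a value matching no arm would again leave `$native`/`$dnsrps` unset and the failure unreported. The rest of the case statement lies outside the hunk; if it has no default arm, adding `*) echo_i "unexpected mode '$mode'"; exit 1;;` makes the test fail closed. Quoting the selector as `case "$mode" in` is also the safer spelling.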
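Review bot: `dnssec-validation yes;` validates only against trust anchors that are configured explicitly, and of the six hunks (ns2 here, ns3 to ns7 in the following file sections) only the ns4 one shows an `include "../trusted.conf";` next to the options block. Whether the other five configs load trust anchors elsewhere cannot be seen from the hunks. If they do not, those resolvers have validation switched on with nothing to validate against, which deserves a comment above the option such as `# no trust anchors here: set to "yes" only to avoid the built-in IANA keys`. The added `recursion yes;` is not mentioned in the commit message; for ns2 in particular, whose hunk shows `notify no;` and no `response-policy`, a short comment saying why recursion is enabled would help the next reader.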
diff --git a/bin/tests/system/rpz/ns3/named.conf.in b/bin/tests/system/rpz/ns3/named.conf.in index 091cceaa53..851a055bc9 100644 --- a/bin/tests/system/rpz/ns3/named.conf.in +++ b/bin/tests/system/rpz/ns3/named.conf.in @@ -26,6 +26,8 @@ options { listen-on-v6 { none; }; notify yes; minimal-responses no; + recursion yes; + dnssec-validation yes; response-policy { zone "bl" max-policy-ttl 100; diff --git a/bin/tests/system/rpz/ns4/named.conf.in b/bin/tests/system/rpz/ns4/named.conf.in index 03d0ca0abd..04d6d188fd 100644 --- a/bin/tests/system/rpz/ns4/named.conf.in +++ b/bin/tests/system/rpz/ns4/named.conf.in @@ -20,6 +20,8 @@ options { listen-on-v6 { none; }; notify no; minimal-responses no; + recursion yes; + dnssec-validation yes; }; include "../trusted.conf"; diff --git a/bin/tests/system/rpz/ns5/named.conf.in b/bin/tests/system/rpz/ns5/named.conf.in index 025cff5ff9..00d0725293 100644 --- a/bin/tests/system/rpz/ns5/named.conf.in +++ b/bin/tests/system/rpz/ns5/named.conf.in @@ -28,6 +28,8 @@ options { notify-delay 0; notify yes; minimal-responses no; + recursion yes; + dnssec-validation yes; # turn rpz on or off include "rpz-switch"; diff --git a/bin/tests/system/rpz/ns6/named.conf.in b/bin/tests/system/rpz/ns6/named.conf.in index ccd177f1b2..1cf738399b 100644 --- a/bin/tests/system/rpz/ns6/named.conf.in +++ b/bin/tests/system/rpz/ns6/named.conf.in @@ -22,6 +22,8 @@ options { forward only; forwarders { 10.53.0.3; }; minimal-responses no; + recursion yes; + dnssec-validation yes; response-policy { zone "policy1" min-update-interval 0; diff --git a/bin/tests/system/rpz/ns7/named.conf.in b/bin/tests/system/rpz/ns7/named.conf.in index 8c5c15d10e..842f709923 100644 --- a/bin/tests/system/rpz/ns7/named.conf.in +++ b/bin/tests/system/rpz/ns7/named.conf.in @@ -20,6 +20,8 @@ options { listen-on { 10.53.0.7; }; listen-on-v6 { none; }; minimal-responses no; + recursion yes; + dnssec-validation yes; response-policy { zone "policy2"; 
From 51522a2b8479987eec480763bd74ad023757fda5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 26 Jun 2018 12:19:41 +0200 Subject: [PATCH 3/3] Add CHANGES entry 4978. [test] Fix error handling and resolver configuration in the "rpz" system test. [GL #312] --- CHANGES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGES b/CHANGES index 82078caa96..6cf2b27c9e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +4978. [test] Fix error handling and resolver configuration in the + "rpz" system test. [GL #312] + 4977. [func] When starting up, log the same details that would be reported by 'named -V'. [GL #247]