
update the rpz tests to use the dummyrpz library

when testing the DNSRPS API, instead of linking to an installed
librpz.so from fastrpz, we now link to the test library. code that
ran dnsrpzd and checked the fastrpz license is now unnecessary and
has been removed.

two dnsrps-specific test cases in rpz (qname_as_ns and ip_as_ns) have
been removed, because they were only supported by fastrpz and do not
work in the test library. in rpzrecurse, nsip-wait-recurse and
nsdname-wait-recurse are now only tested in native mode, due to those
tests being specific to the native implementation.
Evan Hunt 2023-03-13 19:43:04 -07:00
parent b8b6b10ad2
commit f43de96460
19 changed files with 192 additions and 332 deletions


@ -14,9 +14,9 @@
set -e
# Say on stdout whether to test DNSRPS
# and create dnsrps.conf and dnsrps-secondary.conf
# Note that dnsrps.conf and dnsrps-secondary.conf are included in named.conf
# and differ from dnsrpz.conf which is used by dnsrpzd.
# and creates dnsrps.conf
# Note that dnsrps.conf is included in named.conf
# and differs from dnsrpz.conf which is used by dnsrpzd.
. ../conf.sh
@ -26,15 +26,13 @@ DNSRPS_CMD=../rpz/dnsrps
AS_NS=
TEST_DNSRPS=
MCONF=dnsrps.conf
SCONF=dnsrps-secondary.conf
USAGE="$0: [-xAD] [-M dnsrps.conf] [-S dnsrps-secondary.conf]"
USAGE="$0: [-xAD] [-M dnsrps.conf]"
while getopts "xADM:S:" c; do
case $c in
x) set -x; DEBUG=-x;;
A) AS_NS=yes;;
D) TEST_DNSRPS=yes;;
M) MCONF="$OPTARG";;
S) SCONF="$OPTARG";;
*) echo "$USAGE" 1>&2; exit 1;;
esac
done
@ -46,11 +44,9 @@ fi
# erase any existing conf files
cat /dev/null > $MCONF
cat /dev/null > $SCONF
add_conf () {
echo "$*" >>$MCONF
echo "$*" >>$SCONF
}
if ! $FEATURETEST --enable-dnsrps; then
@ -82,86 +78,6 @@ else
exit 0
fi
CMN=" dnsrps-options { dnsrpzd-conf ../dnsrpzd.conf
dnsrpzd-sock ../dnsrpzd.sock
dnsrpzd-rpzf ../dnsrpzd.rpzf
dnsrpzd-args '-dddd -L stdout'
log-level 3"
PRIMARY="$CMN"
if [ -n "$AS_NS" ]; then
PRIMARY="$PRIMARY
qname-as-ns yes
ip-as-ns yes"
fi
# write dnsrps settings for primary resolver
cat <<EOF >>$MCONF
$PRIMARY };
EOF
# write dnsrps settings for resolvers that should not start dnsrpzd
cat <<EOF >>$SCONF
$CMN
dnsrpzd '' }; # do not start dnsrpzd
EOF
# DNSRPS is available.
# The test should fail if the license is bad.
add_conf "dnsrps-enable yes;"
# Use alt-dnsrpzd-license.conf if it exists
CUR_L=dnsrpzd-license-cur.conf
ALT_L=alt-dnsrpzd-license.conf
# try ../rpz/alt-dnsrpzd-license.conf if alt-dnsrpzd-license.conf does not exist
[ -s $ALT_L ] || ALT_L=../rpz/alt-dnsrpzd-license.conf
if [ -s $ALT_L ]; then
SRC_L=$ALT_L
USE_ALT=
else
SRC_L=../rpz/dnsrpzd-license.conf
USE_ALT="## consider installing alt-dnsrpzd-license.conf"
fi
cp $SRC_L $CUR_L
# parse $CUR_L for the license zone name, primary IP addresses, and optional
# transfer-source IP addresses
eval `sed -n -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/'\
-e 's/.*zone *\([-a-z0-9]*.license.fastrpz.com\).*/NAME=\1/p' \
-e 's/.*farsight_fastrpz_license *\([0-9.]*\);.*/IPV4=\1/p' \
-e 's/.*farsight_fastrpz_license *\([0-9a-f:]*\);.*/IPV6=\1/p' \
-e 's/.*transfer-source *\([0-9.]*\);.*/TS4=-b\1/p' \
-e 's/.*transfer-source *\([0-9a-f:]*\);.*/TS6=-b\1/p' \
-e 's/.*transfer-source-v6 *\([0-9a-f:]*\);.*/TS6=-b\1/p' \
$CUR_L`
if [ -z "$NAME" ]; then
add_conf "## no DNSRPS tests; no license domain name in $SRC_L"
add_conf '#fail'
exit 0
fi
if [ -z "$IPV4" ]; then
IPV4=license1.fastrpz.com
TS4=
fi
if [ -z "$IPV6" ]; then
IPV6=license1.fastrpz.com
TS6=
fi
# This TSIG key is common and NOT a secret
KEY='hmac-sha256:farsight_fastrpz_license:f405d02b4c8af54855fcebc1'
# Try IPv4 and then IPv6 to deal with IPv6 tunnel and connectivity problems
if `$DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4 \
| grep -i "^$NAME.*TXT" >/dev/null`; then
exit 0
fi
if `$DIG -6 -t axfr -y$KEY $TS6 $NAME @$IPV6 \
| grep -i "^$NAME.*TXT" >/dev/null`; then
exit 0
fi
add_conf "## DNSRPS lacks a valid license via $SRC_L"
[ -z "$USE_ALT" ] || add_conf "$USE_ALT"
add_conf '#fail'
add_conf 'dnsrps-options { log-level 3 };'
add_conf 'dnsrps-enable yes;'
add_conf 'dnsrps-library "../../rpz/testlib/.libs/libdummyrpz.so";'
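Review bot: `AS_NS`, the `A)` case and the `S:` in the `getopts "xADM:S:"` string appear to survive even though their only consumers (the `qname-as-ns`/`ip-as-ns` block and `SCONF`) are removed, so `-A` is now a silent no-op and `-S file` falls through to the usage error; this assumes the getopts line is unchanged context, which the rendering does not make explicit. Trimming to `while getopts "xADM:" c; do`, dropping the `A)` case and removing `-A` from `USAGE` keeps the interface honest. The `dnsrps-library` path written last is relative and presumably resolved from each `ns*/` working directory; a comment such as `# relative to the ns*/ directory that includes dnsrps.conf; must match the libtool output dir of rpz/testlib` would help whoever next moves the test library.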


@ -1,2 +1 @@
alt-dnsrpzd-license.conf
dnsrps


@ -40,6 +40,7 @@ rm -f ns5/example.db ns5/bl.db ns5/fast-expire.db ns5/expire.conf
rm -f ns8/manual-update-rpz.db
rm -f */policy2.db
rm -f */*.jnl
rm -f dnsrps.cache dnsrps.conf
if [ ${PARTIAL:-unset} = unset ]; then
rm -f proto.* dsset-* trusted.conf dig.out* nsupdate.tmp ns*/*tmp
@ -49,9 +50,7 @@ if [ ${PARTIAL:-unset} = unset ]; then
rm -f ns*/named.lock
rm -f ns*/named.conf
rm -f ns*/*switch
rm -f dnsrps*.conf
rm -f dnsrpzd.conf
rm -f dnsrpzd-license-cur.conf dnsrpzd.rpzf dnsrpzd.sock dnsrpzd.pid
rm -f dnsrps.zones
rm -f ns*/managed-keys.bind*
rm -f tmp
fi


@ -13,11 +13,8 @@
/*
* -a exit(0) if dnsrps is available or dlopen() msg if not
* -p print the path to dnsrpzd configured in dnsrps so that
* dnsrpzd can be run by a setup.sh script.
* Exit(1) if dnsrps is not available
* -n domain print the serial number of a domain to check if a new
* version of a policy zone has been transferred to dnsrpzd.
* version of a policy zone is ready.
* Exit(1) if dnsrps is not available
* -w sec.ond wait for seconds, because `sleep 0.1` is not portable
*/
@ -37,8 +34,6 @@
#ifdef USE_DNSRPS
#include <dns/librpz.h>
librpz_t *librpz;
#else /* ifdef USE_DNSRPS */
typedef struct {
char c[120];
@ -48,7 +43,7 @@ typedef struct {
static bool
link_dnsrps(librpz_emsg_t *emsg);
#define USAGE "usage: [-ap] [-n domain] [-w sec.onds]\n"
#define USAGE "usage: [-a] [-n domain] [-w sec.onds]\n"
int
main(int argc, char **argv) {
@ -64,7 +59,7 @@ main(int argc, char **argv) {
char *p;
int i;
while ((i = getopt(argc, argv, "apn:w:")) != -1) {
while ((i = getopt(argc, argv, "an:w:")) != -1) {
switch (i) {
case 'a':
if (!link_dnsrps(&emsg)) {
@ -73,18 +68,6 @@ main(int argc, char **argv) {
}
return (0);
case 'p':
if (!link_dnsrps(&emsg)) {
fprintf(stderr, "## %s\n", emsg.c);
return (1);
}
#ifdef USE_DNSRPS
printf("%s\n", librpz->dnsrpzd_path);
#else /* ifdef USE_DNSRPS */
UNREACHABLE();
#endif /* ifdef USE_DNSRPS */
return (0);
case 'n':
if (!link_dnsrps(&emsg)) {
fprintf(stderr, "## %s\n", emsg.c);
@ -92,8 +75,7 @@ main(int argc, char **argv) {
}
#ifdef USE_DNSRPS
/*
* Get the serial number of a policy zone from
* a running dnsrpzd daemon.
* Get the serial number of a policy zone.
*/
clist = librpz->clist_create(&emsg, NULL, NULL, NULL,
NULL, NULL);
@ -101,11 +83,7 @@ main(int argc, char **argv) {
fprintf(stderr, "## %s: %s\n", optarg, emsg.c);
return (1);
}
snprintf(cstr, sizeof(cstr),
"zone %s; dnsrpzd \"\";"
" dnsrpzd-sock dnsrpzd.sock;"
" dnsrpzd-rpzf dnsrpzd.rpzf",
optarg);
snprintf(cstr, sizeof(cstr), "zone %s;", optarg);
client = librpz->client_create(&emsg, clist, cstr,
true);
if (client == NULL) {
@ -162,7 +140,7 @@ main(int argc, char **argv) {
static bool
link_dnsrps(librpz_emsg_t *emsg) {
#ifdef USE_DNSRPS
librpz = librpz_lib_open(emsg, NULL, DNSRPS_LIBRPZ_PATH);
librpz = librpz_lib_open(emsg, NULL, LIBRPZ_LIB_OPEN);
if (librpz == NULL) {
return (false);
}
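Review bot: `link_dnsrps` now passes `LIBRPZ_LIB_OPEN` to `librpz_lib_open()`, but nothing in this file defines or documents it, whereas the removed `DNSRPS_LIBRPZ_PATH` at least said what it held; if the macro comes from the build system, a comment at the call site such as `/* LIBRPZ_LIB_OPEN: location of the test librpz, supplied by the build */` saves the reader a grep. In the `-n` branch the shortened `snprintf(cstr, sizeof(cstr), "zone %s;", optarg);` still discards its return value, so an over-long domain is silently truncated before reaching `client_create`; `if (snprintf(cstr, sizeof(cstr), "zone %s;", optarg) >= (int)sizeof(cstr)) { fprintf(stderr, "## %s: domain too long\n", optarg); return (1); }` makes the failure explicit. `link_dnsrps` continues past the end of this hunk.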


@ -15,8 +15,6 @@
pid-file ../dnsrpzd.pid
include ../dnsrpzd-license-cur.conf
# configure NOTIFY and zone transfers
port @EXTRAPORT1@;
listen-on port @EXTRAPORT1@ { 10.53.0.3; };


@ -1,23 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
zone isc.license.fastrpz.com {
primaries port 53 {
KEY farsight_fastrpz_license 104.244.14.176;
KEY farsight_fastrpz_license 2620:11c:f008::176;
};
};
key farsight_fastrpz_license {
algorithm hmac-sha256; secret "f405d02b4c8af54855fcebc1";
};


@ -35,7 +35,7 @@ options {
# turn rpz on or off
include "rpz-switch";
include "../dnsrps-secondary.conf";
include "../dnsrps.conf";
};
key rndc_key {


@ -36,7 +36,7 @@ options {
nsip-enable yes
nsdname-enable yes;
include "../dnsrps-secondary.conf";
include "../dnsrps.conf";
};
logging { category rpz { default_debug; }; };
@ -58,7 +58,7 @@ zone "policy1" {
file "empty.db";
also-notify { 10.53.0.3 port @EXTRAPORT1@; };
notify-delay 0;
allow-transfer { any; };
allow-transfer { any; };
};
zone "bl.tld2s." {


@ -32,7 +32,7 @@ options {
nsdname-enable yes
min-update-interval 0;
include "../dnsrps-secondary.conf";
include "../dnsrps.conf";
};
logging { category rpz { default_debug; }; };
@ -54,6 +54,6 @@ zone "policy2" {
file "policy2.db";
also-notify { 10.53.0.3 port @EXTRAPORT1@; };
notify-delay 0;
allow-transfer { any; };
allow-transfer { any; };
request-ixfr no; // force axfr on rndc reload
};


@ -30,7 +30,7 @@ options {
recursion yes;
dnssec-validation yes;
dns64-server "example.localdomain.";
dns64 64:ff9b::/96 { };
dns64 64:ff9b::/96 { };
response-policy {
zone "rpz";
}


@ -9,8 +9,9 @@
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
rpz. 28800 IN SOA rpz. hostmaster.rpz. 6 10800 3600 2419200 900
rpz. 28800 IN NS .
a-only.example.rpz. 28800 IN CNAME *.
no-a-no-aaaa.example.rpz. 28800 IN CNAME *.
a-plus-aaaa.example.rpz. 28800 IN CNAME *.
$TTL 28800
rpz. IN SOA rpz. hostmaster.rpz. 6 10800 3600 2419200 900
rpz. IN NS .
a-only.example CNAME *.
no-a-no-aaaa.example CNAME *.
a-plus-aaaa.example CNAME *.
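Review bot: The switch to `$TTL 28800`, relative owner names and per-record lines without an explicit TTL appears to exist for `produce_librpz_rules` in tests.sh, whose awk only accepts 3- or 4-field records and assigns 3-field ones a fixed TTL of 300 rather than the zone's 28800; nothing in the zone file records that dependency. A header comment such as `; keep records in 3- or 4-field form: produce_librpz_rules in tests.sh parses this file` would stop a later edit from reintroducing the long form. The TTL mismatch only matters if a test asserts on TTLs, which none of the visible ones does.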


@ -55,13 +55,13 @@ copy_setports ns8/named.conf.in ns8/named.conf
copy_setports ns9/named.conf.in ns9/named.conf
copy_setports ns10/named.conf.in ns10/named.conf
copy_setports dnsrpzd.conf.in dnsrpzd.conf
copy_setports dnsrps.zones.in dnsrps.zones
# decide whether to test DNSRPS
# Note that dnsrps.conf and dnsrps-secondary.conf are included in named.conf
# and differ from dnsrpz.conf which is used by dnsrpzd.
$SHELL ../ckdnsrps.sh -A $TEST_DNSRPS $DEBUG
test -z "$(grep 'dnsrps-enable yes' dnsrps.conf)" && TEST_DNSRPS=
# Note that dnsrps.conf is included in named.conf
$SHELL ../ckdnsrps.sh $TEST_DNSRPS $DEBUG
test -z "$(grep 'testing with DNSRPS' dnsrps.conf)" && TEST_DNSRPS=
touch dnsrps.cache
# set up test policy zones.
# bl is the main test zone
@ -169,11 +169,3 @@ cp ns2/bl.tld2.db.in ns2/bl.tld2.db
cp ns5/empty.db.in ns5/empty.db
cp ns5/empty.db.in ns5/policy2.db
cp ns6/bl.tld2s.db.in ns6/bl.tld2s.db
# Run dnsrpzd to get the license and prime the static policy zones
if test -n "$TEST_DNSRPS"; then
DNSRPZD="$(../rpz/dnsrps -p)"
cd ns3
"$DNSRPZ" -D../dnsrpzd.rpzf -S../dnsrpzd.sock -C../dnsrpzd.conf \
-w 0 -dddd -L stdout >./dnsrpzd.run 2>&1
fi
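Review bot: The new gate `test -z "$(grep 'testing with DNSRPS' dnsrps.conf)" && TEST_DNSRPS=` looks for a marker that none of the visible ckdnsrps.sh additions write — that hunk emits `dnsrps-options`, `dnsrps-enable yes;` and `dnsrps-library ...` — while rpzrecurse/setup.sh in this same commit still greps for `dnsrps-enable yes`. Unless ckdnsrps.sh prints `testing with DNSRPS` somewhere outside the shown hunks, this line always clears `TEST_DNSRPS` and dnsrps mode is skipped without any failure. The two setup scripts should agree on one marker, e.g. `test -z "$(grep 'dnsrps-enable yes' dnsrps.conf)" && TEST_DNSRPS=` here as well.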


@ -35,6 +35,7 @@ HAVE_CORE=
status=0
t=0
export DNSRPS_TEST_UPDATE_FILE=$(pwd)/dnsrps.cache
DEBUG=
SAVE_RESULTS=
ARGS=
@ -67,7 +68,6 @@ DNSRPSCMD=./dnsrps
RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s"
if test -x $DNSRPSCMD; then
# speed up the many delays for dnsrpzd by waiting only 0.1 seconds
WAIT_CMD="$DNSRPSCMD -w 0.1"
TEN_SECS=100
else
@ -129,10 +129,10 @@ get_sn_fast () {
fi
}
# check that dnsrpzd has loaded its zones
# check that dnsrps provider has zones loaded
# $1=domain
# $2=DNS server IP address
FZONES=`sed -n -e 's/^zone "\(.*\)".*\(10.53.0..\).*/Z=\1;M=\2/p' dnsrpzd.conf`
FZONES=`sed -n -e 's/^zone "\(.*\)".*\(10.53.0..\).*/Z=\1;M=\2/p' dnsrps.zones`
dnsrps_loaded() {
test "$mode" = dnsrps || return
n=0
@ -182,7 +182,15 @@ ck_soa() {
# (re)load the response policy zones with the rules in the file $TEST_FILE
load_db () {
if test -n "$TEST_FILE"; then
copy_setports $TEST_FILE tmp
copy_setports $TEST_FILE tmp
for ZONE in bl0 bl1 bl2 bl3 bl4 bl5 bl6 bl7 bl8 bl9 bl10 bl11 bl12 bl13 bl14 bl15 bl16 bl17 bl18 bl19; do
produce_librpz_rules ns5 $ZONE bl
done
produce_librpz_rules ns2 bl.tld2 bl.tld2
cat tmp >> $DNSRPS_TEST_UPDATE_FILE
if $NSUPDATE -v tmp; then :
$RNDCCMD $ns3 sync
else
@ -190,7 +198,7 @@ load_db () {
$RNDCCMD $ns3 sync
exit 1
fi
rm -f tmp
rm -f tmp
fi
}
@ -213,11 +221,11 @@ restart () {
fi
rm -f ns$1/*.jnl
if [ "$2" = "rebuild-bl-rpz" ]; then
if test -f ns$1/base.db; then
if test -f ns$1/base.db; then
for NM in ns$1/bl*.db; do
cp -f ns$1/base.db $NM
done
fi
cp -f ns$1/base.db $NM
done
fi
fi
start_server --noclean --restart --port ${PORT} ns$1
load_db
@ -242,8 +250,8 @@ ckalive () {
}
resetstats () {
NSDIR=$1
eval "${NSDIR}_CNT=''"
NSDIR=$1
eval "${NSDIR}_CNT=''"
}
ckstats () {
@ -279,6 +287,16 @@ ckstatsrange () {
eval "${NSDIR}_CNT=$NEW_CNT"
}
add_librpz_rule() {
echo $1 >> $DNSRPS_TEST_UPDATE_FILE
}
produce_librpz_rules() {
# echo "Producing rules for $1"
ZONEFILE=$1/$3.db
cat $ZONEFILE | egrep -v '^;' | egrep '\<(A|CNAME)\>' | awk -v zone=$2 '{ if (NF == 4) {print "static add "$1"."zone" "$2" "$3" "$4} else if (NF == 3) {print "static add "$1"."zone" 300 "$2" "$3}}' >> $DNSRPS_TEST_UPDATE_FILE
}
# $1=message
# $2=optional test file name
start_group () {
@ -299,9 +317,10 @@ start_group () {
end_group () {
if test -n "$TEST_FILE"; then
# remove the previous set of test rules
copy_setports $TEST_FILE tmp
copy_setports $TEST_FILE tmp
add_librpz_rule "rollback"
sed -e 's/[ ]add[ ]/ delete /' tmp | $NSUPDATE
rm -f tmp
rm -f tmp
TEST_FILE=
fi
ckalive $ns3 "failed; ns3 server crashed and restarted"
@ -510,6 +529,7 @@ for mode in native dnsrps; do
retry_quiet 10 make_proto_nodata
start_group "QNAME rewrites" test1
nochange . # 1 do not crash or rewrite root
nxdomain a0-1.tld2 # 2
nodata a3-1.tld2 # 3
@ -600,13 +620,18 @@ EOF
# updating an response zone policy
cp ns2/blv2.tld2.db.in ns2/bl.tld2.db
rndc_reload ns2 $ns2 bl.tld2
add_librpz_rule "update zone bl.tld2 1 inc"
ck_soa 2 bl.tld2 $ns3
add_librpz_rule "wipe"
produce_librpz_rules ns2 bl.tld2 bl.tld2
nochange a7-1.tld2 # 19 PASSTHRU
# ensure that a clock tick has occurred so that named will do the reload
sleep 1
cp ns2/blv3.tld2.db.in ns2/bl.tld2.db
rndc_reload ns2 $ns2 bl.tld2
add_librpz_rule "update zone bl.tld2 1 inc"
ck_soa 3 bl.tld2 $ns3
produce_librpz_rules ns2 bl.tld2 bl.tld2
nxdomain a7-1.tld2 # 20 secondary policy zone (RT34450)
end_group
ckstats $ns3 test2 ns3 12
@ -647,17 +672,10 @@ EOF
nxdomain a3-1.static-stub # 14
nochange_ns10 a3-1.stub-nomatch # 15
nochange_ns10 a3-1.static-stub-nomatch # 16
if [ "$mode" = dnsrps ]; then
addr 12.12.12.12 as-ns.tld5. # 17 qname-as-ns
fi
nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" &&
setret "seen: unrecognized NS rpz_rrset_find() failed: glue"
end_group
if [ "$mode" = dnsrps ]; then
ckstats $ns3 test3 ns3 10
else
ckstats $ns3 test3 ns3 9
fi
ckstats $ns3 test3 ns3 9
# these tests assume "min-ns-dots 0"
start_group "NSIP rewrites" test4
@ -670,9 +688,6 @@ EOF
nxdomain a4-1.static-stub # 6
nochange_ns10 a4-1.stub-nomatch # 7
nochange_ns10 a4-1.static-stub-nomatch # 8
if [ "$mode" = dnsrps ]; then
addr 12.12.12.12 as-ns.tld5. # 9 ip-as-ns
fi
nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" &&
setret "seen: unrecognized NS rpz_rrset_find() failed: glue"
end_group
@ -685,11 +700,7 @@ EOF
a3-1.tld2. x IN TXT "NSIP walled garden"
EOF
end_group
if [ "$mode" = dnsrps ]; then
ckstats $ns3 test4 ns3 7
else
ckstats $ns3 test4 ns3 6
fi
ckstats $ns3 test4 ns3 6
# policies in ./test5 overridden by response-policy{} in ns3/named.conf
# and in ns5/named.conf
@ -722,6 +733,7 @@ EOF
ckstats $ns5 test5 ns5 4
# check that miscellaneous bugs are still absent
add_librpz_rule "wipe"
start_group "crashes" test6
for Q in RRSIG SIG ANY 'ANY +dnssec'; do
nocrash a3-1.tld2 -t$Q
@ -789,27 +801,6 @@ EOF
echo_i "performance not checked; queryperf not available"
fi
if [ "$mode" = dnsrps ]; then
echo_i "checking that dnsrpzd is automatically restarted"
OLD_PID=`cat dnsrpzd.pid`
kill "$OLD_PID"
n=0
while true; do
NEW_PID=`cat dnsrpzd.pid 2>/dev/null`
if test -n "$NEW_PID" -a "0$OLD_PID" -ne "0$NEW_PID"; then
#echo "OLD_PID=$OLD_PID NEW_PID=$NEW_PID"
break;
fi
$DIG -p ${PORT} +short +norecurse a0-1.tld2 @$ns3 >/dev/null
n=`expr $n + 1`
if test "$n" -gt $TEN_SECS; then
setret "dnsrpzd did not restart"
break
fi
$WAIT_CMD
done
fi
# Ensure ns3 manages to transfer the fast-expire zone before shutdown.
nextpartreset ns3/named.run
wait_for_log 20 "zone fast-expire/IN: transferred serial 1" ns3/named.run
@ -822,6 +813,7 @@ EOF
# restart the main test RPZ server to see if that creates a core file
if test -z "$HAVE_CORE"; then
stop_server --use-rndc --port ${CONTROLPORT} ns3
add_librpz_rule "restart"
restart 3 "rebuild-bl-rpz"
HAVE_CORE=`find ns* -name '*core*' -print`
test -z "$HAVE_CORE" || setret "found $HAVE_CORE; memory leak?"
@ -833,7 +825,7 @@ EOF
if test -n "$EMSGS"; then
setret "error messages in $runfile starting with:"
grep -E 'invalid rpz|rpz.*failed' ns*/named.run | \
sed -e '10,$d' -e 's/^//' | cat_i
sed -e '10,$d' -e 's/^//' | cat_i
fi
done
@ -918,9 +910,11 @@ EOF
nsd $ns5 delete '*.example.com.policy1.' example.com.policy1.
done
t=`expr $t + 1`
echo_i "checking that going from an empty policy zone works (${t})"
nsd $ns5 add '*.x.servfail.policy2.' x.servfail.policy2.
add_librpz_rule "update add *.x.servfail.policy2 300 CNAME ."
sleep 1
rndc_reload ns7 $ns7 policy2
$DIG z.x.servfail -p ${PORT} @$ns7 > dig.out.${t}
@ -977,6 +971,7 @@ EOF
fi
# RPZ 'CNAME *.' (NODATA) trumps DNS64. Test against various DNS64 scenarios.
produce_librpz_rules ns9 rpz rpz
for label in a-only no-a-no-aaaa a-plus-aaaa
do
for type in AAAA A
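Review bot: `add_librpz_rule` writes `echo $1 >> $DNSRPS_TEST_UPDATE_FILE` with `$1` unquoted, and at least one caller passes rule text containing `*` (`"update add *.x.servfail.policy2 300 CNAME ."`), so the argument undergoes pathname expansion against the test directory before it reaches the file; `echo "$1" >> "$DNSRPS_TEST_UPDATE_FILE"` avoids that. `produce_librpz_rules` uses `cat $ZONEFILE | egrep ... | egrep ...`, where `egrep` is obsolescent in current GNU grep and prints a warning on stderr, and the same 3-or-4-field awk is duplicated verbatim in rpzrecurse/tests.sh (in both `start_server_rules` and its own `produce_librpz_rules`), so a single `grep -Ev '^;' "$ZONEFILE" | grep -E '\<(A|CNAME)\>' | awk ...` shared via conf.sh would give one place to fix it. The dummy library's reader of these `static add` lines is not visible here, so the field mapping (owner, TTL, type, rdata) is assumed from the zone-file layout.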


@ -40,19 +40,19 @@ options {
logging {
channel rpz_passthru {
file "rpz_passthru.txt" versions 3 size 5m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
file "rpz_passthru.txt" versions 3 size 5m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel rpz_log {
file "rpz.txt" versions 3 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
file "rpz.txt" versions 3 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
category rpz { rpz_log; default_debug; };


@ -5,7 +5,6 @@
/ns3/named2.conf
/ns4/named.conf
/ans5/ans.pid
/dnsrps-secondary.conf
/dnsrps.conf
/dnsrpzd.conf
session.key


@ -29,6 +29,7 @@ rm -f ns2/named.conf.header
rm -f ns3/named.conf
rm -f ns3/named.run.prev
rm -f dnsrps*.conf dnsrpzd*
rm -f dnsrps.cache
rm -f dnsrps*.conf
rm -f ns*/session.key
rm -f ns*/managed-keys.bind* ns*/*.mkeys*


@ -27,7 +27,7 @@ options {
querylog yes;
# let ns3 start dnsrpzd
include "../dnsrps-secondary.conf";
include "../dnsrps.conf";
};
key rndc_key {
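Review bot: The comment `# let ns3 start dnsrpzd` directly above the changed `include "../dnsrps.conf";` is now stale: with dnsrpzd gone and a single shared dnsrps.conf there is no primary/secondary distinction left for ns2 to opt out of. Dropping it, or replacing it with `# shared DNSRPS settings written by ckdnsrps.sh`, keeps the config honest. The comment is shown once here, so it is presumably unchanged context rather than part of the hunk.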


@ -46,6 +46,11 @@ copy_setports ns3/named1.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
# decide whether to test DNSRPS
$SHELL ../ckdnsrps.sh $TEST_DNSRPS $DEBUG
test -z "`grep 'dnsrps-enable yes' dnsrps.conf`" && TEST_DNSRPS=
touch dnsrps.cache
# setup policy zones for a 64-zone test
i=1
while test $i -le 64
@ -63,25 +68,3 @@ do
done
i=`expr $i + 1`
done
# decide whether to test DNSRPS
$SHELL ../ckdnsrps.sh $TEST_DNSRPS $DEBUG
test -z "`grep 'dnsrps-enable yes' dnsrps.conf`" && TEST_DNSRPS=
CWD=`pwd`
cat <<EOF >dnsrpzd.conf
PID-FILE $CWD/dnsrpzd.pid;
include $CWD/dnsrpzd-license-cur.conf
zone "policy" { type primary; file "`pwd`/ns3/policy.db"; };
EOF
sed -n -e 's/^ *//' -e "/zone.*.*primary/s@file \"@&$CWD/ns2/@p" ns2/*.conf \
>>dnsrpzd.conf
# Run dnsrpzd to get the license and prime the static policy zones
if test -n "$TEST_DNSRPS"; then
DNSRPZD="`../rpz/dnsrps -p`"
"$DNSRPZD" -D./dnsrpzd.rpzf -S./dnsrpzd.sock -C./dnsrpzd.conf \
-w 0 -dddd -L stdout >./dnsrpzd.run 2>&1
fi


@ -20,6 +20,7 @@ status=0
t=0
export DNSRPS_TEST_UPDATE_FILE=$(pwd)/dnsrps.cache
DEBUG=
ARGS=
@ -46,6 +47,7 @@ RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s"
run_server() {
TESTNAME=$1
start_server_rules $1 $2
echo_i "stopping resolver"
stop_server --use-rndc --port ${CONTROLPORT} ns2
@ -57,6 +59,22 @@ run_server() {
sleep 3
}
start_server_rules() {
FCONF=ns2/named.$1.conf
cat /dev/null > $DNSRPS_TEST_UPDATE_FILE
cat $FCONF | grep 'zone ' | grep ' primary' | while read LINE; do
ZONE=`echo $LINE | sed 's/.*zone "//g' | awk -F '"' '{print $1}'`;
DBFILE=`echo $LINE | sed 's/.*file "//g' | awk -F '"' '{print $1}'`;
cat ns2/$DBFILE | egrep -v '^;' | egrep '\<(A|CNAME)\>' | awk -v zone=$ZONE '{ if (NF == 4) {print "static add "$1"."zone" "$2" "$3" "$4} else if (NF == 3) {print "static add "$1"."zone" 300 "$2" "$3}}' >> $DNSRPS_TEST_UPDATE_FILE
done
}
produce_librpz_rules() {
ZONEFILE=$1/$3.db
cat $ZONEFILE | egrep -v '^;' | egrep '\<(A|CNAME)\>' | awk -v zone=$2 '{ if (NF == 4) {print "static add "$1"."zone" "$2" "$3" "$4} else if (NF == 3) {print "static add "$1"."zone" 300 "$2" "$3}}' >> $DNSRPS_TEST_UPDATE_FILE
}
run_query() {
TESTNAME=$1
LINE=$2
@ -74,7 +92,7 @@ expect_norecurse() {
LINE=$2
NAME=`sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1`
t=`expr $t + 1`
t=$((t+1))
echo_i "testing $NAME doesn't recurse (${t})"
add_test_marker 10.53.0.2
run_query $TESTNAME $LINE || {
@ -90,7 +108,7 @@ expect_recurse() {
LINE=$2
NAME=`sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1`
t=`expr $t + 1`
t=$((t+1))
echo_i "testing $NAME recurses (${t})"
add_test_marker 10.53.0.2
run_query $TESTNAME $LINE && {
@ -144,7 +162,7 @@ for mode in native dnsrps; do
# show whether and why DNSRPS is enabled or disabled
sed -n 's/^## //p' dnsrps.conf | cat_i
t=`expr $t + 1`
t=$((t+1))
echo_i "testing that l1.l0 exists without RPZ (${t})"
add_test_marker 10.53.0.2
$DIG $DIGOPTS l1.l0 ns @10.53.0.2 -p ${PORT} > dig.out.${t}
@ -153,7 +171,7 @@ for mode in native dnsrps; do
status=1
}
t=`expr $t + 1`
t=$((t+1))
echo_i "testing that l2.l1.l0 returns SERVFAIL without RPZ (${t})"
add_test_marker 10.53.0.2
$DIG $DIGOPTS l2.l1.l0 ns @10.53.0.2 -p ${PORT} > dig.out.${t}
@ -211,7 +229,7 @@ for mode in native dnsrps; do
for n in $testlist; do
run_server 4$n
ni=$1
t=`expr $t + 1`
t=$((t+1))
echo_i "testing that ${ni} of 33 queries skip recursion (${t})"
add_test_marker 10.53.0.2
c=0
@ -221,7 +239,7 @@ for mode in native dnsrps; do
run_query 4$n $i
c=`expr $c + $?`
done
skipped=`expr 33 - $c`
skipped=$((33-c))
if [ $skipped != $ni ]; then
echo_i "test $t failed (actual=$skipped, expected=$ni)"
status=1
@ -242,7 +260,7 @@ for mode in native dnsrps; do
echo_i "check recursive behavior consistency during policy update races"
run_server 6a
sleep 1
t=`expr $t + 1`
t=$((t+1))
echo_i "running dig to cache CNAME record (${t})"
add_test_marker 10.53.0.1 10.53.0.2
$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME > dig.out.${t}
@ -256,7 +274,7 @@ for mode in native dnsrps; do
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
test -f dnsrpzd.pid && kill -USR1 `cat dnsrpzd.pid`
sleep 1
t=`expr $t + 1`
t=$((t+1))
echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})"
add_test_marker 10.53.0.2
$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 > dig.out.${t} &
@ -285,7 +303,7 @@ for mode in native dnsrps; do
cp ns2/saved.policy.local ns2/db.6a.00.policy.local
run_server 6a
sleep 1
t=`expr $t + 1`
t=$((t+1))
echo_i "running dig to cache CNAME record (${t})"
add_test_marker 10.53.0.1 10.53.0.2
$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME > dig.out.${t}
@ -298,7 +316,7 @@ for mode in native dnsrps; do
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
test -f dnsrpzd.pid && kill -USR1 `cat dnsrpzd.pid`
sleep 1
t=`expr $t + 1`
t=$((t+1))
echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})"
add_test_marker 10.53.0.2
$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 > dig.out.${t} &
@ -323,7 +341,7 @@ for mode in native dnsrps; do
}
# Check maximum number of RPZ zones (64)
t=`expr $t + 1`
t=$((t+1))
echo_i "testing maximum number of RPZ zones (${t})"
add_test_marker 10.53.0.2
run_server max
@ -335,11 +353,11 @@ for mode in native dnsrps; do
echo_i "test $t failed: didn't get expected answer from policy zone $i"
status=1
}
i=`expr $i + 1`
i=$((i+1))
done
# Check CLIENT-IP behavior
t=`expr $t + 1`
t=$((t+1))
echo_i "testing CLIENT-IP behavior (${t})"
add_test_marker 10.53.0.2
run_server clientip
@ -354,7 +372,7 @@ for mode in native dnsrps; do
}
# Check CLIENT-IP behavior #2
t=`expr $t + 1`
t=$((t+1))
echo_i "testing CLIENT-IP behavior #2 (${t})"
add_test_marker 10.53.0.2
run_server clientip2
@ -384,7 +402,7 @@ for mode in native dnsrps; do
}
# Check RPZ log clause
t=`expr $t + 1`
t=$((t+1))
echo_i "testing RPZ log clause (${t})"
add_test_marker 10.53.0.2
run_server log
@ -407,7 +425,7 @@ for mode in native dnsrps; do
# Check wildcard behavior
t=`expr $t + 1`
t=$((t+1))
echo_i "testing wildcard behavior with 1 RPZ zone (${t})"
add_test_marker 10.53.0.2
run_server wildcard1
@ -422,7 +440,7 @@ for mode in native dnsrps; do
status=1
}
t=`expr $t + 1`
t=$((t+1))
echo_i "testing wildcard behavior with 2 RPZ zones (${t})"
add_test_marker 10.53.0.2
run_server wildcard2
@ -437,7 +455,7 @@ for mode in native dnsrps; do
status=1
}
t=`expr $t + 1`
t=$((t+1))
echo_i "testing wildcard behavior with 1 RPZ zone and no non-wildcard triggers (${t})"
add_test_marker 10.53.0.2
run_server wildcard3
@ -452,7 +470,7 @@ for mode in native dnsrps; do
status=1
}
t=`expr $t + 1`
t=$((t+1))
echo_i "testing wildcard passthru before explicit drop (${t})"
add_test_marker 10.53.0.2
run_server wildcard4
@ -469,7 +487,7 @@ for mode in native dnsrps; do
if [ "$mode" = "native" ]; then
# Check for invalid prefix length error
t=`expr $t + 1`
t=$((t+1))
echo_i "testing for invalid prefix length error (${t})"
add_test_marker 10.53.0.2
run_server invalidprefixlength
@ -479,68 +497,72 @@ for mode in native dnsrps; do
}
fi
t=`expr $t + 1`
echo_i "checking 'nsip-wait-recurse no' is faster than 'nsip-wait-recurse yes' ($t)"
add_test_marker 10.53.0.2 10.53.0.3
echo_i "timing 'nsip-wait-recurse yes' (default)"
ret=0
t1=`$PERL -e 'print time()."\n";'`
$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.yes.$t
t2=`$PERL -e 'print time()."\n";'`
p1=`expr $t2 - $t1`
echo_i "elapsed time $p1 seconds"
if [ "$mode" = "native" ]; then
t=$((t+1))
echo_i "checking 'nsip-wait-recurse no' is faster than 'nsip-wait-recurse yes' ($t)"
add_test_marker 10.53.0.2 10.53.0.3
echo_i "timing 'nsip-wait-recurse yes' (default)"
produce_librpz_rules ns3 policy policy
ret=0
t1=`$PERL -e 'print time()."\n";'`
$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.yes.$t
t2=`$PERL -e 'print time()."\n";'`
p1=$((t2-t1))
echo_i "elapsed time $p1 seconds"
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
copy_setports ns3/named2.conf.in ns3/named.conf
nextpart ns3/named.run > /dev/null
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null
wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
copy_setports ns3/named2.conf.in ns3/named.conf
nextpart ns3/named.run > /dev/null
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null
wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
echo_i "timing 'nsip-wait-recurse no'"
t3=`$PERL -e 'print time()."\n";'`
$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.no.$t
t4=`$PERL -e 'print time()."\n";'`
p2=`expr $t4 - $t3`
echo_i "elapsed time $p2 seconds"
echo_i "timing 'nsip-wait-recurse no'"
echo "update zone policy 0 no_nsip_wait_recurse" > $DNSRPS_TEST_UPDATE_FILE
t3=`$PERL -e 'print time()."\n";'`
$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.no.$t
t4=`$PERL -e 'print time()."\n";'`
p2=$((t4-t3))
echo_i "elapsed time $p2 seconds"
if test $p1 -le $p2; then ret=1; fi
if test $ret != 0; then echo_i "failed"; fi
status=`expr $status + $ret`
if test $p1 -le $p2; then ret=1; fi
if test $ret != 0; then echo_i "failed"; fi
status=$((status+ret))
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
# restore original named.conf
copy_setports ns3/named1.conf.in ns3/named.conf
nextpart ns3/named.run > /dev/null
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null
wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
# restore original named.conf
copy_setports ns3/named1.conf.in ns3/named.conf
nextpart ns3/named.run > /dev/null
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null
wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
t=`expr $t + 1`
echo_i "checking 'nsdname-wait-recurse no' is faster than 'nsdname-wait-recurse yes' ($t)"
add_test_marker 10.53.0.2 10.53.0.3
echo_i "timing 'nsdname-wait-recurse yes' (default)"
ret=0
t1=`$PERL -e 'print time()."\n";'`
$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.yes.$t
t2=`$PERL -e 'print time()."\n";'`
p1=`expr $t2 - $t1`
echo_i "elapsed time $p1 seconds"
t=$((t+1))
echo_i "checking 'nsdname-wait-recurse no' is faster than 'nsdname-wait-recurse yes' ($t)"
add_test_marker 10.53.0.2 10.53.0.3
echo_i "timing 'nsdname-wait-recurse yes' (default)"
ret=0
t1=`$PERL -e 'print time()."\n";'`
$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.yes.$t
t2=`$PERL -e 'print time()."\n";'`
p1=$((t2-t1))
echo_i "elapsed time $p1 seconds"
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
copy_setports ns3/named3.conf.in ns3/named.conf
nextpart ns3/named.run > /dev/null
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null
wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
copy_setports ns3/named3.conf.in ns3/named.conf
nextpart ns3/named.run > /dev/null
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null
wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
echo_i "timing 'nsdname-wait-recurse no'"
t3=`$PERL -e 'print time()."\n";'`
$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.no.$t
t4=`$PERL -e 'print time()."\n";'`
p2=`expr $t4 - $t3`
echo_i "elapsed time $p2 seconds"
echo_i "timing 'nsdname-wait-recurse no'"
t3=`$PERL -e 'print time()."\n";'`
$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.no.$t
t4=`$PERL -e 'print time()."\n";'`
p2=$((t4-t3))
echo_i "elapsed time $p2 seconds"
if test $p1 -le $p2; then ret=1; fi
if test $ret != 0; then echo_i "failed"; fi
status=`expr $status + $ret`
if test $p1 -le $p2; then ret=1; fi
if test $ret != 0; then echo_i "failed"; fi
status=$((status+ret))
fi
[ $status -ne 0 ] && pf=fail || pf=pass