diff --git a/bin/tests/system/ckdnsrps.sh b/bin/tests/system/ckdnsrps.sh index 846c95f100..b64b8c3f77 100644 --- a/bin/tests/system/ckdnsrps.sh +++ b/bin/tests/system/ckdnsrps.sh @@ -14,9 +14,9 @@ set -e # Say on stdout whether to test DNSRPS -# and create dnsrps.conf and dnsrps-secondary.conf -# Note that dnsrps.conf and dnsrps-secondary.conf are included in named.conf -# and differ from dnsrpz.conf which is used by dnsrpzd. +# and creates dnsrps.conf +# Note that dnsrps.conf is included in named.conf +# and differs from dnsrpz.conf which is used by dnsrpzd. . ../conf.sh @@ -26,15 +26,13 @@ DNSRPS_CMD=../rpz/dnsrps AS_NS= TEST_DNSRPS= MCONF=dnsrps.conf -SCONF=dnsrps-secondary.conf -USAGE="$0: [-xAD] [-M dnsrps.conf] [-S dnsrps-secondary.conf]" +USAGE="$0: [-xAD] [-M dnsrps.conf]" while getopts "xADM:S:" c; do case $c in x) set -x; DEBUG=-x;; A) AS_NS=yes;; D) TEST_DNSRPS=yes;; M) MCONF="$OPTARG";; - S) SCONF="$OPTARG";; *) echo "$USAGE" 1>&2; exit 1;; esac done @@ -46,11 +44,9 @@ fi # erase any existing conf files cat /dev/null > $MCONF -cat /dev/null > $SCONF add_conf () { echo "$*" >>$MCONF - echo "$*" >>$SCONF } if ! $FEATURETEST --enable-dnsrps; then 
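Review bot: The getopts string in the second hunk still contains `S:` although the `S)` case and the `-S` part of USAGE are removed, so `-S` is still parsed only to land in the `*)` usage error; drop it: `while getopts "xADM:" c; do`. The `-A`/AS_NS option also looks dead after this commit: the only consumer visible in this file (the qname-as-ns/ip-as-ns block) is deleted in the later hunk and rpz/setup.sh no longer passes `-A`, so either remove it as well or say in USAGE that it is accepted for compatibility.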
@@ -82,86 +78,6 @@ else exit 0 fi -CMN=" dnsrps-options { dnsrpzd-conf ../dnsrpzd.conf - dnsrpzd-sock ../dnsrpzd.sock - dnsrpzd-rpzf ../dnsrpzd.rpzf - dnsrpzd-args '-dddd -L stdout' - log-level 3" - -PRIMARY="$CMN" -if [ -n "$AS_NS" ]; then - PRIMARY="$PRIMARY - qname-as-ns yes - ip-as-ns yes" -fi - -# write dnsrps settings for primary resolver -cat <>$MCONF -$PRIMARY }; -EOF - -# write dnsrps settings for resolvers that should not start dnsrpzd -cat <>$SCONF -$CMN - dnsrpzd '' }; # do not start dnsrpzd -EOF - - -# DNSRPS is available. -# The test should fail if the license is bad. -add_conf "dnsrps-enable yes;" - -# Use alt-dnsrpzd-license.conf if it exists -CUR_L=dnsrpzd-license-cur.conf -ALT_L=alt-dnsrpzd-license.conf -# try ../rpz/alt-dnsrpzd-license.conf if alt-dnsrpzd-license.conf does not exist -[ -s $ALT_L ] || ALT_L=../rpz/alt-dnsrpzd-license.conf -if [ -s $ALT_L ]; then - SRC_L=$ALT_L - USE_ALT= -else - SRC_L=../rpz/dnsrpzd-license.conf - USE_ALT="## consider installing alt-dnsrpzd-license.conf" -fi -cp $SRC_L $CUR_L - -# parse $CUR_L for the license zone name, primary IP addresses, and optional -# transfer-source IP addresses -eval `sed -n -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/'\ - -e 's/.*zone *\([-a-z0-9]*.license.fastrpz.com\).*/NAME=\1/p' \ - -e 's/.*farsight_fastrpz_license *\([0-9.]*\);.*/IPV4=\1/p' \ - -e 's/.*farsight_fastrpz_license *\([0-9a-f:]*\);.*/IPV6=\1/p' \ - -e 's/.*transfer-source *\([0-9.]*\);.*/TS4=-b\1/p' \ - -e 's/.*transfer-source *\([0-9a-f:]*\);.*/TS6=-b\1/p' \ - -e 's/.*transfer-source-v6 *\([0-9a-f:]*\);.*/TS6=-b\1/p' \ - $CUR_L` -if [ -z "$NAME" ]; then - add_conf "## no DNSRPS tests; no license domain name in $SRC_L" - add_conf '#fail' - exit 0 -fi -if [ -z "$IPV4" ]; then - IPV4=license1.fastrpz.com - TS4= -fi -if [ -z "$IPV6" ]; then - IPV6=license1.fastrpz.com - TS6= -fi - -# This TSIG key is common and NOT a secret -KEY='hmac-sha256:farsight_fastrpz_license:f405d02b4c8af54855fcebc1' - -# Try IPv4 and 
then IPv6 to deal with IPv6 tunnel and connectivity problems -if `$DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4 \ - | grep -i "^$NAME.*TXT" >/dev/null`; then - exit 0 -fi -if `$DIG -6 -t axfr -y$KEY $TS6 $NAME @$IPV6 \ - | grep -i "^$NAME.*TXT" >/dev/null`; then - exit 0 -fi - -add_conf "## DNSRPS lacks a valid license via $SRC_L" -[ -z "$USE_ALT" ] || add_conf "$USE_ALT" -add_conf '#fail' +add_conf 'dnsrps-options { log-level 3 };' +add_conf 'dnsrps-enable yes;' +add_conf 'dnsrps-library "../../rpz/testlib/.libs/libdummyrpz.so";' diff --git a/bin/tests/system/rpz/.gitignore b/bin/tests/system/rpz/.gitignore index 0457088016..2a9dd67107 100644 --- a/bin/tests/system/rpz/.gitignore +++ b/bin/tests/system/rpz/.gitignore @@ -1,2 +1 @@ -alt-dnsrpzd-license.conf dnsrps diff --git a/bin/tests/system/rpz/clean.sh b/bin/tests/system/rpz/clean.sh index 1a3127cffd..218df9336d 100644 --- a/bin/tests/system/rpz/clean.sh +++ b/bin/tests/system/rpz/clean.sh @@ -40,6 +40,7 @@ rm -f ns5/example.db ns5/bl.db ns5/fast-expire.db ns5/expire.conf rm -f ns8/manual-update-rpz.db rm -f */policy2.db rm -f */*.jnl +rm -f dnsrps.cache dnsrps.conf if [ ${PARTIAL:-unset} = unset ]; then rm -f proto.* dsset-* trusted.conf dig.out* nsupdate.tmp ns*/*tmp @@ -49,9 +50,7 @@ if [ ${PARTIAL:-unset} = unset ]; then rm -f ns*/named.lock rm -f ns*/named.conf rm -f ns*/*switch - rm -f dnsrps*.conf - rm -f dnsrpzd.conf - rm -f dnsrpzd-license-cur.conf dnsrpzd.rpzf dnsrpzd.sock dnsrpzd.pid + rm -f dnsrps.zones rm -f ns*/managed-keys.bind* rm -f tmp fi diff --git a/bin/tests/system/rpz/dnsrps.c b/bin/tests/system/rpz/dnsrps.c index 5a54ab9c9a..167433f1e1 100644 --- a/bin/tests/system/rpz/dnsrps.c +++ b/bin/tests/system/rpz/dnsrps.c 
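Review bot: The three `add_conf` lines at the end of this hunk are the only DNSRPS-enabled output visible in this file, yet rpz/setup.sh (later in this diff) decides TEST_DNSRPS by grepping dnsrps.conf for `testing with DNSRPS`, a string not written here, while rpzrecurse/setup.sh still greps for `dnsrps-enable yes`. Unless the part of ckdnsrps.sh above this hunk emits that marker, the rpz test will always clear TEST_DNSRPS and silently skip dnsrps mode; either emit it here, e.g. `add_conf '## testing with DNSRPS'`, or use the same `dnsrps-enable yes` check in both setup scripts. The `dnsrps-library` path appears to be resolved relative to each ns*/ directory that includes the file, which is worth a one-line comment above that `add_conf`.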
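Review bot: `rm -f dnsrps.cache dnsrps.conf` is added above the `PARTIAL` guard while the companion `rm -f dnsrps.zones` in the next hunk sits inside it, so a partial clean now removes the generated dnsrps.conf that every ns*/named.conf includes but keeps dnsrps.zones. If that asymmetry is intended a short comment would help; otherwise both belong in the same branch, e.g. `rm -f dnsrps.cache dnsrps.conf dnsrps.zones` inside the guard.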
@@ -13,11 +13,8 @@ /* * -a exit(0) if dnsrps is available or dlopen() msg if not - * -p print the path to dnsrpzd configured in dnsrps so that - * dnsrpzd can be run by a setup.sh script. - * Exit(1) if dnsrps is not available * -n domain print the serial number of a domain to check if a new - * version of a policy zone has been transferred to dnsrpzd. + * version of a policy zone is ready. * Exit(1) if dnsrps is not available * -w sec.ond wait for seconds, because `sleep 0.1` is not portable */ @@ -37,8 +34,6 @@ #ifdef USE_DNSRPS #include - -librpz_t *librpz; #else /* ifdef USE_DNSRPS */ typedef struct { char c[120]; @@ -48,7 +43,7 @@ typedef struct { static bool link_dnsrps(librpz_emsg_t *emsg); -#define USAGE "usage: [-ap] [-n domain] [-w sec.onds]\n" +#define USAGE "usage: [-a] [-n domain] [-w sec.onds]\n" int main(int argc, char **argv) { @@ -64,7 +59,7 @@ main(int argc, char **argv) { char *p; int i; - while ((i = getopt(argc, argv, "apn:w:")) != -1) { + while ((i = getopt(argc, argv, "an:w:")) != -1) { switch (i) { case 'a': if (!link_dnsrps(&emsg)) { @@ -73,18 +68,6 @@ main(int argc, char **argv) { } return (0); - case 'p': - if (!link_dnsrps(&emsg)) { - fprintf(stderr, "## %s\n", emsg.c); - return (1); - } -#ifdef USE_DNSRPS - printf("%s\n", librpz->dnsrpzd_path); -#else /* ifdef USE_DNSRPS */ - UNREACHABLE(); -#endif /* ifdef USE_DNSRPS */ - return (0); - case 'n': if (!link_dnsrps(&emsg)) { fprintf(stderr, "## %s\n", emsg.c); @@ -92,8 +75,7 @@ main(int argc, char **argv) { } #ifdef USE_DNSRPS /* - * Get the serial number of a policy zone from - * a running dnsrpzd daemon. + * Get the serial number of a policy zone. */ clist = librpz->clist_create(&emsg, NULL, NULL, NULL, NULL, NULL); 
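Review bot: The definition `librpz_t *librpz;` is removed from the `#ifdef USE_DNSRPS` block, but `link_dnsrps()` still assigns `librpz` and the `-n` path still dereferences `librpz->clist_create` and `client_create`, so the symbol must now come from the header included just above; if that header only provides an `extern` declaration this program will fail to link, and if it provides a definition, any other translation unit defining it will clash. A comment at the `#include`, e.g. `/* provides the librpz handle used by link_dnsrps() */`, would make the dependency explicit. The same header presumably also defines `LIBRPZ_LIB_OPEN`, which replaces `DNSRPS_LIBRPZ_PATH` in the later hunk of this file.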
@@ -101,11 +83,7 @@ main(int argc, char **argv) { fprintf(stderr, "## %s: %s\n", optarg, emsg.c); return (1); } - snprintf(cstr, sizeof(cstr), - "zone %s; dnsrpzd \"\";" - " dnsrpzd-sock dnsrpzd.sock;" - " dnsrpzd-rpzf dnsrpzd.rpzf", - optarg); + snprintf(cstr, sizeof(cstr), "zone %s;", optarg); client = librpz->client_create(&emsg, clist, cstr, true); if (client == NULL) { @@ -162,7 +140,7 @@ main(int argc, char **argv) { static bool link_dnsrps(librpz_emsg_t *emsg) { #ifdef USE_DNSRPS - librpz = librpz_lib_open(emsg, NULL, DNSRPS_LIBRPZ_PATH); + librpz = librpz_lib_open(emsg, NULL, LIBRPZ_LIB_OPEN); if (librpz == NULL) { return (false); } diff --git a/bin/tests/system/rpz/dnsrpzd.conf.in b/bin/tests/system/rpz/dnsrps.zones.in similarity index 98% rename from bin/tests/system/rpz/dnsrpzd.conf.in rename to bin/tests/system/rpz/dnsrps.zones.in index 736556286d..90789b347c 100644 --- a/bin/tests/system/rpz/dnsrpzd.conf.in +++ b/bin/tests/system/rpz/dnsrps.zones.in @@ -15,8 +15,6 @@ pid-file ../dnsrpzd.pid -include ../dnsrpzd-license-cur.conf - # configure NOTIFY and zone transfers port @EXTRAPORT1@; listen-on port @EXTRAPORT1@ { 10.53.0.3; }; diff --git a/bin/tests/system/rpz/dnsrpzd-license.conf b/bin/tests/system/rpz/dnsrpzd-license.conf deleted file mode 100644 index 739b39d19d..0000000000 --- a/bin/tests/system/rpz/dnsrpzd-license.conf +++ /dev/null 
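Review bot: The renamed file still begins with `pid-file ../dnsrpzd.pid` and keeps the NOTIFY/transfer `port`/`listen-on` settings for a dnsrpzd daemon that this commit stops launching (setup.sh no longer runs it and clean.sh no longer removes dnsrpzd.pid). As far as this diff shows, the only remaining consumer is the `FZONES` sed in rpz/tests.sh, which extracts the `zone "..."` lines; if that is so, the file could be reduced to the zone list, or at least carry a header comment such as `# zone list consumed by tests.sh (dnsrps_loaded); the remaining settings are unused`.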
@@ -1,23 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -zone isc.license.fastrpz.com { - primaries port 53 { - KEY farsight_fastrpz_license 104.244.14.176; - KEY farsight_fastrpz_license 2620:11c:f008::176; - }; -}; - -key farsight_fastrpz_license { - algorithm hmac-sha256; secret "f405d02b4c8af54855fcebc1"; -}; diff --git a/bin/tests/system/rpz/ns5/named.conf.in b/bin/tests/system/rpz/ns5/named.conf.in index e1f8fb6056..58b591b70d 100644 --- a/bin/tests/system/rpz/ns5/named.conf.in +++ b/bin/tests/system/rpz/ns5/named.conf.in @@ -35,7 +35,7 @@ options { # turn rpz on or off include "rpz-switch"; - include "../dnsrps-secondary.conf"; + include "../dnsrps.conf"; }; key rndc_key { diff --git a/bin/tests/system/rpz/ns6/named.conf.in b/bin/tests/system/rpz/ns6/named.conf.in index c0ad5c4237..5c4b77437f 100644 --- a/bin/tests/system/rpz/ns6/named.conf.in +++ b/bin/tests/system/rpz/ns6/named.conf.in @@ -36,7 +36,7 @@ options { nsip-enable yes nsdname-enable yes; - include "../dnsrps-secondary.conf"; + include "../dnsrps.conf"; }; logging { category rpz { default_debug; }; }; @@ -58,7 +58,7 @@ zone "policy1" { file "empty.db"; also-notify { 10.53.0.3 port @EXTRAPORT1@; }; notify-delay 0; - allow-transfer { any; }; + allow-transfer { any; }; }; zone "bl.tld2s." { diff --git a/bin/tests/system/rpz/ns7/named.conf.in b/bin/tests/system/rpz/ns7/named.conf.in index 40c385c32d..3aed1a2bb1 100644 --- a/bin/tests/system/rpz/ns7/named.conf.in +++ b/bin/tests/system/rpz/ns7/named.conf.in 
@@ -32,7 +32,7 @@ options { nsdname-enable yes min-update-interval 0; - include "../dnsrps-secondary.conf"; + include "../dnsrps.conf"; }; logging { category rpz { default_debug; }; }; @@ -54,6 +54,6 @@ zone "policy2" { file "policy2.db"; also-notify { 10.53.0.3 port @EXTRAPORT1@; }; notify-delay 0; - allow-transfer { any; }; + allow-transfer { any; }; request-ixfr no; // force axfr on rndc reload }; diff --git a/bin/tests/system/rpz/ns9/named.conf.in b/bin/tests/system/rpz/ns9/named.conf.in index 70297bdeba..0d3fce7852 100644 --- a/bin/tests/system/rpz/ns9/named.conf.in +++ b/bin/tests/system/rpz/ns9/named.conf.in @@ -30,7 +30,7 @@ options { recursion yes; dnssec-validation yes; dns64-server "example.localdomain."; - dns64 64:ff9b::/96 { }; + dns64 64:ff9b::/96 { }; response-policy { zone "rpz"; } diff --git a/bin/tests/system/rpz/ns9/rpz.db b/bin/tests/system/rpz/ns9/rpz.db index dcbe5d6728..77679873c6 100644 --- a/bin/tests/system/rpz/ns9/rpz.db +++ b/bin/tests/system/rpz/ns9/rpz.db @@ -9,8 +9,9 @@ ; See the COPYRIGHT file distributed with this work for additional ; information regarding copyright ownership. -rpz. 28800 IN SOA rpz. hostmaster.rpz. 6 10800 3600 2419200 900 -rpz. 28800 IN NS . -a-only.example.rpz. 28800 IN CNAME *. -no-a-no-aaaa.example.rpz. 28800 IN CNAME *. -a-plus-aaaa.example.rpz. 28800 IN CNAME *. +$TTL 28800 +rpz. IN SOA rpz. hostmaster.rpz. 6 10800 3600 2419200 900 +rpz. IN NS . +a-only.example CNAME *. +no-a-no-aaaa.example CNAME *. +a-plus-aaaa.example CNAME *. diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh index 75e4957ea4..cc102c2f59 100644 --- a/bin/tests/system/rpz/setup.sh +++ b/bin/tests/system/rpz/setup.sh 
@@ -55,13 +55,13 @@ copy_setports ns8/named.conf.in ns8/named.conf copy_setports ns9/named.conf.in ns9/named.conf copy_setports ns10/named.conf.in ns10/named.conf -copy_setports dnsrpzd.conf.in dnsrpzd.conf +copy_setports dnsrps.zones.in dnsrps.zones # decide whether to test DNSRPS -# Note that dnsrps.conf and dnsrps-secondary.conf are included in named.conf -# and differ from dnsrpz.conf which is used by dnsrpzd. -$SHELL ../ckdnsrps.sh -A $TEST_DNSRPS $DEBUG -test -z "$(grep 'dnsrps-enable yes' dnsrps.conf)" && TEST_DNSRPS= +# Note that dnsrps.conf is included in named.conf +$SHELL ../ckdnsrps.sh $TEST_DNSRPS $DEBUG +test -z "$(grep 'testing with DNSRPS' dnsrps.conf)" && TEST_DNSRPS= +touch dnsrps.cache # set up test policy zones. # bl is the main test zone @@ -169,11 +169,3 @@ cp ns2/bl.tld2.db.in ns2/bl.tld2.db cp ns5/empty.db.in ns5/empty.db cp ns5/empty.db.in ns5/policy2.db cp ns6/bl.tld2s.db.in ns6/bl.tld2s.db - -# Run dnsrpzd to get the license and prime the static policy zones -if test -n "$TEST_DNSRPS"; then - DNSRPZD="$(../rpz/dnsrps -p)" - cd ns3 - "$DNSRPZ" -D../dnsrpzd.rpzf -S../dnsrpzd.sock -C../dnsrpzd.conf \ - -w 0 -dddd -L stdout >./dnsrpzd.run 2>&1 -fi diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh index 4e83a6b702..a18064d3d9 100644 --- a/bin/tests/system/rpz/tests.sh +++ b/bin/tests/system/rpz/tests.sh @@ -35,6 +35,7 @@ HAVE_CORE= status=0 t=0 +export DNSRPS_TEST_UPDATE_FILE=$(pwd)/dnsrps.cache DEBUG= SAVE_RESULTS= ARGS= @@ -67,7 +68,6 @@ DNSRPSCMD=./dnsrps RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" if test -x $DNSRPSCMD; then - # speed up the many delays for dnsrpzd by waiting only 0.1 seconds WAIT_CMD="$DNSRPSCMD -w 0.1" TEN_SECS=100 else 
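Review bot: `export DNSRPS_TEST_UPDATE_FILE=$(pwd)/dnsrps.cache` leaves the command substitution unquoted; whether an `export` argument is field-split depends on the shell, so a build directory containing whitespace could export a truncated path. Quote it: `export DNSRPS_TEST_UPDATE_FILE="$(pwd)/dnsrps.cache"`. The same line is added to rpzrecurse/tests.sh later in this diff.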
@@ -129,10 +129,10 @@ get_sn_fast () { fi } -# check that dnsrpzd has loaded its zones +# check that dnsrps provider has zones loaded # $1=domain # $2=DNS server IP address -FZONES=`sed -n -e 's/^zone "\(.*\)".*\(10.53.0..\).*/Z=\1;M=\2/p' dnsrpzd.conf` +FZONES=`sed -n -e 's/^zone "\(.*\)".*\(10.53.0..\).*/Z=\1;M=\2/p' dnsrps.zones` dnsrps_loaded() { test "$mode" = dnsrps || return n=0 @@ -182,7 +182,15 @@ ck_soa() { # (re)load the response policy zones with the rules in the file $TEST_FILE load_db () { if test -n "$TEST_FILE"; then - copy_setports $TEST_FILE tmp + copy_setports $TEST_FILE tmp + + for ZONE in bl0 bl1 bl2 bl3 bl4 bl5 bl6 bl7 bl8 bl9 bl10 bl11 bl12 bl13 bl14 bl15 bl16 bl17 bl18 bl19; do + produce_librpz_rules ns5 $ZONE bl + done + + produce_librpz_rules ns2 bl.tld2 bl.tld2 + cat tmp >> $DNSRPS_TEST_UPDATE_FILE + if $NSUPDATE -v tmp; then : $RNDCCMD $ns3 sync else @@ -190,7 +198,7 @@ load_db () { $RNDCCMD $ns3 sync exit 1 fi - rm -f tmp + rm -f tmp fi } @@ -213,11 +221,11 @@ restart () { fi rm -f ns$1/*.jnl if [ "$2" = "rebuild-bl-rpz" ]; then - if test -f ns$1/base.db; then + if test -f ns$1/base.db; then for NM in ns$1/bl*.db; do - cp -f ns$1/base.db $NM - done - fi + cp -f ns$1/base.db $NM + done + fi fi start_server --noclean --restart --port ${PORT} ns$1 load_db @@ -242,8 +250,8 @@ ckalive () { } resetstats () { - NSDIR=$1 - eval "${NSDIR}_CNT=''" + NSDIR=$1 + eval "${NSDIR}_CNT=''" } ckstats () { @@ -279,6 +287,16 @@ ckstatsrange () { eval "${NSDIR}_CNT=$NEW_CNT" } +add_librpz_rule() { + echo $1 >> $DNSRPS_TEST_UPDATE_FILE +} + +produce_librpz_rules() { + # echo "Producing rules for $1" + ZONEFILE=$1/$3.db + cat $ZONEFILE | egrep -v '^;' | egrep '\<(A|CNAME)\>' | awk -v zone=$2 '{ if (NF == 4) {print "static add "$1"."zone" "$2" "$3" "$4} else if (NF == 3) {print "static add "$1"."zone" 300 "$2" "$3}}' >> $DNSRPS_TEST_UPDATE_FILE +} + # $1=message # $2=optional test file name start_group () { 
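Review bot: In load_db the new loop feeds the same `ns5/bl.db` to `produce_librpz_rules` under twenty hard-coded zone names (`bl0` … `bl19`) and then appends the raw nsupdate script `tmp` to `$DNSRPS_TEST_UPDATE_FILE` on top of the `static add` lines; whether the consumer of that file accepts nsupdate syntax next to the static rules is not visible here. Add `# TODO(review): confirm the rules consumer accepts nsupdate syntax from tmp alongside "static add" lines` above the `cat tmp` line, and if the zone set is meant to track the `ns5/bl*.db` files that `restart` rebuilds, derive the names from those files instead of a literal list.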
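Review bot: `add_librpz_rule` writes its argument with `echo $1`, unquoted, so a rule containing `*` is subject to pathname expansion before it reaches the file — and the later hunk at `@@ -918` passes exactly such a rule, `update add *.x.servfail.policy2 300 CNAME .`, which would be rewritten if any file in the test directory matched the pattern. Use `printf '%s\n' "$1" >> "$DNSRPS_TEST_UPDATE_FILE"`. `produce_librpz_rules` also uses `cat file | egrep` where `grep -v '^;' "$ZONEFILE"` suffices, relies on the GNU-only `\<`/`\>` word boundaries in its second grep, and is duplicated verbatim in rpzrecurse/tests.sh; if the test scripts source a common conf.sh as ckdnsrps.sh does, that is the natural place for a single definition of the awk program.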
@@ -299,9 +317,10 @@ start_group () { end_group () { if test -n "$TEST_FILE"; then # remove the previous set of test rules - copy_setports $TEST_FILE tmp + copy_setports $TEST_FILE tmp + add_librpz_rule "rollback" sed -e 's/[ ]add[ ]/ delete /' tmp | $NSUPDATE - rm -f tmp + rm -f tmp TEST_FILE= fi ckalive $ns3 "failed; ns3 server crashed and restarted" @@ -510,6 +529,7 @@ for mode in native dnsrps; do retry_quiet 10 make_proto_nodata start_group "QNAME rewrites" test1 + nochange . # 1 do not crash or rewrite root nxdomain a0-1.tld2 # 2 nodata a3-1.tld2 # 3 @@ -600,13 +620,18 @@ EOF # updating an response zone policy cp ns2/blv2.tld2.db.in ns2/bl.tld2.db rndc_reload ns2 $ns2 bl.tld2 + add_librpz_rule "update zone bl.tld2 1 inc" ck_soa 2 bl.tld2 $ns3 + add_librpz_rule "wipe" + produce_librpz_rules ns2 bl.tld2 bl.tld2 nochange a7-1.tld2 # 19 PASSTHRU # ensure that a clock tick has occurred so that named will do the reload sleep 1 cp ns2/blv3.tld2.db.in ns2/bl.tld2.db rndc_reload ns2 $ns2 bl.tld2 + add_librpz_rule "update zone bl.tld2 1 inc" ck_soa 3 bl.tld2 $ns3 + produce_librpz_rules ns2 bl.tld2 bl.tld2 nxdomain a7-1.tld2 # 20 secondary policy zone (RT34450) end_group ckstats $ns3 test2 ns3 12 @@ -647,17 +672,10 @@ EOF nxdomain a3-1.static-stub # 14 nochange_ns10 a3-1.stub-nomatch # 15 nochange_ns10 a3-1.static-stub-nomatch # 16 - if [ "$mode" = dnsrps ]; then - addr 12.12.12.12 as-ns.tld5. # 17 qname-as-ns - fi nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" && setret "seen: unrecognized NS rpz_rrset_find() failed: glue" end_group - if [ "$mode" = dnsrps ]; then - ckstats $ns3 test3 ns3 10 - else - ckstats $ns3 test3 ns3 9 - fi + ckstats $ns3 test3 ns3 9 # these tests assume "min-ns-dots 0" start_group "NSIP rewrites" test4 
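Review bot: Before the first `produce_librpz_rules ns2 bl.tld2 bl.tld2` the hunk issues `add_librpz_rule "wipe"`, but the second update (after `ck_soa 3 bl.tld2 $ns3`) regenerates rules from blv3 without a wipe, so the cache file then holds both the blv2 and the blv3 rule sets for bl.tld2. If the provider treats later `static add` lines as replacements this is harmless, but that is not visible here; either add the matching `add_librpz_rule "wipe"` before the second call or comment why it is unnecessary.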
@@ -670,9 +688,6 @@ EOF nxdomain a4-1.static-stub # 6 nochange_ns10 a4-1.stub-nomatch # 7 nochange_ns10 a4-1.static-stub-nomatch # 8 - if [ "$mode" = dnsrps ]; then - addr 12.12.12.12 as-ns.tld5. # 9 ip-as-ns - fi nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" && setret "seen: unrecognized NS rpz_rrset_find() failed: glue" end_group @@ -685,11 +700,7 @@ EOF a3-1.tld2. x IN TXT "NSIP walled garden" EOF end_group - if [ "$mode" = dnsrps ]; then - ckstats $ns3 test4 ns3 7 - else - ckstats $ns3 test4 ns3 6 - fi + ckstats $ns3 test4 ns3 6 # policies in ./test5 overridden by response-policy{} in ns3/named.conf # and in ns5/named.conf @@ -722,6 +733,7 @@ EOF ckstats $ns5 test5 ns5 4 # check that miscellaneous bugs are still absent + add_librpz_rule "wipe" start_group "crashes" test6 for Q in RRSIG SIG ANY 'ANY +dnssec'; do nocrash a3-1.tld2 -t$Q @@ -789,27 +801,6 @@ EOF echo_i "performance not checked; queryperf not available" fi - if [ "$mode" = dnsrps ]; then - echo_i "checking that dnsrpzd is automatically restarted" - OLD_PID=`cat dnsrpzd.pid` - kill "$OLD_PID" - n=0 - while true; do - NEW_PID=`cat dnsrpzd.pid 2>/dev/null` - if test -n "$NEW_PID" -a "0$OLD_PID" -ne "0$NEW_PID"; then - #echo "OLD_PID=$OLD_PID NEW_PID=$NEW_PID" - break; - fi - $DIG -p ${PORT} +short +norecurse a0-1.tld2 @$ns3 >/dev/null - n=`expr $n + 1` - if test "$n" -gt $TEN_SECS; then - setret "dnsrpzd did not restart" - break - fi - $WAIT_CMD - done - fi - # Ensure ns3 manages to transfer the fast-expire zone before shutdown. nextpartreset ns3/named.run wait_for_log 20 "zone fast-expire/IN: transferred serial 1" ns3/named.run @@ -822,6 +813,7 @@ EOF # restart the main test RPZ server to see if that creates a core file if test -z "$HAVE_CORE"; then stop_server --use-rndc --port ${CONTROLPORT} ns3 + add_librpz_rule "restart" restart 3 "rebuild-bl-rpz" HAVE_CORE=`find ns* -name '*core*' -print` test -z "$HAVE_CORE" || setret "found $HAVE_CORE; memory leak?" 
@@ -833,7 +825,7 @@ EOF if test -n "$EMSGS"; then setret "error messages in $runfile starting with:" grep -E 'invalid rpz|rpz.*failed' ns*/named.run | \ - sed -e '10,$d' -e 's/^//' | cat_i + sed -e '10,$d' -e 's/^//' | cat_i fi done @@ -918,9 +910,11 @@ EOF nsd $ns5 delete '*.example.com.policy1.' example.com.policy1. done + t=`expr $t + 1` echo_i "checking that going from an empty policy zone works (${t})" nsd $ns5 add '*.x.servfail.policy2.' x.servfail.policy2. + add_librpz_rule "update add *.x.servfail.policy2 300 CNAME ." sleep 1 rndc_reload ns7 $ns7 policy2 $DIG z.x.servfail -p ${PORT} @$ns7 > dig.out.${t} @@ -977,6 +971,7 @@ EOF fi # RPZ 'CNAME *.' (NODATA) trumps DNS64. Test against various DNS64 scenarios. + produce_librpz_rules ns9 rpz rpz for label in a-only no-a-no-aaaa a-plus-aaaa do for type in AAAA A diff --git a/bin/tests/system/rpzextra/ns1/named.conf.in b/bin/tests/system/rpzextra/ns1/named.conf.in index 202ffa7006..224064d64f 100644 --- a/bin/tests/system/rpzextra/ns1/named.conf.in +++ b/bin/tests/system/rpzextra/ns1/named.conf.in @@ -40,19 +40,19 @@ options { logging { channel rpz_passthru { - file "rpz_passthru.txt" versions 3 size 5m; - print-time yes; - print-category yes; - print-severity yes; - severity info; + file "rpz_passthru.txt" versions 3 size 5m; + print-time yes; + print-category yes; + print-severity yes; + severity info; }; channel rpz_log { - file "rpz.txt" versions 3 size 20m; - print-time yes; - print-category yes; - print-severity yes; - severity info; + file "rpz.txt" versions 3 size 20m; + print-time yes; + print-category yes; + print-severity yes; + severity info; }; category rpz { rpz_log; default_debug; }; diff --git a/bin/tests/system/rpzrecurse/.gitignore b/bin/tests/system/rpzrecurse/.gitignore index 5d4371d852..b58ca75d82 100644 --- a/bin/tests/system/rpzrecurse/.gitignore +++ b/bin/tests/system/rpzrecurse/.gitignore 
@@ -5,7 +5,6 @@ /ns3/named2.conf /ns4/named.conf /ans5/ans.pid -/dnsrps-secondary.conf /dnsrps.conf /dnsrpzd.conf session.key diff --git a/bin/tests/system/rpzrecurse/clean.sh b/bin/tests/system/rpzrecurse/clean.sh index 45b7940256..d1d57abb6b 100644 --- a/bin/tests/system/rpzrecurse/clean.sh +++ b/bin/tests/system/rpzrecurse/clean.sh @@ -29,6 +29,7 @@ rm -f ns2/named.conf.header rm -f ns3/named.conf rm -f ns3/named.run.prev -rm -f dnsrps*.conf dnsrpzd* +rm -f dnsrps.cache +rm -f dnsrps*.conf rm -f ns*/session.key rm -f ns*/managed-keys.bind* ns*/*.mkeys* diff --git a/bin/tests/system/rpzrecurse/ns2/named.conf.header.in b/bin/tests/system/rpzrecurse/ns2/named.conf.header.in index 2fb16788aa..90a17b7a37 100644 --- a/bin/tests/system/rpzrecurse/ns2/named.conf.header.in +++ b/bin/tests/system/rpzrecurse/ns2/named.conf.header.in @@ -27,7 +27,7 @@ options { querylog yes; # let ns3 start dnsrpzd - include "../dnsrps-secondary.conf"; + include "../dnsrps.conf"; }; key rndc_key { diff --git a/bin/tests/system/rpzrecurse/setup.sh b/bin/tests/system/rpzrecurse/setup.sh index e68784f46a..6ffe1d6cc4 100644 --- a/bin/tests/system/rpzrecurse/setup.sh +++ b/bin/tests/system/rpzrecurse/setup.sh @@ -46,6 +46,11 @@ copy_setports ns3/named1.conf.in ns3/named.conf copy_setports ns4/named.conf.in ns4/named.conf +# decide whether to test DNSRPS +$SHELL ../ckdnsrps.sh $TEST_DNSRPS $DEBUG +test -z "`grep 'dnsrps-enable yes' dnsrps.conf`" && TEST_DNSRPS= +touch dnsrps.cache + # setup policy zones for a 64-zone test i=1 while test $i -le 64 
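Review bot: The comment `# let ns3 start dnsrpzd` directly above the changed include is now stale: there is no dnsrpzd and no secondary variant of the file any more, every server simply includes `../dnsrps.conf`. Replace it with something like `# DNSRPS settings generated by ../ckdnsrps.sh` or drop it.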
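Review bot: `touch dnsrps.cache` creates a new generated artifact, but neither rpzrecurse/.gitignore (which only loses `/dnsrps-secondary.conf` in this diff) nor rpz/.gitignore gains a `dnsrps.cache` entry, so a test run leaves an untracked file until clean.sh runs unless a parent .gitignore covers it. This script also clears TEST_DNSRPS on `grep 'dnsrps-enable yes'` while rpz/setup.sh now greps for `testing with DNSRPS`; the two checks should agree on one marker.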
@@ -63,25 +68,3 @@ do done i=`expr $i + 1` done - -# decide whether to test DNSRPS -$SHELL ../ckdnsrps.sh $TEST_DNSRPS $DEBUG -test -z "`grep 'dnsrps-enable yes' dnsrps.conf`" && TEST_DNSRPS= - -CWD=`pwd` -cat <dnsrpzd.conf -PID-FILE $CWD/dnsrpzd.pid; - -include $CWD/dnsrpzd-license-cur.conf - -zone "policy" { type primary; file "`pwd`/ns3/policy.db"; }; -EOF -sed -n -e 's/^ *//' -e "/zone.*.*primary/s@file \"@&$CWD/ns2/@p" ns2/*.conf \ - >>dnsrpzd.conf - -# Run dnsrpzd to get the license and prime the static policy zones -if test -n "$TEST_DNSRPS"; then - DNSRPZD="`../rpz/dnsrps -p`" - "$DNSRPZD" -D./dnsrpzd.rpzf -S./dnsrpzd.sock -C./dnsrpzd.conf \ - -w 0 -dddd -L stdout >./dnsrpzd.run 2>&1 -fi diff --git a/bin/tests/system/rpzrecurse/tests.sh b/bin/tests/system/rpzrecurse/tests.sh index 23ed82e6e9..aea2701954 100644 --- a/bin/tests/system/rpzrecurse/tests.sh +++ b/bin/tests/system/rpzrecurse/tests.sh @@ -20,6 +20,7 @@ status=0 t=0 +export DNSRPS_TEST_UPDATE_FILE=$(pwd)/dnsrps.cache DEBUG= ARGS= @@ -46,6 +47,7 @@ RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" run_server() { TESTNAME=$1 + start_server_rules $1 $2 echo_i "stopping resolver" stop_server --use-rndc --port ${CONTROLPORT} ns2 
@@ -57,6 +59,22 @@ run_server() { sleep 3 } +start_server_rules() { + FCONF=ns2/named.$1.conf + + cat /dev/null > $DNSRPS_TEST_UPDATE_FILE + cat $FCONF | grep 'zone ' | grep ' primary' | while read LINE; do + ZONE=`echo $LINE | sed 's/.*zone "//g' | awk -F '"' '{print $1}'`; + DBFILE=`echo $LINE | sed 's/.*file "//g' | awk -F '"' '{print $1}'`; + cat ns2/$DBFILE | egrep -v '^;' | egrep '\<(A|CNAME)\>' | awk -v zone=$ZONE '{ if (NF == 4) {print "static add "$1"."zone" "$2" "$3" "$4} else if (NF == 3) {print "static add "$1"."zone" 300 "$2" "$3}}' >> $DNSRPS_TEST_UPDATE_FILE + done +} + +produce_librpz_rules() { + ZONEFILE=$1/$3.db + cat $ZONEFILE | egrep -v '^;' | egrep '\<(A|CNAME)\>' | awk -v zone=$2 '{ if (NF == 4) {print "static add "$1"."zone" "$2" "$3" "$4} else if (NF == 3) {print "static add "$1"."zone" 300 "$2" "$3}}' >> $DNSRPS_TEST_UPDATE_FILE +} + run_query() { TESTNAME=$1 LINE=$2 @@ -74,7 +92,7 @@ expect_norecurse() { LINE=$2 NAME=`sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1` - t=`expr $t + 1` + t=$((t+1)) echo_i "testing $NAME doesn't recurse (${t})" add_test_marker 10.53.0.2 run_query $TESTNAME $LINE || { @@ -90,7 +108,7 @@ expect_recurse() { LINE=$2 NAME=`sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1` - t=`expr $t + 1` + t=$((t+1)) echo_i "testing $NAME recurses (${t})" add_test_marker 10.53.0.2 run_query $TESTNAME $LINE && { @@ -144,7 +162,7 @@ for mode in native dnsrps; do # show whether and why DNSRPS is enabled or disabled sed -n 's/^## //p' dnsrps.conf | cat_i - t=`expr $t + 1` + t=$((t+1)) echo_i "testing that l1.l0 exists without RPZ (${t})" add_test_marker 10.53.0.2 $DIG $DIGOPTS l1.l0 ns @10.53.0.2 -p ${PORT} > dig.out.${t} @@ -153,7 +171,7 @@ for mode in native dnsrps; do status=1 } - t=`expr $t + 1` + t=$((t+1)) echo_i "testing that l2.l1.l0 returns SERVFAIL without RPZ (${t})" add_test_marker 10.53.0.2 $DIG $DIGOPTS l2.l1.l0 ns @10.53.0.2 -p ${PORT} > dig.out.${t} 
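Review bot: `start_server_rules` inlines a third copy of the zone-file-to-`static add` awk program that `produce_librpz_rules` below and rpz/tests.sh already carry, and its `while read LINE` loop lacks `-r` and pipes `cat` into `grep`. Factoring the pipeline into one helper that takes a zone file path and a zone name removes the duplication while `produce_librpz_rules` keeps its interface; the `$2` that run_server passes is never read by this function, so either use it or drop it from the call. The rewrite below keeps the original sed and awk expressions unchanged.
```shell
# Append "static add" rules for the A/CNAME records in zone file $1,
# owner names qualified with zone name $2, to $DNSRPS_TEST_UPDATE_FILE.
zonefile_to_librpz_rules() {
  grep -v '^;' "$1" | grep -E '\<(A|CNAME)\>' \
    | awk -v zone="$2" '{ if (NF == 4) {print "static add "$1"."zone" "$2" "$3" "$4} else if (NF == 3) {print "static add "$1"."zone" 300 "$2" "$3}}' \
    >> "$DNSRPS_TEST_UPDATE_FILE"
}

start_server_rules() {
  FCONF=ns2/named.$1.conf

  cat /dev/null > "$DNSRPS_TEST_UPDATE_FILE"
  grep 'zone ' "$FCONF" | grep ' primary' | while IFS= read -r LINE; do
    ZONE=$(printf '%s\n' "$LINE" | sed 's/.*zone "//g' | awk -F '"' '{print $1}')
    DBFILE=$(printf '%s\n' "$LINE" | sed 's/.*file "//g' | awk -F '"' '{print $1}')
    zonefile_to_librpz_rules "ns2/$DBFILE" "$ZONE"
  done
}

produce_librpz_rules() {
  zonefile_to_librpz_rules "$1/$3.db" "$2"
}
```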
@@ -211,7 +229,7 @@ for mode in native dnsrps; do for n in $testlist; do run_server 4$n ni=$1 - t=`expr $t + 1` + t=$((t+1)) echo_i "testing that ${ni} of 33 queries skip recursion (${t})" add_test_marker 10.53.0.2 c=0 @@ -221,7 +239,7 @@ for mode in native dnsrps; do run_query 4$n $i c=`expr $c + $?` done - skipped=`expr 33 - $c` + skipped=$((33-c)) if [ $skipped != $ni ]; then echo_i "test $t failed (actual=$skipped, expected=$ni)" status=1 @@ -242,7 +260,7 @@ for mode in native dnsrps; do echo_i "check recursive behavior consistency during policy update races" run_server 6a sleep 1 - t=`expr $t + 1` + t=$((t+1)) echo_i "running dig to cache CNAME record (${t})" add_test_marker 10.53.0.1 10.53.0.2 $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME > dig.out.${t} @@ -256,7 +274,7 @@ for mode in native dnsrps; do $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i test -f dnsrpzd.pid && kill -USR1 `cat dnsrpzd.pid` sleep 1 - t=`expr $t + 1` + t=$((t+1)) echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})" add_test_marker 10.53.0.2 $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 > dig.out.${t} & @@ -285,7 +303,7 @@ for mode in native dnsrps; do cp ns2/saved.policy.local ns2/db.6a.00.policy.local run_server 6a sleep 1 - t=`expr $t + 1` + t=$((t+1)) echo_i "running dig to cache CNAME record (${t})" add_test_marker 10.53.0.1 10.53.0.2 $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME > dig.out.${t} 
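Review bot: `c=` with backticks and `expr` in the loop body keeps the old form while the surrounding lines (`t=$((t+1))`, `skipped=$((33-c))`) were converted to arithmetic expansion in this hunk, leaving the two styles mixed three lines apart. For consistency: `c=$((c + $?))` — `$?` is still run_query's status when that word is expanded.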
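Review bot: The context line `test -f dnsrpzd.pid && kill -USR1 ...` just above the changed counter still signals a dnsrpzd daemon that this commit stops starting (rpzrecurse/setup.sh no longer launches it and clean.sh no longer removes its pid file), so it is dead code and hides what the dnsrps reload now relies on; the same line appears in the hunk at `@@ -298`. Drop both, or if the dnsrps provider needs a matching signal after `rndc reload`, feed it through `add_librpz_rule` as rpz/tests.sh does.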
@@ -298,7 +316,7 @@ for mode in native dnsrps; do $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i test -f dnsrpzd.pid && kill -USR1 `cat dnsrpzd.pid` sleep 1 - t=`expr $t + 1` + t=$((t+1)) echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})" add_test_marker 10.53.0.2 $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 > dig.out.${t} & @@ -323,7 +341,7 @@ for mode in native dnsrps; do } # Check maximum number of RPZ zones (64) - t=`expr $t + 1` + t=$((t+1)) echo_i "testing maximum number of RPZ zones (${t})" add_test_marker 10.53.0.2 run_server max @@ -335,11 +353,11 @@ for mode in native dnsrps; do echo_i "test $t failed: didn't get expected answer from policy zone $i" status=1 } - i=`expr $i + 1` + i=$((i+1)) done # Check CLIENT-IP behavior - t=`expr $t + 1` + t=$((t+1)) echo_i "testing CLIENT-IP behavior (${t})" add_test_marker 10.53.0.2 run_server clientip @@ -354,7 +372,7 @@ for mode in native dnsrps; do } # Check CLIENT-IP behavior #2 - t=`expr $t + 1` + t=$((t+1)) echo_i "testing CLIENT-IP behavior #2 (${t})" add_test_marker 10.53.0.2 run_server clientip2 @@ -384,7 +402,7 @@ for mode in native dnsrps; do } # Check RPZ log clause - t=`expr $t + 1` + t=$((t+1)) echo_i "testing RPZ log clause (${t})" add_test_marker 10.53.0.2 run_server log @@ -407,7 +425,7 @@ for mode in native dnsrps; do # Check wildcard behavior - t=`expr $t + 1` + t=$((t+1)) echo_i "testing wildcard behavior with 1 RPZ zone (${t})" add_test_marker 10.53.0.2 run_server wildcard1 @@ -422,7 +440,7 @@ for mode in native dnsrps; do status=1 } - t=`expr $t + 1` + t=$((t+1)) echo_i "testing wildcard behavior with 2 RPZ zones (${t})" add_test_marker 10.53.0.2 run_server wildcard2 
@@ -437,7 +455,7 @@ for mode in native dnsrps; do status=1 } - t=`expr $t + 1` + t=$((t+1)) echo_i "testing wildcard behavior with 1 RPZ zone and no non-wildcard triggers (${t})" add_test_marker 10.53.0.2 run_server wildcard3 @@ -452,7 +470,7 @@ for mode in native dnsrps; do status=1 } - t=`expr $t + 1` + t=$((t+1)) echo_i "testing wildcard passthru before explicit drop (${t})" add_test_marker 10.53.0.2 run_server wildcard4 @@ -469,7 +487,7 @@ for mode in native dnsrps; do if [ "$mode" = "native" ]; then # Check for invalid prefix length error - t=`expr $t + 1` + t=$((t+1)) echo_i "testing for invalid prefix length error (${t})" add_test_marker 10.53.0.2 run_server invalidprefixlength 
@@ -479,68 +497,72 @@ for mode in native dnsrps; do } fi - t=`expr $t + 1` - echo_i "checking 'nsip-wait-recurse no' is faster than 'nsip-wait-recurse yes' ($t)" - add_test_marker 10.53.0.2 10.53.0.3 - echo_i "timing 'nsip-wait-recurse yes' (default)" - ret=0 - t1=`$PERL -e 'print time()."\n";'` - $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.yes.$t - t2=`$PERL -e 'print time()."\n";'` - p1=`expr $t2 - $t1` - echo_i "elapsed time $p1 seconds" + if [ "$mode" = "native" ]; then + t=$((t+1)) + echo_i "checking 'nsip-wait-recurse no' is faster than 'nsip-wait-recurse yes' ($t)" + add_test_marker 10.53.0.2 10.53.0.3 + echo_i "timing 'nsip-wait-recurse yes' (default)" + produce_librpz_rules ns3 policy policy + ret=0 + t1=`$PERL -e 'print time()."\n";'` + $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.yes.$t + t2=`$PERL -e 'print time()."\n";'` + p1=$((t2-t1)) + echo_i "elapsed time $p1 seconds" - $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush - copy_setports ns3/named2.conf.in ns3/named.conf - nextpart ns3/named.run > /dev/null - $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null - wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1 + $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush + copy_setports ns3/named2.conf.in ns3/named.conf + nextpart ns3/named.run > /dev/null + $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null + wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1 - echo_i "timing 'nsip-wait-recurse no'" - t3=`$PERL -e 'print time()."\n";'` - $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.no.$t - t4=`$PERL -e 'print time()."\n";'` - p2=`expr $t4 - $t3` - echo_i "elapsed time $p2 seconds" + echo_i "timing 'nsip-wait-recurse no'" + echo "update zone policy 0 no_nsip_wait_recurse" > $DNSRPS_TEST_UPDATE_FILE + t3=`$PERL -e 'print time()."\n";'` + $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > 
dig.out.no.$t + t4=`$PERL -e 'print time()."\n";'` + p2=$((t4-t3)) + echo_i "elapsed time $p2 seconds" - if test $p1 -le $p2; then ret=1; fi - if test $ret != 0; then echo_i "failed"; fi - status=`expr $status + $ret` + if test $p1 -le $p2; then ret=1; fi + if test $ret != 0; then echo_i "failed"; fi + status=$((status+ret)) - $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush - # restore original named.conf - copy_setports ns3/named1.conf.in ns3/named.conf - nextpart ns3/named.run > /dev/null - $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null - wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1 + $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush + # restore original named.conf + copy_setports ns3/named1.conf.in ns3/named.conf + nextpart ns3/named.run > /dev/null + $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null + wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1 - t=`expr $t + 1` - echo_i "checking 'nsdname-wait-recurse no' is faster than 'nsdname-wait-recurse yes' ($t)" - add_test_marker 10.53.0.2 10.53.0.3 - echo_i "timing 'nsdname-wait-recurse yes' (default)" - ret=0 - t1=`$PERL -e 'print time()."\n";'` - $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.yes.$t - t2=`$PERL -e 'print time()."\n";'` - p1=`expr $t2 - $t1` - echo_i "elapsed time $p1 seconds" + t=$((t+1)) + echo_i "checking 'nsdname-wait-recurse no' is faster than 'nsdname-wait-recurse yes' ($t)" + add_test_marker 10.53.0.2 10.53.0.3 + echo_i "timing 'nsdname-wait-recurse yes' (default)" + ret=0 + t1=`$PERL -e 'print time()."\n";'` + $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.yes.$t + t2=`$PERL -e 'print time()."\n";'` + p1=$((t2-t1)) + echo_i "elapsed time $p1 seconds" - $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush - copy_setports ns3/named3.conf.in ns3/named.conf - nextpart ns3/named.run > /dev/null - $RNDC -c 
../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null - wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1 + $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush + copy_setports ns3/named3.conf.in ns3/named.conf + nextpart ns3/named.run > /dev/null + $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null + wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1 - echo_i "timing 'nsdname-wait-recurse no'" - t3=`$PERL -e 'print time()."\n";'` - $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.no.$t - t4=`$PERL -e 'print time()."\n";'` - p2=`expr $t4 - $t3` - echo_i "elapsed time $p2 seconds" + echo_i "timing 'nsdname-wait-recurse no'" + t3=`$PERL -e 'print time()."\n";'` + $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.no.$t + t4=`$PERL -e 'print time()."\n";'` + p2=$((t4-t3)) + echo_i "elapsed time $p2 seconds" - if test $p1 -le $p2; then ret=1; fi - if test $ret != 0; then echo_i "failed"; fi - status=`expr $status + $ret` + if test $p1 -le $p2; then ret=1; fi + if test $ret != 0; then echo_i "failed"; fi + status=$((status+ret)) + fi [ $status -ne 0 ] && pf=fail || pf=pass