diff options
Diffstat (limited to '')
-rw-r--r-- | bin/tests/system/rpzrecurse/tests.sh | 389 |
1 files changed, 389 insertions, 0 deletions
diff --git a/bin/tests/system/rpzrecurse/tests.sh b/bin/tests/system/rpzrecurse/tests.sh new file mode 100644 index 0000000..172a806 --- /dev/null +++ b/bin/tests/system/rpzrecurse/tests.sh @@ -0,0 +1,389 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +t=0 + +# $1 = test name (such as 1a, 1b, etc. for which named.$1.conf exists) +run_server() { + TESTNAME=$1 + + echo_i "stopping resolver" + $PERL $SYSTEMTESTTOP/stop.pl . ns2 + + sleep 1 + + echo_i "starting resolver using named.$TESTNAME.conf" + cp -f ns2/named.$TESTNAME.conf ns2/named.conf + $PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} . ns2 +} + +run_query() { + TESTNAME=$1 + LINE=$2 + + NAME=`sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1` + $DIG $DIGOPTS $NAME a @10.53.0.2 -p ${PORT} -b 127.0.0.1 > dig.out.${t} + grep "status: SERVFAIL" dig.out.${t} > /dev/null 2>&1 && return 1 + return 0 +} + +# $1 = test name (such as 1a, 1b, etc. for which $1.queries exists) +# $2 = line number in query file to test (the name to query is taken from this line) +expect_norecurse() { + TESTNAME=$1 + LINE=$2 + + NAME=`sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1` + t=`expr $t + 1` + echo_i "testing $NAME doesn't recurse (${t})" + run_query $TESTNAME $LINE || { + echo_i "test ${t} failed" + status=1 + } +} + +# $1 = test name (such as 1a, 1b, etc. for which $1.queries exists) +# $2 = line number in query file to test (the name to query is taken from this line) +expect_recurse() { + TESTNAME=$1 + LINE=$2 + + NAME=`sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1` + t=`expr $t + 1` + echo_i "testing $NAME recurses (${t})" + run_query $TESTNAME $LINE && { + echo_i "test ${t} failed" + status=1 + } +} + +t=`expr $t + 1` +echo_i "testing that l1.l0 exists without RPZ (${t})" +$DIG $DIGOPTS l1.l0 ns @10.53.0.2 -p ${PORT} > dig.out.${t} +grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { + echo_i "test ${t} failed" + status=1 +} + +t=`expr $t + 1` +echo_i "testing that l2.l1.l0 returns SERVFAIL without RPZ (${t})" +$DIG $DIGOPTS l2.l1.l0 ns @10.53.0.2 -p ${PORT} > dig.out.${t} +grep "status: SERVFAIL" dig.out.${t} > /dev/null 2>&1 || { + echo_i "test ${t} failed" + status=1 +} + +# Group 1 +run_server 1a +expect_norecurse 1a 1 +run_server 1b +expect_norecurse 1b 1 +expect_recurse 1b 2 +run_server 1c +expect_norecurse 1c 1 + +# Group 2 +run_server 2a +for n in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 +do + expect_norecurse 2a $n +done +expect_recurse 2a 33 + +# Group 3 +run_server 3a +expect_recurse 3a 1 +run_server 3b +expect_recurse 3b 1 +run_server 3c +expect_recurse 3c 1 +run_server 3d +expect_norecurse 3d 1 +expect_recurse 3d 2 +run_server 3e +expect_norecurse 3e 1 +expect_recurse 3e 2 +run_server 3f +expect_norecurse 3f 1 +expect_recurse 3f 2 + +# Group 4 +testlist="aa ap bf" +values="1 16 32" +# Uncomment the following to test every skip value instead of +# only a sample of values +# +#testlist="aa ab ac ad ae af ag ah ai aj ak al am an ao ap \ +# aq ar as at au av aw ax ay az ba bb bc bd be bf" +#values="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \ +# 21 22 23 24 25 26 27 28 29 30 31 32" +set -- $values +for n in $testlist; do + run_server 4$n + ni=$1 + t=`expr $t + 1` + echo_i "testing that ${ni} of 33 queries skip recursion (${t})" + c=0 + for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 \ + 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 + do + run_query 4$n $i + c=`expr $c + $?` + done + skipped=`expr 33 - $c` + if [ $skipped != $ni ]; then + echo_i "test $t failed (actual=$skipped, expected=$ni)" + status=1 + fi + shift +done + +# Group 5 +run_server 5a +expect_norecurse 5a 1 +expect_norecurse 5a 2 +expect_recurse 5a 3 +expect_recurse 5a 4 +expect_recurse 5a 5 +expect_recurse 5a 6 + +# Group 6 +echo_i "check recursive behavior consistency during policy update races" +run_server 6a +sleep 1 +t=`expr $t + 1` +echo_i "running dig to cache CNAME record (${t})" +$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME > dig.out.${t} +sleep 1 +echo_i "suspending authority server" +if [ "$CYGWIN" ]; then + WINPID=`cat ns1/named.pid` + PID=`ps | sed 's/^..//' | awk '$4 == '$WINPID | awk '{print $1}'` +else + PID=`cat ns1/named.pid` +fi +kill -TSTP $PID +echo_i "adding an NSDNAME policy" +cp ns2/db.6a.00.policy.local ns2/saved.policy.local +cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/I:ns2 /' +sleep 1 +t=`expr $t + 1` +echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})" +$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A > dig.out.${t} & +sleep 1 +echo_i "removing the NSDNAME policy" +cp ns2/db.6c.00.policy.local ns2/db.6a.00.policy.local +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/I:ns2 /' +sleep 1 +echo_i "resuming authority server" +if [ "$CYGWIN" ]; then + WINPID=`cat ns1/named.pid` + PID=`ps | sed 's/^..//' | awk '$4 == '$WINPID | awk '{print $1}'` +else + PID=`cat ns1/named.pid` +fi +kill -CONT $PID +for n in 1 2 3 4 5 6 7 8 9; do + sleep 1 + [ -s dig.out.${t} ] || continue + grep "status: .*," dig.out.${t} > /dev/null 2>&1 && break +done +grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { + echo_i "test ${t} failed" + status=1 +} + +echo_i "check recursive behavior consistency during policy removal races" +cp ns2/saved.policy.local ns2/db.6a.00.policy.local +run_server 6a +sleep 1 +t=`expr $t + 1` +echo_i "running dig to cache CNAME record (${t})" +$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME > dig.out.${t} +sleep 1 +echo_i "suspending authority server" +if [ "$CYGWIN" ]; then + WINPID=`cat ns1/named.pid` + PID=`ps | sed 's/^..//' | awk '$4 == '$WINPID | awk '{print $1}'` +else + PID=`cat ns1/named.pid` +fi +kill -TSTP $PID +echo_i "adding an NSDNAME policy" +cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/I:ns2 /' +sleep 1 +t=`expr $t + 1` +echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})" +$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A > dig.out.${t} & +sleep 1 +echo_i "removing the policy zone" +cp ns2/named.default.conf ns2/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reconfig 2>&1 | sed 's/^/I:ns2 /' +sleep 1 +echo_i "resuming authority server" +if [ "$CYGWIN" ]; then + WINPID=`cat ns1/named.pid` + PID=`ps | sed 's/^..//' | awk '$4 == '$WINPID | awk '{print $1}'` +else + PID=`cat ns1/named.pid` +fi +kill -CONT $PID +for n in 1 2 3 4 5 6 7 8 9; do + sleep 1 + [ -s dig.out.${t} ] || continue + grep "status: .*," dig.out.${t} > /dev/null 2>&1 && break +done +grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { + echo_i "test ${t} failed" + status=1 +} + +# Check CLIENT-IP behavior +t=`expr $t + 1` +echo_i "testing CLIENT-IP behavior (${t})" +run_server clientip +$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 > dig.out.${t} +grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { + echo_i "test $t failed: query failed" + status=1 +} +grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.2" dig.out.${t} > /dev/null 2>&1 || { + echo_i "test $t failed: didn't get expected answer" + status=1 +} + +# Check CLIENT-IP behavior #2 +t=`expr $t + 1` +echo_i "testing CLIENT-IP behavior #2 (${t})" +run_server clientip2 +$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.1 > dig.out.${t}.1 +grep "status: SERVFAIL" dig.out.${t}.1 > /dev/null 2>&1 || { + echo_i "test $t failed: query failed" + status=1 +} +$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 > dig.out.${t}.2 +grep "status: NXDOMAIN" dig.out.${t}.2 > /dev/null 2>&1 || { + echo_i "test $t failed: query failed" + status=1 +} +$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 > dig.out.${t}.3 +grep "status: NOERROR" dig.out.${t}.3 > /dev/null 2>&1 || { + echo_i "test $t failed: query failed" + status=1 +} +grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.1" dig.out.${t}.3 > /dev/null 2>&1 || { + echo_i "test $t failed: didn't get expected answer" + status=1 +} +$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 > dig.out.${t}.4 +grep "status: SERVFAIL" dig.out.${t}.4 > /dev/null 2>&1 || { + echo_i "test $t failed: query failed" + status=1 +} + +# Check RPZ log clause +t=`expr $t + 1` +echo_i "testing RPZ log clause (${t})" +run_server log +cur=`awk 'BEGIN {l=0} /^/ {l++} END { print l }' ns2/named.run` +$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 > dig.out.${t} +$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >> dig.out.${t} +$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >> dig.out.${t} +sed -n "$cur,"'$p' < ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0 via 32.4.0.53.10.rpz-client-ip.log1" > /dev/null && { + echo_i " failed: unexpected rewrite message for policy zone log1 was logged" + status=1 +} +sed -n "$cur,"'$p' < ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0 via 32.3.0.53.10.rpz-client-ip.log2" > /dev/null || { + echo_i " failed: expected rewrite message for policy zone log2 was not logged" + status=1 +} +sed -n "$cur,"'$p' < ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0 via 32.2.0.53.10.rpz-client-ip.log3" > /dev/null || { + echo_i " failed: expected rewrite message for policy zone log3 was not logged" + status=1 +} + +# Check wildcard behavior + +t=`expr $t + 1` +echo_i "testing wildcard behavior with 1 RPZ zone (${t})" +run_server wildcard1 +$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.1 +grep "status: NXDOMAIN" dig.out.${t}.1 > /dev/null || { + echo_i "test ${t} failed" + status=1 +} +$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.2 +grep "status: NXDOMAIN" dig.out.${t}.2 > /dev/null || { + echo_i "test ${t} failed" + status=1 +} + +t=`expr $t + 1` +echo_i "testing wildcard behavior with 2 RPZ zones (${t})" +run_server wildcard2 +$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.1 +grep "status: NXDOMAIN" dig.out.${t}.1 > /dev/null || { + echo_i "test ${t} failed" + status=1 +} +$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.2 +grep "status: NXDOMAIN" dig.out.${t}.2 > /dev/null || { + echo_i "test ${t} failed" + status=1 +} + +t=`expr $t + 1` +echo_i "testing wildcard behavior with 1 RPZ zone and no non-wildcard triggers (${t})" +run_server wildcard3 +$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.1 +grep "status: NXDOMAIN" dig.out.${t}.1 > /dev/null || { + echo_i "test ${t} failed" + status=1 +} +$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.2 +grep "status: NOERROR" dig.out.${t}.2 > /dev/null || { + echo_i "test ${t} failed" + status=1 +} + +t=`expr $t + 1` +echo_i "checking 'nsip-wait-recurse no' is faster than 'nsip-wait-recurse yes' ($t)" +echo_i "timing 'nsip-wait-recurse yes' (default)" +ret=0 +t1=`$PERL -e 'print time()."\n";'` +$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.yes.$t +t2=`$PERL -e 'print time()."\n";'` +p1=`expr $t2 - $t1` +echo_i "elasped time $p1 seconds" + +$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush +cp -f ns3/named2.conf ns3/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null + +echo_i "timing 'nsip-wait-recurse no'" +t3=`$PERL -e 'print time()."\n";'` +$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.no.$t +t4=`$PERL -e 'print time()."\n";'` +p2=`expr $t4 - $t3` +echo_i "elasped time $p2 seconds" + +if test $p1 -le $p2; then ret=1; fi +if test $ret != 0; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 |