diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 18:37:14 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 18:37:14 +0000 |
commit | ea648e70a989cca190cd7403fe892fd2dcc290b4 (patch) | |
tree | e2b6b1c647da68b0d4d66082835e256eb30970e8 /bin/tests/system/sfcache | |
parent | Initial commit. (diff) | |
download | bind9-c5734f67907ddbaf55726422496f29e6cdc7d955.tar.xz bind9-c5734f67907ddbaf55726422496f29e6cdc7d955.zip |
Adding upstream version 1:9.11.5.P4+dfsg.upstream/1%9.11.5.P4+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'bin/tests/system/sfcache')
-rw-r--r-- | bin/tests/system/sfcache/README | 12 | ||||
-rw-r--r-- | bin/tests/system/sfcache/clean.sh | 19 | ||||
-rw-r--r-- | bin/tests/system/sfcache/ns1/named.conf.in | 33 | ||||
-rw-r--r-- | bin/tests/system/sfcache/ns1/root.db.in | 22 | ||||
-rw-r--r-- | bin/tests/system/sfcache/ns1/sign.sh | 34 | ||||
-rw-r--r-- | bin/tests/system/sfcache/ns2/example.db.in | 101 | ||||
-rw-r--r-- | bin/tests/system/sfcache/ns2/named.conf.in | 48 | ||||
-rw-r--r-- | bin/tests/system/sfcache/ns2/sign.sh | 24 | ||||
-rw-r--r-- | bin/tests/system/sfcache/ns5/named.conf.in | 43 | ||||
-rw-r--r-- | bin/tests/system/sfcache/ns5/trusted.conf.bad | 14 | ||||
-rw-r--r-- | bin/tests/system/sfcache/prereq.sh | 23 | ||||
-rw-r--r-- | bin/tests/system/sfcache/setup.sh | 26 | ||||
-rw-r--r-- | bin/tests/system/sfcache/tests.sh | 96 |
13 files changed, 495 insertions, 0 deletions
diff --git a/bin/tests/system/sfcache/README b/bin/tests/system/sfcache/README new file mode 100644 index 0000000..14c3b91 --- /dev/null +++ b/bin/tests/system/sfcache/README @@ -0,0 +1,12 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. + +The test setup for the SERVFAIL ncache tests has a secure root. + +ns1 is the root server. + +ns2 is an authoritative server for the various test domains. + +ns5 is a caching-only server, configured with the an incorrect trusted +key for the root. It is used for testing failure cases. diff --git a/bin/tests/system/sfcache/clean.sh b/bin/tests/system/sfcache/clean.sh new file mode 100644 index 0000000..f24d016 --- /dev/null +++ b/bin/tests/system/sfcache/clean.sh @@ -0,0 +1,19 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f */K*.key */K*.private */*.signed */*.db */dsset-* +rm -f */managed.conf */trusted.conf +rm -f */named.memstats +rm -f */named.run +rm -f */named.conf +rm -f dig.* +rm -f sfcache.* +rm -f ns*/named.lock diff --git a/bin/tests/system/sfcache/ns1/named.conf.in b/bin/tests/system/sfcache/ns1/named.conf.in new file mode 100644 index 0000000..a43c02b --- /dev/null +++ b/bin/tests/system/sfcache/ns1/named.conf.in @@ -0,0 +1,33 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS1 + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-enable yes; + dnssec-validation yes; +}; + +zone "." { + type master; + file "root.db.signed"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/sfcache/ns1/root.db.in b/bin/tests/system/sfcache/ns1/root.db.in new file mode 100644 index 0000000..dab5cea --- /dev/null +++ b/bin/tests/system/sfcache/ns1/root.db.in @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 + +example. NS ns2.example. +ns2.example. A 10.53.0.2 diff --git a/bin/tests/system/sfcache/ns1/sign.sh b/bin/tests/system/sfcache/ns1/sign.sh new file mode 100644 index 0000000..769978b --- /dev/null +++ b/bin/tests/system/sfcache/ns1/sign.sh @@ -0,0 +1,34 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +zone=. +infile=root.db.in +zonefile=root.db + +(cd ../ns2 && $SHELL sign.sh ) + +cp ../ns2/dsset-example$TP . + +keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` + +cat $infile $keyname.key > $zonefile + +$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null + +# Configure the resolving server with a trusted key. +keyfile_to_trusted_keys $keyname > trusted.conf +cp trusted.conf ../ns2/trusted.conf + +# ...or with a managed key. +keyfile_to_managed_keys $keyname > managed.conf diff --git a/bin/tests/system/sfcache/ns2/example.db.in b/bin/tests/system/sfcache/ns2/example.db.in new file mode 100644 index 0000000..594a549 --- /dev/null +++ b/bin/tests/system/sfcache/ns2/example.db.in @@ -0,0 +1,101 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 + NS ns3 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 + +; Used for testing ANY queries +foo TXT "testing" +foo A 10.0.1.0 + +bad-cname CNAME a +bad-dname DNAME @ + +; Used for testing CNAME queries +cname1 CNAME cname1-target +cname1-target TXT "testing cname" + +cname2 CNAME cname2-target +cname2-target TXT "testing cname" + +; Used for testing DNAME queries +dname1 DNAME dname1-target +foo.dname1-target TXT "testing dname" + +dname2 DNAME dname2-target +foo.dname2-target TXT "testing dname" + +; A secure subdomain +secure NS ns.secure +ns.secure A 10.53.0.3 + +; An insecure subdomain +insecure NS ns.insecure +ns.insecure A 10.53.0.3 + +; A secure subdomain we're going to inject bogus data into +bogus NS ns.bogus +ns.bogus A 10.53.0.3 + +; A dynamic secure subdomain +dynamic NS dynamic +dynamic A 10.53.0.3 + +; A insecure subdomain +mustbesecure NS ns.mustbesecure +ns.mustbesecure A 10.53.0.3 + +; A rfc2535 signed zone w/ CNAME +rfc2535 NS ns.rfc2535 +ns.rfc2535 A 10.53.0.3 + +z A 10.0.0.26 + +keyless NS ns.keyless +ns.keyless A 10.53.0.3 + +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 + +optout NS ns.optout +ns.optout A 10.53.0.3 + +nsec3-unknown NS ns.nsec3-unknown +ns.nsec3-unknown A 10.53.0.3 + +optout-unknown NS ns.optout-unknown +ns.optout-unknown A 10.53.0.3 + +multiple NS ns.multiple +ns.multiple A 10.53.0.3 + +*.wild A 10.0.0.27 + +rsasha256 NS ns.rsasha256 +ns.rsasha256 A 10.53.0.3 + +rsasha512 NS ns.rsasha512 +ns.rsasha512 A 10.53.0.3 + +kskonly NS ns.kskonly +ns.kskonly A 10.53.0.3 diff --git a/bin/tests/system/sfcache/ns2/named.conf.in b/bin/tests/system/sfcache/ns2/named.conf.in new file mode 100644 index 0000000..693ee05 --- /dev/null +++ b/bin/tests/system/sfcache/ns2/named.conf.in @@ -0,0 +1,48 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-enable yes; + dnssec-validation yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "example" { + type master; + file "example.db.signed"; + allow-update { any; }; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/sfcache/ns2/sign.sh b/bin/tests/system/sfcache/ns2/sign.sh new file mode 100644 index 0000000..73e55e7 --- /dev/null +++ b/bin/tests/system/sfcache/ns2/sign.sh @@ -0,0 +1,24 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +zone=example. +infile=example.db.in +zonefile=example.db + +keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null diff --git a/bin/tests/system/sfcache/ns5/named.conf.in b/bin/tests/system/sfcache/ns5/named.conf.in new file mode 100644 index 0000000..31c497c --- /dev/null +++ b/bin/tests/system/sfcache/ns5/named.conf.in @@ -0,0 +1,43 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS5 + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + recursion yes; + acache-enable yes; + dnssec-enable yes; + dnssec-validation yes; + servfail-ttl 30; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/sfcache/ns5/trusted.conf.bad b/bin/tests/system/sfcache/ns5/trusted.conf.bad new file mode 100644 index 0000000..ed30460 --- /dev/null +++ b/bin/tests/system/sfcache/ns5/trusted.conf.bad @@ -0,0 +1,14 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +trusted-keys { + "." 256 3 1 "AQO6Cl+slAf+iuieDim9L3kujFHQD7s/IOj03ClMOpKYcTXtK4mRpuULVfvWxDi9Ew/gj0xLnnX7z9OJHIxLI+DSrAHd8Dm0XfBEAtVtJSn70GaPZgnLMw1rk5ap2DsEoWk="; +}; diff --git a/bin/tests/system/sfcache/prereq.sh b/bin/tests/system/sfcache/prereq.sh new file mode 100644 index 0000000..338197b --- /dev/null +++ b/bin/tests/system/sfcache/prereq.sh @@ -0,0 +1,23 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +test -r $RANDFILE || $GENRANDOM 400 $RANDFILE + +if $KEYGEN -q -a RSAMD5 -b 512 -n zone -r $RANDFILE foo > /dev/null 2>&1 +then + rm -f Kfoo* +else + echo "I:This test requires that --with-openssl was used." >&2 + exit 255 +fi diff --git a/bin/tests/system/sfcache/setup.sh b/bin/tests/system/sfcache/setup.sh new file mode 100644 index 0000000..7e6d604 --- /dev/null +++ b/bin/tests/system/sfcache/setup.sh @@ -0,0 +1,26 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +$SHELL clean.sh + +test -r $RANDFILE || $GENRANDOM 400 $RANDFILE + +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns5/named.conf.in ns5/named.conf + +cd ns1 && $SHELL sign.sh + +cd ../ns5 && cp -f trusted.conf.bad trusted.conf + diff --git a/bin/tests/system/sfcache/tests.sh b/bin/tests/system/sfcache/tests.sh new file mode 100644 index 0000000..6e45830 --- /dev/null +++ b/bin/tests/system/sfcache/tests.sh @@ -0,0 +1,96 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=0 + +rm -f dig.out.* + +DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}" +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +echo_i "checking DNSSEC SERVFAIL is cached ($n)" +ret=0 +$DIG $DIGOPTS +dnssec foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +$RNDCCMD 10.53.0.5 dumpdb -all 2>&1 | sed 's/^/I:ns5 /' +for i in 1 2 3 4 5 6 7 8 9 10; do + awk '/Zone/{out=0} { if (out) print } /SERVFAIL/{out=1}' ns5/named_dump.db > sfcache.$n + [ -s "sfcache.$n" ] && break + sleep 1 +done +grep "^; foo.example/A" sfcache.$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking SERVFAIL is returned from cache ($n)" +ret=0 +$DIG $DIGOPTS +dnssec foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that +cd bypasses cache check ($n)" +ret=0 +$DIG $DIGOPTS +dnssec +cd foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "disabling server to force non-dnssec SERVFAIL" +$RNDCCMD 10.53.0.2 stop 2>&1 | sed 's/^/I:ns2 /' + +awk '/SERVFAIL/ { next; out=1 } /Zone/ { out=0 } { if (out) print }' ns5/named_dump.db +echo_i "checking SERVFAIL is cached ($n)" +ret=0 +$DIG $DIGOPTS bar.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +$RNDCCMD 10.53.0.5 dumpdb -all 2>&1 | sed 's/^/I:ns5 /' +for i in 1 2 3 4 5 6 7 8 9 10; do + awk '/Zone/{out=0} { if (out) print } /SERVFAIL/{out=1}' ns5/named_dump.db > sfcache.$n + [ -s "sfcache.$n" ] && break + sleep 1 +done +grep "^; bar.example/A" sfcache.$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking SERVFAIL is returned from cache ($n)" +ret=0 +$DIG $DIGOPTS bar.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking with +cd query ($n)" +ret=0 +$DIG $DIGOPTS +cd bar.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking with +dnssec query ($n)" +ret=0 +$DIG $DIGOPTS +cd bar.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 |