summaryrefslogtreecommitdiffstats
path: root/bin/tests/system/rpz/setup.sh
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 07:24:22 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 07:24:22 +0000
commit45d6379135504814ab723b57f0eb8be23393a51d (patch)
treed4f2ec4acca824a8446387a758b0ce4238a4dffa /bin/tests/system/rpz/setup.sh
parentInitial commit. (diff)
downloadbind9-45d6379135504814ab723b57f0eb8be23393a51d.tar.xz
bind9-45d6379135504814ab723b57f0eb8be23393a51d.zip
Adding upstream version 1:9.16.44.upstream/1%9.16.44upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'bin/tests/system/rpz/setup.sh')
-rw-r--r--bin/tests/system/rpz/setup.sh180
1 files changed, 180 insertions, 0 deletions
diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh
new file mode 100644
index 0000000..10ab738
--- /dev/null
+++ b/bin/tests/system/rpz/setup.sh
@@ -0,0 +1,180 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# touch dnsrps-off to not test with DNSRPS
+
+set -e
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+QPERF=$($SHELL qperf.sh)
+
+USAGE="$0: [-DNx]"
+DEBUG=
+while getopts "DNx" c; do
+ case $c in
+ x) set -x; DEBUG=-x ;;
+ D) TEST_DNSRPS="-D" ;;
+ N) PARTIAL=-P ;;
+ *) echo "$USAGE" 1>&2; exit 1 ;;
+ esac
+done
+shift $((OPTIND - 1))
+if test "$#" -ne 0; then
+ echo "$USAGE" 1>&2
+ exit 1
+fi
+
+if [ ${NOCLEAN:-unset} = unset ]; then
+ $SHELL clean.sh $PARTIAL $DEBUG
+fi
+
+for dir in ns*; do
+ touch $dir/named.run
+ nextpart $dir/named.run > /dev/null
+done
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
+copy_setports ns9/named.conf.in ns9/named.conf
+copy_setports ns10/named.conf.in ns10/named.conf
+
+copy_setports dnsrpzd.conf.in dnsrpzd.conf
+
+# decide whether to test DNSRPS
+# Note that dnsrps.conf and dnsrps-slave.conf are included in named.conf
+# and differ from dnsrpz.conf which is used by dnsrpzd.
+$SHELL ../ckdnsrps.sh -A $TEST_DNSRPS $DEBUG
+test -z "$(grep 'dnsrps-enable yes' dnsrps.conf)" && TEST_DNSRPS=
+
+# set up test policy zones.
+# bl is the main test zone
+# bl-2 is used to check competing zones.
+# bl-{given,disabled,passthru,no-data,nxdomain,cname,wildcard,garden,
+# drop,tcp-only} are used to check policy overrides in named.conf.
+# NO-OP is an obsolete synonym for PASSHTRU
+for NM in '' -2 -given -disabled -passthru -no-op -nodata -nxdomain -cname -wildcname -garden -drop -tcp-only; do
+ sed -e "/SOA/s/blx/bl$NM/g" ns3/base.db >ns3/bl$NM.db
+done
+# bl zones are dynamically updated. Add one zone that is updated manually.
+cp ns3/manual-update-rpz.db.in ns3/manual-update-rpz.db
+cp ns8/manual-update-rpz.db.in ns8/manual-update-rpz.db
+
+cp ns3/mixed-case-rpz-1.db.in ns3/mixed-case-rpz.db
+
+# a zone that expires quickly and then can't be refreshed
+cp ns5/fast-expire.db.in ns5/fast-expire.db
+cp ns5/expire.conf.in ns5/expire.conf
+
+# $1=directory
+# $2=domain name
+# $3=input zone file
+# $4=output file
+signzone () {
+ KEYNAME=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -K $1 $2)
+ cat $1/$3 $1/$KEYNAME.key > $1/tmp
+ $SIGNER -P -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null
+ sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trust-anchors {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
+ DSFILENAME=dsset-${2}${TP}
+ rm $DSFILENAME $1/tmp
+}
+signzone ns2 tld2s base-tld2s.db tld2s.db
+
+# Performance and a few other checks.
+cat <<EOF >ns5/rpz-switch
+response-policy {
+ zone "bl0"; zone "bl1"; zone "bl2"; zone "bl3"; zone "bl4";
+ zone "bl5"; zone "bl6"; zone "bl7"; zone "bl8"; zone "bl9";
+ zone "bl10"; zone "bl11"; zone "bl12"; zone "bl13"; zone "bl14";
+ zone "bl15"; zone "bl16"; zone "bl17"; zone "bl18"; zone "bl19";
+ } recursive-only no
+ qname-wait-recurse no
+ nsip-enable yes
+ nsdname-enable yes
+ max-policy-ttl 90
+ break-dnssec yes
+ ;
+EOF
+
+cat <<EOF >ns5/example.db
+\$TTL 300
+@ SOA . hostmaster.ns.example.tld5. ( 1 3600 1200 604800 60 )
+ NS ns
+ NS ns1
+ns A 10.53.0.5
+ns1 A 10.53.0.5
+EOF
+
+cat <<EOF >ns5/bl.db
+\$TTL 300
+@ SOA . hostmaster.ns.blperf. ( 1 3600 1200 604800 60 )
+ NS ns.tld5.
+
+; for "qname-wait-recurse no" in #35 test1
+x.servfail A 35.35.35.35
+; for "recursive-only no" in #8 test5
+a3-5.tld2 CNAME .
+; for "break-dnssec" in #9 & #10 test5
+a3-5.tld2s CNAME .
+; for "max-policy-ttl 90" in #17 test5
+a3-17.tld2 500 A 17.17.17.17
+
+; dummy NSDNAME policy to trigger lookups
+ns1.x.rpz-nsdname CNAME .
+EOF
+
+if test -n "$QPERF"; then
+ # Do not build the full zones if we will not use them.
+ $PERL -e 'for ($val = 1; $val <= 65535; ++$val) {
+ printf("host-%05d\tA 192.168.%d.%d\n", $val, $val/256, $val%256);
+ }' >>ns5/example.db
+
+ echo >>ns5/bl.db
+ echo "; rewrite some names" >>ns5/bl.db
+ $PERL -e 'for ($val = 2; $val <= 65535; $val += 69) {
+ printf("host-%05d.example.tld5\tCNAME\t.\n", $val);
+ }' >>ns5/bl.db
+
+ echo >>ns5/bl.db
+ echo "; rewrite with some not entirely trivial patricia trees" >>ns5/bl.db
+ $PERL -e 'for ($val = 3; $val <= 65535; $val += 69) {
+ printf("32.%d.%d.168.192.rpz-ip \tCNAME\t.\n",
+ $val%256, $val/256);
+ }' >>ns5/bl.db
+fi
+
+# some psuedo-random queryperf requests
+$PERL -e 'for ($cnt = $val = 1; $cnt <= 3000; ++$cnt) {
+ printf("host-%05d.example.tld5 A\n", $val);
+ $val = ($val * 9 + 32771) % 65536;
+ }' >ns5/requests
+
+cp ns2/bl.tld2.db.in ns2/bl.tld2.db
+cp ns5/empty.db.in ns5/empty.db
+cp ns5/empty.db.in ns5/policy2.db
+cp ns6/bl.tld2s.db.in ns6/bl.tld2s.db
+
+# Run dnsrpzd to get the license and prime the static policy zones
+if test -n "$TEST_DNSRPS"; then
+ DNSRPZD="$(../rpz/dnsrps -p)"
+ cd ns3
+ "$DNSRPZ" -D../dnsrpzd.rpzf -S../dnsrpzd.sock -C../dnsrpzd.conf \
+ -w 0 -dddd -L stdout >./dnsrpzd.run 2>&1
+fi