Diffstat (limited to '')
-rw-r--r-- | bin/tests/system/sfcache/README | 19 | ||||
-rw-r--r-- | bin/tests/system/sfcache/clean.sh | 27 | ||||
-rw-r--r-- | bin/tests/system/sfcache/ns1/named.conf.in | 34 | ||||
-rw-r--r-- | bin/tests/system/sfcache/ns1/root.db.in | 26 | ||||
-rw-r--r-- | bin/tests/system/sfcache/ns1/sign.sh | 38 | ||||
-rw-r--r-- | bin/tests/system/sfcache/ns2/example.db.in | 103 | ||||
-rw-r--r-- | bin/tests/system/sfcache/ns2/named.conf.in | 49 | ||||
-rw-r--r-- | bin/tests/system/sfcache/ns2/sign.sh | 28 | ||||
-rw-r--r-- | bin/tests/system/sfcache/ns5/named.conf.in | 43 | ||||
-rw-r--r-- | bin/tests/system/sfcache/ns5/sign.sh | 21 | ||||
-rw-r--r-- | bin/tests/system/sfcache/setup.sh | 24 | ||||
-rw-r--r-- | bin/tests/system/sfcache/tests.sh | 108 |
12 files changed, 520 insertions, 0 deletions
diff --git a/bin/tests/system/sfcache/README b/bin/tests/system/sfcache/README
new file mode 100644
index 0000000..91b2126
--- /dev/null
+++ b/bin/tests/system/sfcache/README
@@ -0,0 +1,19 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+The test setup for the SERVFAIL ncache tests has a secure root.
+
+ns1 is the root server.
+
+ns2 is an authoritative server for the various test domains.
+
+ns5 is a caching-only server, configured with the an incorrect trusted
+key for the root. It is used for testing failure cases.
diff --git a/bin/tests/system/sfcache/clean.sh b/bin/tests/system/sfcache/clean.sh
new file mode 100644
index 0000000..e8bd818
--- /dev/null
+++ b/bin/tests/system/sfcache/clean.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f ./*/K*.key ./*/K*.private ./*/*.signed ./*/*.db ./*/dsset-*
+rm -f ./*/managed.conf ./*/trusted.conf
+rm -f ./*/named.memstats
+rm -f ./*/named.conf
+rm -f ./*/named.run ./*/named.run.prev
+rm -f ./dig.*
+rm -f ./rndc.*
+rm -f ./sfcache.*
+rm -f ./ns*/managed-keys.bind*
+rm -f ./ns*/named.lock
+rm -f ./ns5/named.run.part*
+rm -f ./ns5/named_dump*
diff --git a/bin/tests/system/sfcache/ns1/named.conf.in b/bin/tests/system/sfcache/ns1/named.conf.in
new file mode 100644
index 0000000..4a9822d
--- /dev/null
+++ b/bin/tests/system/sfcache/ns1/named.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type primary;
+ file "root.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/sfcache/ns1/root.db.in b/bin/tests/system/sfcache/ns1/root.db.in
new file mode 100644
index 0000000..1deb998
--- /dev/null
+++ b/bin/tests/system/sfcache/ns1/root.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
+example2. NS ns2.example2.
+ns2.example2. A 10.53.0.2
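Review bot: The `example2.` delegation at the end of root.db.in points at ns2.example2/10.53.0.2, but ns2/named.conf.in in this commit serves only zone "example" with `recursion no`, so the delegation is deliberately dead: the `bar.example2` checks in tests.sh expect SERVFAIL for exactly that reason, yet nothing in the zone file says the breakage is intended. A future cleanup could "fix" it and silently turn the non-DNSSEC SERVFAIL tests into positive answers. Add a comment above the two example2 records, `; example2 is delegated to a server that is not authoritative for it;` / `; tests.sh relies on this to produce a non-DNSSEC SERVFAIL`, so the intent survives.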
diff --git a/bin/tests/system/sfcache/ns1/sign.sh b/bin/tests/system/sfcache/ns1/sign.sh
new file mode 100644
index 0000000..d97b63d
--- /dev/null
+++ b/bin/tests/system/sfcache/ns1/sign.sh
@@ -0,0 +1,38 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+(cd ../ns2 && $SHELL sign.sh )
+
+cp "../ns2/dsset-example$TP" .
+
+keyname=$($KEYGEN -q -a "${DEFAULT_ALGORITHM}" -b "${DEFAULT_BITS}" -n zone $zone)
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+$SIGNER -P -g -o $zone $zonefile > /dev/null
+
+# Configure the resolving server with a static key.
+keyfile_to_static_ds "$keyname" > trusted.conf
+cp trusted.conf ../ns2/trusted.conf
+
+# ...or with an initializing key.
+keyfile_to_initial_ds "$keyname" > managed.conf
diff --git a/bin/tests/system/sfcache/ns2/example.db.in b/bin/tests/system/sfcache/ns2/example.db.in
new file mode 100644
index 0000000..c035ee8
--- /dev/null
+++ b/bin/tests/system/sfcache/ns2/example.db.in
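Review bot: `$KEYGEN`, `$zone`, `$zonefile` and `$SIGNER` are expanded unquoted on the keygen and signer lines, while ns2/sign.sh and ns5/sign.sh in the same commit quote every expansion; the three scripts should follow one convention, e.g. `keyname=$("$KEYGEN" -q -a "${DEFAULT_ALGORITHM}" -b "${DEFAULT_BITS}" -n zone "$zone")` and `"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null`. The ordering dependency is also undocumented: ns2 is signed first and its dsset copied in because `-g` on the root needs it, so a comment above the subshell, `# sign ns2 first: -g below builds the example DS from the dsset-example file it produces`, would help. Finally, managed.conf written on the last line is not included by any named.conf in this commit (ns1 and ns2 include trusted.conf only), so either drop that line or say why it is kept.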
@@ -0,0 +1,103 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+
+; Used for testing ANY queries
+foo TXT "testing"
+foo A 10.0.1.0
+
+bad-cname CNAME a
+bad-dname DNAME @
+
+; Used for testing CNAME queries
+cname1 CNAME cname1-target
+cname1-target TXT "testing cname"
+
+cname2 CNAME cname2-target
+cname2-target TXT "testing cname"
+
+; Used for testing DNAME queries
+dname1 DNAME dname1-target
+foo.dname1-target TXT "testing dname"
+
+dname2 DNAME dname2-target
+foo.dname2-target TXT "testing dname"
+
+; A secure subdomain
+secure NS ns.secure
+ns.secure A 10.53.0.3
+
+; An insecure subdomain
+insecure NS ns.insecure
+ns.insecure A 10.53.0.3
+
+; A secure subdomain we're going to inject bogus data into
+bogus NS ns.bogus
+ns.bogus A 10.53.0.3
+
+; A dynamic secure subdomain
+dynamic NS dynamic
+dynamic A 10.53.0.3
+
+; A insecure subdomain
+mustbesecure NS ns.mustbesecure
+ns.mustbesecure A 10.53.0.3
+
+; A rfc2535 signed zone w/ CNAME
+rfc2535 NS ns.rfc2535
+ns.rfc2535 A 10.53.0.3
+
+z A 10.0.0.26
+
+keyless NS ns.keyless
+ns.keyless A 10.53.0.3
+
+nsec3 NS ns.nsec3
+ns.nsec3 A 10.53.0.3
+
+optout NS ns.optout
+ns.optout A 10.53.0.3
+
+nsec3-unknown NS ns.nsec3-unknown
+ns.nsec3-unknown A 10.53.0.3
+
+optout-unknown NS ns.optout-unknown
+ns.optout-unknown A 10.53.0.3
+
+multiple NS ns.multiple
+ns.multiple A 10.53.0.3
+
+*.wild A 10.0.0.27
+
+rsasha256 NS ns.rsasha256
+ns.rsasha256 A 10.53.0.3
+
+rsasha512 NS ns.rsasha512
+ns.rsasha512 A 10.53.0.3
+
+kskonly NS ns.kskonly
+ns.kskonly A 10.53.0.3
diff --git a/bin/tests/system/sfcache/ns2/named.conf.in b/bin/tests/system/sfcache/ns2/named.conf.in
new file mode 100644
index 0000000..2ec6675
--- /dev/null
+++ b/bin/tests/system/sfcache/ns2/named.conf.in
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type primary;
+ file "example.db.signed";
+ allow-update { any; };
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/sfcache/ns2/sign.sh b/bin/tests/system/sfcache/ns2/sign.sh
new file mode 100644
index 0000000..bbdf086
--- /dev/null
+++ b/bin/tests/system/sfcache/ns2/sign.sh
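Review bot: The apex `NS ns3` record and the many `ns.* A 10.53.0.3` delegations point at a server this test never starts: setup.sh prepares only ns1, ns2 and ns5, and the README lists no ns3. tests.sh queries only `foo.example`, so the rest of the zone appears to be carried over from another test's example zone rather than data this test needs, and a resolver that falls back to the ns3 address would only time out. Either trim the zone to the SOA, the ns2 apex NS, `foo` and the host records, or keep it and add a comment near the top, `; delegations to 10.53.0.3 are inert here: no ns3 is started by this test`, so the next reader does not look for a missing server.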
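Review bot: `allow-update { any; };` on zone "example" lets any client rewrite the signed test zone, yet nothing in tests.sh sends a dynamic update (no nsupdate call appears anywhere in this commit), so the permission only widens what a stray packet on 10.53.0.2 can do to the fixture mid-run. It looks inherited from another test's example zone; drop the line (the default is no updates), or if a later test will need it, say so in a comment next to it. The hard-coded `rndc_key` secret is presumably the shared one from ../../common/rndc.conf that tests.sh passes with `-c`, which is expected for this harness.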
@@ -0,0 +1,28 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+zone=example.
+infile=example.db.in
+zonefile=example.db
+
+keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+
+"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null
diff --git a/bin/tests/system/sfcache/ns5/named.conf.in b/bin/tests/system/sfcache/ns5/named.conf.in
new file mode 100644
index 0000000..df3938b
--- /dev/null
+++ b/bin/tests/system/sfcache/ns5/named.conf.in
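Review bot: Nothing in this script says who runs it or why the order matters: setup.sh invokes only ns1/sign.sh and ns5/sign.sh, and this one is executed from ns1/sign.sh via `(cd ../ns2 && $SHELL sign.sh )` because the root signing needs the `dsset-example` file produced here. A short header after the license, `# Sign the example zone. Invoked from ../ns1/sign.sh, which must run it before` / `# signing the root: dnssec-signzone -g on the root reads the dsset-example file written here.`, would make that dependency visible to anyone reordering setup.sh. The file otherwise quotes every expansion, which is the convention the other sign.sh scripts should follow.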
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ servfail-ttl 30;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/sfcache/ns5/sign.sh b/bin/tests/system/sfcache/ns5/sign.sh
new file mode 100644
index 0000000..40d7095
--- /dev/null
+++ b/bin/tests/system/sfcache/ns5/sign.sh
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone ".")
+
+keyfile_to_static_ds "$keyname" > trusted.conf
diff --git a/bin/tests/system/sfcache/setup.sh b/bin/tests/system/sfcache/setup.sh
new file mode 100644
index 0000000..3e09fe9
--- /dev/null
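Review bot: The two lines that make this resolver special carry no explanation: `servfail-ttl 30;` is the option the whole test exercises, and `include "trusted.conf";` pulls in a trust anchor that ns5/sign.sh derives from a freshly generated key the root zone is not signed with (ns1/sign.sh signs "." with its own key), so every validated answer from ns5 is meant to fail. Read on its own, the config looks misconfigured rather than deliberately broken. Suggest `servfail-ttl 30; // SERVFAIL caching is what this test exercises` and, above the include, `// deliberately wrong root trust anchor (generated by sign.sh): validation must fail here`.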
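Review bot: The file name suggests signing, but the script signs nothing: it generates a throwaway key for "." and publishes only its DS as ns5's static trust anchor, which cannot match the key ns1/sign.sh actually uses for the root, so this is where the README's "incorrect trusted key" comes from. That should be stated in the file, e.g. above the keygen line: `# Generate a throwaway root key and install its DS as ns5's trust anchor.` / `# The root is signed with a different key (see ../ns1/sign.sh), so DNSSEC` / `# validation on ns5 is guaranteed to fail; that is the point of this server.` The generated K*.key/K*.private files in ns5/ are otherwise unused and are picked up by clean.sh's `./*/K*` globs, which is fine.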
+++ b/bin/tests/system/sfcache/setup.sh
@@ -0,0 +1,24 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+
+cd ns1 && $SHELL sign.sh && cd ..
+cd ns5 && $SHELL sign.sh && cd ..
diff --git a/bin/tests/system/sfcache/tests.sh b/bin/tests/system/sfcache/tests.sh
new file mode 100644
index 0000000..4c47e08
--- /dev/null
+++ b/bin/tests/system/sfcache/tests.sh
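Review bot: A failing signer is not fatal in the last two lines: under `set -e` a command that is not the final member of an `&&` list does not abort the script, so if ns1/sign.sh fails the shell stays in ns1/, the following `cd ns5` fails silently for the same reason, and setup.sh still exits 0 with no signed root and no trusted.conf, leaving the failure to surface later as an unrelated dig error. Run each signer in a subshell, as ns1/sign.sh already does for ns2, so a non-zero status reaches `set -e`: `(cd ns1 && $SHELL sign.sh)` and `(cd ns5 && $SHELL sign.sh)`. The order also matters (ns1/sign.sh overwrites ns2/trusted.conf, ns5/sign.sh writes its own), which a one-line comment above them would make explicit.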
@@ -0,0 +1,108 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+SYSTEMTESTTOP=..
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+status=0
+n=0
+
+rm -f dig.out.*
+
+dig_with_opts() {
+ "$DIG" +tcp +noadd +nosea +nostat +nocmd -p "$PORT" "$@"
+}
+
+rndc_with_opts() {
+ "$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "$CONTROLPORT" -s "$@"
+}
+
+echo_i "checking DNSSEC SERVFAIL is cached ($n)"
+ret=0
+dig_with_opts +dnssec foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
+rndc_dumpdb ns5 -all
+awk '/Zone/{out=0} { if (out) print } /SERVFAIL/{out=1}' ns5/named_dump.db.test$n > sfcache.$n
+grep "^; foo.example/A" sfcache.$n > /dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking SERVFAIL is returned from cache ($n)"
+ret=0
+dig_with_opts +dnssec foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking that +cd bypasses cache check ($n)"
+ret=0
+dig_with_opts +dnssec +cd foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "SERVFAIL" dig.out.ns5.test$n > /dev/null && ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "switching to non-dnssec SERVFAIL tests"
+ret=0
+rndc_with_opts 10.53.0.5 flush 2>&1 | sed 's/^/I:ns5 /'
+rndc_dumpdb ns5 -all
+mv ns5/named_dump.db.test$n ns5/named_dump.db.test$n.1
+awk '/SERVFAIL/ { next; out=1 } /Zone/ { out=0 } { if (out) print }' ns5/named_dump.db.test$n.1 > sfcache.$n.1
+[ -s "sfcache.$n.1" ] && ret=1
+echo_i "checking SERVFAIL is cached ($n)"
+dig_with_opts bar.example2. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
+rndc_dumpdb ns5 -all
+mv ns5/named_dump.db.test$n ns5/named_dump.db.test$n.2
+awk '/Zone/{out=0} { if (out) print } /SERVFAIL/{out=1}' ns5/named_dump.db.test$n.2 > sfcache.$n.2
+grep "^; bar.example2/A" sfcache.$n.2 > /dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking SERVFAIL is returned from cache ($n)"
+ret=0
+nextpart ns5/named.run > /dev/null
+dig_with_opts bar.example2. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
+nextpart ns5/named.run > ns5/named.run.part$n
+grep 'servfail cache hit bar.example2/A (CD=0)' ns5/named.run.part$n > /dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking cache is bypassed with +cd query ($n)"
+ret=0
+dig_with_opts +cd bar.example2. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
+nextpart ns5/named.run > ns5/named.run.part$n
+grep 'servfail cache hit' ns5/named.run.part$n > /dev/null && ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking cache is used for subsequent +cd query ($n)"
+ret=0
+dig_with_opts +dnssec bar.example2. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
+nextpart ns5/named.run > ns5/named.run.part$n
+grep 'servfail cache hit bar.example2/A (CD=1)' ns5/named.run.part$n > /dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
|
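Review bot: The post-flush emptiness check is vacuous: in `awk '/SERVFAIL/ { next; out=1 } /Zone/ { out=0 } { if (out) print }'` the `next` runs before `out=1`, so `out` is never set, nothing is ever printed, sfcache.$n.1 is always empty and `[ -s "sfcache.$n.1" ] && ret=1` cannot fire even if the foo.example entry survived `rndc flush`. Use the same program as the two other dump checks, `awk '/Zone/{out=0} { if (out) print } /SERVFAIL/{out=1}' ns5/named_dump.db.test$n.1 > sfcache.$n.1`, and if the dump prints a placeholder line inside an empty section, test for `^; ` entries instead of `-s`. Separately, the last test is labelled "checking cache is used for subsequent +cd query" but its dig carries no `+cd`; it presumably checks that the entry stored by the preceding +cd query is served to a non-CD query (hence the `(CD=1)` log line), so a label like `checking entry stored by +cd query is used for subsequent query` would match what runs. Finally, `rndc_with_opts 10.53.0.5 flush 2>&1 | sed ...` reports sed's status to `set -e`, so a failed flush is silently ignored; `rndc_with_opts 10.53.0.5 flush 2>&1 | sed 's/^/I:ns5 /' || ret=1` is not enough either without `pipefail`, so consider capturing the output first and piping it to sed afterwards.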