summaryrefslogtreecommitdiffstats
path: root/bin/tests/system/wildcard
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--bin/tests/system/wildcard/clean.sh28
-rw-r--r--bin/tests/system/wildcard/ns1/allwild.db.in15
-rw-r--r--bin/tests/system/wildcard/ns1/dlv.db.in14
-rw-r--r--bin/tests/system/wildcard/ns1/example.db.in23
-rw-r--r--bin/tests/system/wildcard/ns1/named.conf.in43
-rw-r--r--bin/tests/system/wildcard/ns1/nsec.db.in17
-rw-r--r--bin/tests/system/wildcard/ns1/nsec3.db.in17
-rw-r--r--bin/tests/system/wildcard/ns1/private.nsec.db.in16
-rw-r--r--bin/tests/system/wildcard/ns1/private.nsec3.db.in17
-rw-r--r--bin/tests/system/wildcard/ns1/root.db.in17
-rwxr-xr-xbin/tests/system/wildcard/ns1/sign.sh96
-rw-r--r--bin/tests/system/wildcard/ns2/named.conf.in30
-rw-r--r--bin/tests/system/wildcard/ns3/named.conf.in32
-rw-r--r--bin/tests/system/wildcard/ns4/named.conf.in31
-rw-r--r--bin/tests/system/wildcard/ns5/named.conf.in32
-rw-r--r--bin/tests/system/wildcard/setup.sh23
-rw-r--r--bin/tests/system/wildcard/tests.sh272
-rwxr-xr-xbin/tests/system/wildcard/tests_wildcard.py112
18 files changed, 835 insertions, 0 deletions
diff --git a/bin/tests/system/wildcard/clean.sh b/bin/tests/system/wildcard/clean.sh
new file mode 100644
index 0000000..c690ade
--- /dev/null
+++ b/bin/tests/system/wildcard/clean.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns*/named.run
+rm -f ns*/named.conf
+rm -f ns1/K*
+rm -f ns1/*.db
+rm -f ns1/*.signed
+rm -f ns1/dsset-*
+rm -f ns1/keyset-*
+rm -f ns1/trusted.conf
+rm -f ns1/private.nsec.conf
+rm -f ns1/private.nsec3.conf
+rm -f ns1/signer.err
+rm -f */named.memstats
+rm -f dig.out.ns*.test*
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/wildcard/ns1/allwild.db.in b/bin/tests/system/wildcard/ns1/allwild.db.in
new file mode 100644
index 0000000..71575c3
--- /dev/null
+++ b/bin/tests/system/wildcard/ns1/allwild.db.in
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN allwild.test.
+allwild.test. 3600 IN SOA . . 0 0 0 0 0
+allwild.test. 3600 NS ns.example.test.
+*.allwild.test. 3600 A 192.0.2.1
diff --git a/bin/tests/system/wildcard/ns1/dlv.db.in b/bin/tests/system/wildcard/ns1/dlv.db.in
new file mode 100644
index 0000000..6156de6
--- /dev/null
+++ b/bin/tests/system/wildcard/ns1/dlv.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 120
+@ SOA a.root-servers.nil. hostmaster.root-servers.nil. 1 1800 900 604800 86400
+@ NS a.root-servers.nil.
diff --git a/bin/tests/system/wildcard/ns1/example.db.in b/bin/tests/system/wildcard/ns1/example.db.in
new file mode 100644
index 0000000..f23a2cb
--- /dev/null
+++ b/bin/tests/system/wildcard/ns1/example.db.in
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN example.
+example. 3600 IN SOA . . 0 0 0 0 0
+example. 3600 NS ns.example.com.
+example. 3600 NS ns.example.net.
+*.example. 3600 TXT "this is a wildcard"
+*.example. 3600 MX 10 host1.example.
+sub.*.example. 3600 TXT "this is not a wildcard"
+host1.example. 3600 A 192.0.2.1
+_ssh._tcp.host1.example. 3600 SRV 0 0 22 host1.example.
+_ssh._tcp.host2.example. 3600 SRV 0 0 22 host2.example.
+subdel.example. 3600 NS ns.example.com.
+subdel.example. 3600 NS ns.example.net.
diff --git a/bin/tests/system/wildcard/ns1/named.conf.in b/bin/tests/system/wildcard/ns1/named.conf.in
new file mode 100644
index 0000000..ac02abf
--- /dev/null
+++ b/bin/tests/system/wildcard/ns1/named.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+ notify yes;
+};
+
+zone "." { type primary; file "root.db.signed"; };
+
+/*
+ * RFC 4592 example zone.
+ */
+zone "allwild.test" { type primary; file "allwild.db"; };
+zone "example" { type primary; file "example.db"; };
+zone "nsec" { type primary; file "nsec.db.signed"; };
+zone "private.nsec" { type primary; file "private.nsec.db.signed"; };
+
+/*
+ * The contents of nsec3 and private.nsec3 are specially chosen to
+ * have separate NSEC3 records for the "no qname proof" and the
+ * "closest encloser proof".
+ */
+zone "nsec3" { type primary; file "nsec3.db.signed"; };
+zone "private.nsec3" { type primary; file "private.nsec3.db.signed"; };
diff --git a/bin/tests/system/wildcard/ns1/nsec.db.in b/bin/tests/system/wildcard/ns1/nsec.db.in
new file mode 100644
index 0000000..8869ab9
--- /dev/null
+++ b/bin/tests/system/wildcard/ns1/nsec.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 120
+@ SOA a.root-servers.nil. hostmaster.root-servers.nil. 1 1800 900 604800 86400
+@ NS a.root-servers.nil.
+private NS a.root-servers.nil.
+*.wild CNAME a.
+a.wild A 1.2.3.5
diff --git a/bin/tests/system/wildcard/ns1/nsec3.db.in b/bin/tests/system/wildcard/ns1/nsec3.db.in
new file mode 100644
index 0000000..8869ab9
--- /dev/null
+++ b/bin/tests/system/wildcard/ns1/nsec3.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 120
+@ SOA a.root-servers.nil. hostmaster.root-servers.nil. 1 1800 900 604800 86400
+@ NS a.root-servers.nil.
+private NS a.root-servers.nil.
+*.wild CNAME a.
+a.wild A 1.2.3.5
diff --git a/bin/tests/system/wildcard/ns1/private.nsec.db.in b/bin/tests/system/wildcard/ns1/private.nsec.db.in
new file mode 100644
index 0000000..b7cc222
--- /dev/null
+++ b/bin/tests/system/wildcard/ns1/private.nsec.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 120
+@ SOA a.root-servers.nil. hostmaster.root-servers.nil. 1 1800 900 604800 86400
+@ NS a.root-servers.nil.
+*.wild CNAME a.
+a.wild A 1.2.3.5
diff --git a/bin/tests/system/wildcard/ns1/private.nsec3.db.in b/bin/tests/system/wildcard/ns1/private.nsec3.db.in
new file mode 100644
index 0000000..566b3f8
--- /dev/null
+++ b/bin/tests/system/wildcard/ns1/private.nsec3.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 120
+@ SOA a.root-servers.nil. hostmaster.root-servers.nil. 1 1800 900 604800 86400
+@ NS a.root-servers.nil.
+b A 1.2.3.4
+*.wild CNAME a.
+a.wild A 1.2.3.5
diff --git a/bin/tests/system/wildcard/ns1/root.db.in b/bin/tests/system/wildcard/ns1/root.db.in
new file mode 100644
index 0000000..ffeb0a6
--- /dev/null
+++ b/bin/tests/system/wildcard/ns1/root.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 120
+@ SOA a.root-servers.nil hostmaster.root-servers.nil 1 1800 900 604800 86400
+@ NS a.root-servers.nil
+a.root-servers.nil A 10.53.0.1
+nsec NS a.root-servers.nil
+nsec3 NS a.root-servers.nil
diff --git a/bin/tests/system/wildcard/ns1/sign.sh b/bin/tests/system/wildcard/ns1/sign.sh
new file mode 100755
index 0000000..493b057
--- /dev/null
+++ b/bin/tests/system/wildcard/ns1/sign.sh
@@ -0,0 +1,96 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+SYSTESTDIR=wildcard
+
+dssets=
+
+# RFC 4592 example zone.
+cp allwild.db.in allwild.db
+cp example.db.in example.db
+
+zone=nsec
+infile=nsec.db.in
+zonefile=nsec.db
+outfile=nsec.db.signed
+dssets="$dssets dsset-${zone}${TP}"
+
+keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null)
+keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null)
+
+cat $infile $keyname1.key $keyname2.key > $zonefile
+
+$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo_i "signed $zone"
+
+zone=private.nsec
+infile=private.nsec.db.in
+zonefile=private.nsec.db
+outfile=private.nsec.db.signed
+
+keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null)
+keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null)
+
+cat $infile $keyname1.key $keyname2.key > $zonefile
+
+$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo_i "signed $zone"
+
+keyfile_to_static_ds $keyname2 > private.nsec.conf
+
+zone=nsec3
+infile=nsec3.db.in
+zonefile=nsec3.db
+outfile=nsec3.db.signed
+dssets="$dssets dsset-${zone}${TP}"
+
+keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null)
+keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null)
+
+cat $infile $keyname1.key $keyname2.key > $zonefile
+
+$SIGNER -3 - -H 10 -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo_i "signed $zone"
+
+zone=private.nsec3
+infile=private.nsec3.db.in
+zonefile=private.nsec3.db
+outfile=private.nsec3.db.signed
+
+keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null)
+keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null)
+
+cat $infile $keyname1.key $keyname2.key > $zonefile
+
+$SIGNER -3 - -H 10 -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo_i "signed $zone"
+
+keyfile_to_static_ds $keyname2 > private.nsec3.conf
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+outfile=root.db.signed
+
+keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null)
+keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null)
+
+cat $infile $keyname1.key $keyname2.key $dssets >$zonefile
+
+$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo_i "signed $zone"
+
+keyfile_to_static_ds $keyname2 > trusted.conf
diff --git a/bin/tests/system/wildcard/ns2/named.conf.in b/bin/tests/system/wildcard/ns2/named.conf.in
new file mode 100644
index 0000000..a9a2a70
--- /dev/null
+++ b/bin/tests/system/wildcard/ns2/named.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation no;
+ notify yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/wildcard/ns3/named.conf.in b/bin/tests/system/wildcard/ns3/named.conf.in
new file mode 100644
index 0000000..0b958fa
--- /dev/null
+++ b/bin/tests/system/wildcard/ns3/named.conf.in
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ notify yes;
+};
+
+include "../ns1/trusted.conf";
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/wildcard/ns4/named.conf.in b/bin/tests/system/wildcard/ns4/named.conf.in
new file mode 100644
index 0000000..b125fa7
--- /dev/null
+++ b/bin/tests/system/wildcard/ns4/named.conf.in
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ notify yes;
+ forward only;
+ forwarders { 10.53.0.2; };
+};
+
+include "../ns1/trusted.conf";
+include "../ns1/private.nsec.conf";
+include "../ns1/private.nsec3.conf";
diff --git a/bin/tests/system/wildcard/ns5/named.conf.in b/bin/tests/system/wildcard/ns5/named.conf.in
new file mode 100644
index 0000000..1cd358d
--- /dev/null
+++ b/bin/tests/system/wildcard/ns5/named.conf.in
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ notify yes;
+};
+
+include "../ns1/trusted.conf";
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/wildcard/setup.sh b/bin/tests/system/wildcard/setup.sh
new file mode 100644
index 0000000..3d20b48
--- /dev/null
+++ b/bin/tests/system/wildcard/setup.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+
+(cd ns1 && $SHELL -e sign.sh)
diff --git a/bin/tests/system/wildcard/tests.sh b/bin/tests/system/wildcard/tests.sh
new file mode 100644
index 0000000..f93150c
--- /dev/null
+++ b/bin/tests/system/wildcard/tests.sh
@@ -0,0 +1,272 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+rm -f dig.out.*
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
+
+n=`expr $n + 1`
+echo_i "checking that NSEC wildcard non-existence proof is returned auth ($n)"
+ret=0
+$DIG $DIGOPTS a b.wild.nsec +norec @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NSEC wildcard non-existence proof is returned non-validating ($n)"
+ret=0
+$DIG $DIGOPTS a b.wild.nsec @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns2.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]' dig.out.ns2.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NSEC wildcard non-existence proof is returned validating ($n)"
+ret=0
+$DIG $DIGOPTS a b.wild.nsec @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns3.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NSEC wildcard non-existence proof is returned validating + CD ($n)"
+ret=0
+$DIG $DIGOPTS +cd a b.wild.nsec @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns5.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]' dig.out.ns5.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "checking that returned NSEC wildcard non-existence proof validates ($n)"
+ret=0
+$DIG $DIGOPTS a b.wild.nsec @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns4.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NSEC wildcard non-existence proof is returned private, validating ($n)"
+ret=0
+$DIG $DIGOPTS a b.wild.private.nsec @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep -i 'a\.wild\.private\.nsec\..*NSEC.*private\.nsec\..*NSEC' dig.out.ns3.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that returned NSEC wildcard non-existence proof for private zone validates ($n)"
+ret=0
+$DIG $DIGOPTS a b.wild.private.nsec @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep -i 'a\.wild\.private\.nsec\..*NSEC.*private\.nsec\..*NSEC' dig.out.ns4.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NSEC3 wildcard non-existence proof is returned auth ($n)"
+ret=0
+$DIG $DIGOPTS a b.wild.nsec3 +norec @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NSEC3 wildcard non-existence proof is returned non-validating ($n)"
+ret=0
+$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns2.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]' dig.out.ns2.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NSEC3 wildcard non-existence proof is returned validating ($n)"
+ret=0
+$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns3.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NSEC3 wildcard non-existence proof is returned validating + CD ($n)"
+ret=0
+$DIG $DIGOPTS +cd a b.wild.nsec3 @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns5.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]' dig.out.ns5.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that returned NSEC3 wildcard non-existence proof validates ($n)"
+ret=0
+$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns4.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NSEC3 wildcard non-existence proof is returned private, validating ($n)"
+ret=0
+$DIG $DIGOPTS a b.wild.private.nsec3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep -i 'UDBSP4R8OUOT6HSO39VD8B5LMOSHRD5N\.private\.nsec3\..*NSEC3.*ASDRUIB7GO00OR92S5OUGI404LT27RNU' dig.out.ns3.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that returned NSEC3 wildcard non-existence proof for private zone validates ($n)"
+ret=0
+$DIG $DIGOPTS a b.wild.private.nsec3 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep -i 'UDBSP4R8OUOT6HSO39VD8B5LMOSHRD5N\.private\.nsec3\..*NSEC3.*ASDRUIB7GO00OR92S5OUGI404LT27RNU' dig.out.ns4.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking RFC 4592 responses ..."
+
+n=`expr $n + 1`
+echo_i "checking RFC 4592: host3.example. QTYPE=MX, QCLASS=IN ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 host3.example. MX IN > dig.out.ns1.test$n || ret=1
+grep '^host3.example..*IN.MX.10 host1.example.' dig.out.ns1.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking RFC 4592: host3.example. QTYPE=A, QCLASS=IN ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 host3.example. A IN > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking RFC 4592: foo.bar.example. QTYPE=TXT, QCLASS=IN ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 foo.bar.example TXT IN > dig.out.ns1.test$n || ret=1
+grep '^foo.bar.example..*IN.TXT."this is a wildcard"' dig.out.ns1.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking RFC 4592: host1.example. QTYPE=MX, QCLASS=IN ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 host1.example MX IN > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking RFC 4592: host1.example. QTYPE=MX, QCLASS=IN ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 host1.example MX IN > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking RFC 4592: sub.*.example. QTYPE=MX, QCLASS=IN ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 "sub.*.example." MX IN > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking RFC 4592: _telnet._tcp.host1.example. QTYPE=SRV, QCLASS=IN ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 _telnet._tcp.host1.example. SRV IN > dig.out.ns1.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking RFC 4592: host.subdel.example. QTYPE=A, QCLASS=IN ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 host.subdel.example A IN > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1
+grep "AUTHORITY: 2," dig.out.ns1.test$n > /dev/null || ret=1
+grep "subdel.example..*IN.NS.ns.example.com." dig.out.ns1.test$n > /dev/null || ret=1
+grep "subdel.example..*IN.NS.ns.example.net." dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking RFC 4592: ghost.*.example. QTYPE=MX, QCLASS=IN ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 "ghost.*.example" MX IN > dig.out.ns1.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check wild card expansions by code point ($n)"
+ret=0
+i=0
+while test $i -lt 256
+do
+ x=`expr 00$i : '.*\(...\)$'`
+ $DIG $DIGOPTS @10.53.0.1 "\\$x.example" TXT > dig.out.ns1.$x.test$n
+ if test $i -le 32 -o $i -ge 127
+ then
+ grep '^\\'"$x"'\.example\..*TXT.*"this is a wildcard"$' dig.out.ns1.$x.test$n > /dev/null || { echo_i "code point $x failed" ; ret=1; }
+ # "=34 $=36 (=40 )=41 .=46 ;=59 \=92 @=64
+ elif test $i -eq 34 -o $i -eq 36 -o $i -eq 40 -o $i -eq 41 -o \
+ $i -eq 46 -o $i -eq 59 -o $i -eq 64 -o $i -eq 92
+ then
+ case $i in
+ 34) a='"';;
+ 36) a='$';;
+ 40) a='(';;
+ 41) a=')';;
+ 46) a='\.';;
+ 59) a=';';;
+ 64) a='@';;
+ 92) a='\\';;
+ *) a=''; echo_i "code point $x failed" ; ret=1 ;;
+ esac
+ grep '^\\'"$a"'\.example.*.*TXT.*"this is a wildcard"$' dig.out.ns1.$x.test$n > /dev/null || { echo_i "code point $x failed" ; ret=1; }
+ else
+ grep '^\\' dig.out.ns1.$x.test$n && { echo_i "code point $x failed" ; ret=1; }
+ fi
+ i=`expr $i + 1`
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/wildcard/tests_wildcard.py b/bin/tests/system/wildcard/tests_wildcard.py
new file mode 100755
index 0000000..66166f2
--- /dev/null
+++ b/bin/tests/system/wildcard/tests_wildcard.py
@@ -0,0 +1,112 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+"""
+Example property-based test for wildcard synthesis.
+Verifies that otherwise-empty zone with single wildcard record * A 192.0.2.1
+produces synthesized answers for <random_label>.test. A, and returns NODATA for
+<random_label>.test. when rdtype is not A.
+
+Limitations - untested properties:
+ - expansion works with multiple labels
+ - asterisk in qname does not cause expansion
+ - empty non-terminals prevent expansion
+ - or more generally any existing node prevents expansion
+ - DNSSEC record inclusion
+ - possibly others, see RFC 4592 and company
+ - content of authority & additional sections
+ - flags beyond RCODE
+ - special behavior of rdtypes like CNAME
+"""
+import pytest
+
+pytest.importorskip("dns")
+import dns.message
+import dns.name
+import dns.query
+import dns.rcode
+import dns.rdataclass
+import dns.rdatatype
+import dns.rrset
+
+pytest.importorskip("hypothesis")
+from hypothesis import given
+from hypothesis.strategies import binary, integers
+
+
+# labels of a zone with * A 192.0.2.1 wildcard
+WILDCARD_ZONE = ("allwild", "test", "")
+WILDCARD_RDTYPE = dns.rdatatype.A
+WILDCARD_RDATA = "192.0.2.1"
+IPADDR = "10.53.0.1"
+TIMEOUT = 5 # seconds, just a sanity check
+
+
+# Helpers
+def is_nonexpanding_rdtype(rdtype):
+ """skip meta types to avoid weird rcodes caused by AXFR etc.; RFC 6895"""
+ return not (
+ rdtype == WILDCARD_RDTYPE
+ or dns.rdatatype.is_metatype(rdtype) # known metatypes: OPT ...
+ or 128 <= rdtype <= 255
+ ) # unknown meta types
+
+
+def tcp_query(where, port, qname, qtype):
+ querymsg = dns.message.make_query(qname, qtype)
+ assert len(querymsg.question) == 1
+ return querymsg, dns.query.tcp(querymsg, where, port=port, timeout=TIMEOUT)
+
+
+def query(where, port, label, rdtype):
+ labels = (label,) + WILDCARD_ZONE
+ qname = dns.name.Name(labels)
+ return tcp_query(where, port, qname, rdtype)
+
+
+# Tests
+@given(
+ label=binary(min_size=1, max_size=63),
+ rdtype=integers(min_value=0, max_value=65535).filter(is_nonexpanding_rdtype),
+)
+def test_wildcard_rdtype_mismatch(label, rdtype, named_port):
+ """any label non-matching rdtype must result in to NODATA"""
+ check_answer_nodata(*query(IPADDR, named_port, label, rdtype))
+
+
+def check_answer_nodata(querymsg, answer):
+ assert querymsg.is_response(answer), str(answer)
+ assert answer.rcode() == dns.rcode.NOERROR, str(answer)
+ assert answer.answer == [], str(answer)
+
+
+@given(label=binary(min_size=1, max_size=63))
+def test_wildcard_match(label, named_port):
+ """any label with maching rdtype must result in wildcard data in answer"""
+ check_answer_noerror(*query(IPADDR, named_port, label, WILDCARD_RDTYPE))
+
+
+def check_answer_noerror(querymsg, answer):
+ assert querymsg.is_response(answer), str(answer)
+ assert answer.rcode() == dns.rcode.NOERROR, str(answer)
+ assert len(querymsg.question) == 1, str(answer)
+ expected_answer = [
+ dns.rrset.from_text(
+ querymsg.question[0].name,
+ 300, # TTL, ignored by dnspython comparison
+ dns.rdataclass.IN,
+ WILDCARD_RDTYPE,
+ WILDCARD_RDATA,
+ )
+ ]
+ assert answer.answer == expected_answer, str(answer)