diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 15:59:48 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 15:59:48 +0000 |
commit | 3b9b6d0b8e7f798023c9d109c490449d528fde80 (patch) | |
tree | 2e1c188dd7b8d7475cd163de9ae02c428343669b /bin/tests/system/staticstub/tests.sh | |
parent | Initial commit. (diff) | |
download | bind9-3b9b6d0b8e7f798023c9d109c490449d528fde80.tar.xz bind9-3b9b6d0b8e7f798023c9d109c490449d528fde80.zip |
Adding upstream version 1:9.18.19.upstream/1%9.18.19
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rwxr-xr-x | bin/tests/system/staticstub/tests.sh | 219 |
1 files changed, 219 insertions, 0 deletions
diff --git a/bin/tests/system/staticstub/tests.sh b/bin/tests/system/staticstub/tests.sh new file mode 100755 index 0000000..e0f5788 --- /dev/null +++ b/bin/tests/system/staticstub/tests.sh @@ -0,0 +1,219 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +. ../conf.sh + +DIGOPTS="-p ${PORT}" +RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" + +status=0 +n=0 + +for conf in conf/good*.conf +do + n=$((n + 1)) + echo_i "checking that $conf is accepted ($n)" + ret=0 + $CHECKCONF "$conf" || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +done + +for conf in conf/bad*.conf +do + n=$((n + 1)) + echo_i "checking that $conf is rejected ($n)" + ret=0 + $CHECKCONF "$conf" >/dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +done + +n=$((n + 1)) +echo_i "trying an axfr that should be denied (NOTAUTH) ($n)" +ret=0 +$DIG $DIGOPTS +tcp data.example. @10.53.0.2 axfr > dig.out.ns2.test$n || ret=1 +grep "; Transfer failed." dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "non recursive query for a static-stub zone with server name should be rejected ($n)" +ret=0 + $DIG $DIGOPTS +tcp +norec data.example. @10.53.0.2 txt > dig.out.ns2.test$n \ + || ret=1 +grep "REFUSED" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "non recursive query for a static-stub zone with server name should be rejected ($n)" +ret=0 +$DIG $DIGOPTS +tcp +norec data.example.org. @10.53.0.2 txt > dig.out.ns2.test$n \ + || ret=1 +grep "REFUSED" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "allow-query ACL ($n)" +ret=0 +$DIG $DIGOPTS +tcp +norec data.example. @10.53.0.2 txt -b 10.53.0.7 \ + > dig.out.ns2.test$n || ret=1 +grep "REFUSED" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "look for static-stub zone data with recursion (should be found) ($n)" +ret=0 +$DIG $DIGOPTS +tcp +noauth data.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +digcomp knowngood.dig.out.rec dig.out.ns2.test$n || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking authoritative NS is ignored for delegation ($n)" +ret=0 +# the auth server returns a different (and incorrect) NS for .example. +$DIG $DIGOPTS +tcp example. @10.53.0.2 ns > dig.out.ns2.test1.$n || ret=1 +grep "ns4.example." dig.out.ns2.test1.$n > /dev/null || ret=1 +# but static-stub configuration should still be used +$DIG $DIGOPTS +tcp data2.example. @10.53.0.2 txt > dig.out.ns2.test2.$n || ret=1 +grep "2nd test data" dig.out.ns2.test2.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking queries for a child zone of the static-stub zone ($n)" +ret=0 +# prime the delegation to a child zone of the static-stub zone +$DIG $DIGOPTS +tcp data1.sub.example. @10.53.0.2 txt > dig.out.ns2.test1.$n || ret=1 +grep "1st sub test data" dig.out.ns2.test1.$n > /dev/null || ret=1 +# temporarily disable the the parent zone +copy_setports ns3/named.conf.in tmp +sed 's/EXAMPLE_ZONE_PLACEHOLDER//' tmp > ns3/named.conf +rndc_reload ns3 10.53.0.3 +# query the child zone again. this should directly go to the child and +# succeed. +for i in 0 1 2 3 4 5 6 7 8 9 +do + $DIG $DIGOPTS +tcp data2.sub.example. @10.53.0.2 txt > dig.out.ns2.test2.$n || ret=1 + grep "2nd sub test data" dig.out.ns2.test2.$n > /dev/null && break + sleep 1 +done +grep "2nd sub test data" dig.out.ns2.test2.$n > /dev/null || ret=1 +# re-enable the parent +copy_setports ns3/named.conf.in tmp +sed 's/EXAMPLE_ZONE_PLACEHOLDER/zone "example" { type primary; file "example.db.signed"; };/' tmp > ns3/named.conf +rndc_reload ns3 10.53.0.3 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking authoritative NS addresses are ignored for delegation ($n)" +ret=0 +# the auth server returns a different (and incorrect) A/AAA RR for .example. +$DIG $DIGOPTS +tcp example. @10.53.0.2 a > dig.out.ns2.test1.$n || ret=1 +grep "10.53.0.4" dig.out.ns2.test1.$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp example. @10.53.0.2 aaaa > dig.out.ns2.test2.$n || ret=1 +grep "::1" dig.out.ns2.test2.$n > /dev/null || ret=1 +# reload the server. this will flush the ADB. +rndc_reload ns2 10.53.0.2 +# ask another RR that would require delegation. static-stub configuration +# should still be used instead of the authoritative A/AAAA cached above. +$DIG $DIGOPTS +tcp data3.example. @10.53.0.2 txt > dig.out.ns2.test3.$n || ret=1 +grep "3rd test data" dig.out.ns2.test3.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# the authoritative server of the query domain (example.com) is the apex +# name of the static-stub zone (example). in this case the static-stub +# configuration must be ignored and cached information must be used. +n=$((n + 1)) +echo_i "checking NS of static-stub is ignored when referenced from other domain ($n)" +ret=0 +$DIG $DIGOPTS +tcp data.example.com. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +grep "example com data" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# check server-names +n=$((n + 1)) +echo_i "checking static-stub with a server-name ($n)" +ret=0 +$DIG $DIGOPTS +tcp data.example.org. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +grep "example org data" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +# Note: for a short term workaround we use ::1, assuming it's configured and +# usable for our tests. We should eventually use the test ULA and available +# checks introduced in change 2916. +if testsock6 ::1 +then + echo_i "checking IPv6 static-stub address ($n)" + ret=0 + $DIG $DIGOPTS +tcp data.example.info. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 + grep "example info data" dig.out.ns2.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +else + echo_i "SKIPPED: checking IPv6 static-stub address ($n)" +fi + +n=$((n + 1)) +echo_i "look for static-stub zone data with DNSSEC validation ($n)" +ret=0 +$DIG $DIGOPTS +tcp +dnssec data4.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +grep "ad; QUERY" dig.out.ns2.test$n > /dev/null || ret=1 +grep "4th test data" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "look for a child of static-stub zone data with DNSSEC validation ($n)" +ret=0 +$DIG $DIGOPTS +tcp +dnssec data3.sub.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +grep "ad; QUERY" dig.out.ns2.test$n > /dev/null || ret=1 +grep "3rd sub test data" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# reload with a different name server: existing zone shouldn't be reused. +n=$((n + 1)) +echo_i "checking server reload with a different static-stub config ($n)" +ret=0 +copy_setports ns2/named.conf.in tmp +sed 's/SERVER_CONFIG_PLACEHOLDER/server-addresses { 10.53.0.4; };/' tmp > ns2/named.conf +rndc_reload ns2 10.53.0.2 +$DIG $DIGOPTS +tcp data2.example.org. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +grep "2nd example org data" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking static-stub of a undelegated tld resolves after DS query ($n)" +ret=0 +$DIG $DIGOPTS undelegated. @10.53.0.2 ds > dig.out.ns2.ds.test$n +$DIG $DIGOPTS undelegated. @10.53.0.2 soa > dig.out.ns2.soa.test$n +grep "status: NXDOMAIN" dig.out.ns2.ds.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns2.soa.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 |