diff options
Diffstat (limited to '')
-rw-r--r-- | bin/tests/system/auth/clean.sh | 20 | ||||
-rw-r--r-- | bin/tests/system/auth/ns1/chaos.db | 23 | ||||
-rw-r--r-- | bin/tests/system/auth/ns1/example.com.db | 25 | ||||
-rw-r--r-- | bin/tests/system/auth/ns1/example.net.db | 22 | ||||
-rw-r--r-- | bin/tests/system/auth/ns1/named.conf.in | 44 | ||||
-rw-r--r-- | bin/tests/system/auth/ns2/named.conf.in | 37 | ||||
-rw-r--r-- | bin/tests/system/auth/setup.sh | 17 | ||||
-rw-r--r-- | bin/tests/system/auth/tests.sh | 192 | ||||
-rw-r--r-- | bin/tests/system/auth/tests_sh_auth.py | 14 |
9 files changed, 394 insertions, 0 deletions
diff --git a/bin/tests/system/auth/clean.sh b/bin/tests/system/auth/clean.sh new file mode 100644 index 0000000..5fb37ac --- /dev/null +++ b/bin/tests/system/auth/clean.sh @@ -0,0 +1,20 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f */named.memstats +rm -f */named.run +rm -f */named.conf +rm -f dig.out.test* +rm -f ns2/example.com.bk +rm -f ns2/example.net.bk +rm -f ns*/managed-keys.bind* ns*/*mkeys* diff --git a/bin/tests/system/auth/ns1/chaos.db b/bin/tests/system/auth/ns1/chaos.db new file mode 100644 index 0000000..bbd489a --- /dev/null +++ b/bin/tests/system/auth/ns1/chaos.db @@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ CH SOA ns root ( + 2018010100 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A ch-addr.example. 1001 +test A ch-addr.example. 1002 + A ch-addr.example. 1003 diff --git a/bin/tests/system/auth/ns1/example.com.db b/bin/tests/system/auth/ns1/example.com.db new file mode 100644 index 0000000..6768895 --- /dev/null +++ b/bin/tests/system/auth/ns1/example.com.db @@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns root ( + 2018010100 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.1 +www CNAME server.example.net. +inzone CNAME a.example.com. +a A 10.53.0.1 +dname DNAME @ diff --git a/bin/tests/system/auth/ns1/example.net.db b/bin/tests/system/auth/ns1/example.net.db new file mode 100644 index 0000000..29885ca --- /dev/null +++ b/bin/tests/system/auth/ns1/example.net.db @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns root ( + 2018010100 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.1 +server A 10.53.0.100 diff --git a/bin/tests/system/auth/ns1/named.conf.in b/bin/tests/system/auth/ns1/named.conf.in new file mode 100644 index 0000000..9d0a517 --- /dev/null +++ b/bin/tests/system/auth/ns1/named.conf.in @@ -0,0 +1,44 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-validation no; +}; + +view main in { + zone example.net { + type primary; + file "example.net.db"; + }; + + zone example.com { + type primary; + file "example.com.db"; + }; +}; + +view alt chaos { + zone example.chaos chaos { + type primary; + file "chaos.db"; + }; +}; diff --git a/bin/tests/system/auth/ns2/named.conf.in b/bin/tests/system/auth/ns2/named.conf.in new file mode 100644 index 0000000..9b82c50 --- /dev/null +++ b/bin/tests/system/auth/ns2/named.conf.in @@ -0,0 +1,37 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion yes; + notify no; + dnssec-validation no; +}; + +zone example.net { + type secondary; + primaries { 10.53.0.1; }; + file "example.net.bk"; +}; + +zone example.com { + type secondary; + primaries { 10.53.0.1; }; + file "example.com.bk"; +}; diff --git a/bin/tests/system/auth/setup.sh b/bin/tests/system/auth/setup.sh new file mode 100644 index 0000000..6929ec5 --- /dev/null +++ b/bin/tests/system/auth/setup.sh @@ -0,0 +1,17 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf diff --git a/bin/tests/system/auth/tests.sh b/bin/tests/system/auth/tests.sh new file mode 100644 index 0000000..6cd4a27 --- /dev/null +++ b/bin/tests/system/auth/tests.sh @@ -0,0 +1,192 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +. ../conf.sh + +DIGOPTS="+tcp -p ${PORT}" + +status=0 +n=0 + +n=$((n + 1)) +echo_i "wait for zones to finish transferring to ns2 ($n)" +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + for zone in example.com example.net + do + $DIG $DIGOPTS @10.53.0.2 soa $zone > dig.out.test$n || ret=1 + grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 + done + [ $ret -eq 0 ] && break + sleep 1 +done +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +# +# If recursion is unrequested or unavailable, then cross-zone CNAME records +# should not be followed. If both requested and available, they should be. +# +n=$((n + 1)) +echo_i "check that cross-zone CNAME record does not return target data (rd=0/ra=0) ($n)" +ret=0 +$DIG $DIGOPTS +norec @10.53.0.1 www.example.com > dig.out.test$n || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1 +grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1 +grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check that cross-zone CNAME record does not return target data (rd=1/ra=0) ($n)" +ret=0 +$DIG $DIGOPTS +rec @10.53.0.1 www.example.com > dig.out.test$n || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1 +grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1 +grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check that cross-zone CNAME record does not return target data (rd=0/ra=1) ($n)" +ret=0 +$DIG $DIGOPTS +norec @10.53.0.2 www.example.com > dig.out.test$n || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1 +grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1 +grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check that cross-zone CNAME records return target data (rd=1/ra=1) ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.2 www.example.com > dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 +grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1 +grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1 +grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +# +# In-zone CNAME records should always be followed regardless of RD and RA. +# +n=$((n + 1)) +echo_i "check that in-zone CNAME records return target data (rd=0/ra=0) ($n)" +ret=0 +$DIG $DIGOPTS +norec @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 +grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1 +grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1 +grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check that in-zone CNAME records returns target data (rd=1/ra=0) ($n)" +ret=0 +$DIG $DIGOPTS +rec @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 +grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1 +grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1 +grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check that in-zone CNAME records return target data (rd=0/ra=1) ($n)" +ret=0 +$DIG $DIGOPTS +norec @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 +grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1 +grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1 +grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check that in-zone CNAME records return target data (rd=1/ra=1) ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 +grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1 +grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1 +grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check that in-zone CNAME records does not return target data when QTYPE is CNAME (rd=1/ra=1) ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -t cname inzone.example.com > dig.out.test$n || ret=1 +grep 'ANSWER: 1,' dig.out.test$n > /dev/null || ret=1 +grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1 +grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null || ret=1 +grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check that in-zone CNAME records does not return target data when QTYPE is ANY (rd=1/ra=1) ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -t any inzone.example.com > dig.out.test$n || ret=1 +grep 'ANSWER: 1,' dig.out.test$n > /dev/null || ret=1 +grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1 +grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null || ret=1 +grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check that in-zone DNAME records does not return target data when QTYPE is CNAME (rd=1/ra=1) ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -t cname inzone.dname.example.com > dig.out.test$n || ret=1 +grep 'ANSWER: 2,' dig.out.test$n > /dev/null || ret=1 +grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1 +grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n > /dev/null || ret=1 +grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n > /dev/null || ret=1 +grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null && ret=1 +grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check that in-zone DNAME records does not return target data when QTYPE is ANY (rd=1/ra=1) ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -t any inzone.dname.example.com > dig.out.test$n || ret=1 +grep 'ANSWER: 2,' dig.out.test$n > /dev/null || ret=1 +grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1 +grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n > /dev/null || ret=1 +grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n > /dev/null || ret=1 +grep 'inzone\.example\.com.*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null && ret=1 +grep 'a\.example\.com.*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check that CHAOS addresses are compared correctly ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 +noall +answer ch test.example.chaos > dig.out.test$n +lines=$(wc -l < dig.out.test$n) +[ ${lines:-0} -eq 2 ] || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/auth/tests_sh_auth.py b/bin/tests/system/auth/tests_sh_auth.py new file mode 100644 index 0000000..97233fa --- /dev/null +++ b/bin/tests/system/auth/tests_sh_auth.py @@ -0,0 +1,14 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + + +def test_auth(run_tests_sh): + run_tests_sh() |