summaryrefslogtreecommitdiffstats
path: root/bin/tests/system/auth
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--bin/tests/system/auth/clean.sh20
-rw-r--r--bin/tests/system/auth/ns1/chaos.db23
-rw-r--r--bin/tests/system/auth/ns1/example.com.db25
-rw-r--r--bin/tests/system/auth/ns1/example.net.db22
-rw-r--r--bin/tests/system/auth/ns1/named.conf.in44
-rw-r--r--bin/tests/system/auth/ns2/named.conf.in37
-rw-r--r--bin/tests/system/auth/setup.sh17
-rw-r--r--bin/tests/system/auth/tests.sh192
-rw-r--r--bin/tests/system/auth/tests_sh_auth.py14
9 files changed, 394 insertions, 0 deletions
diff --git a/bin/tests/system/auth/clean.sh b/bin/tests/system/auth/clean.sh
new file mode 100644
index 0000000..5fb37ac
--- /dev/null
+++ b/bin/tests/system/auth/clean.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */named.memstats
+rm -f */named.run
+rm -f */named.conf
+rm -f dig.out.test*
+rm -f ns2/example.com.bk
+rm -f ns2/example.net.bk
+rm -f ns*/managed-keys.bind* ns*/*mkeys*
diff --git a/bin/tests/system/auth/ns1/chaos.db b/bin/tests/system/auth/ns1/chaos.db
new file mode 100644
index 0000000..bbd489a
--- /dev/null
+++ b/bin/tests/system/auth/ns1/chaos.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ CH SOA ns root (
+ 2018010100 ; serial
+ 1800 ; refresh (30 minutes)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A ch-addr.example. 1001
+test A ch-addr.example. 1002
+ A ch-addr.example. 1003
diff --git a/bin/tests/system/auth/ns1/example.com.db b/bin/tests/system/auth/ns1/example.com.db
new file mode 100644
index 0000000..6768895
--- /dev/null
+++ b/bin/tests/system/auth/ns1/example.com.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns root (
+ 2018010100 ; serial
+ 1800 ; refresh (30 minutes)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.1
+www CNAME server.example.net.
+inzone CNAME a.example.com.
+a A 10.53.0.1
+dname DNAME @
diff --git a/bin/tests/system/auth/ns1/example.net.db b/bin/tests/system/auth/ns1/example.net.db
new file mode 100644
index 0000000..29885ca
--- /dev/null
+++ b/bin/tests/system/auth/ns1/example.net.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns root (
+ 2018010100 ; serial
+ 1800 ; refresh (30 minutes)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.1
+server A 10.53.0.100
diff --git a/bin/tests/system/auth/ns1/named.conf.in b/bin/tests/system/auth/ns1/named.conf.in
new file mode 100644
index 0000000..9d0a517
--- /dev/null
+++ b/bin/tests/system/auth/ns1/named.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation no;
+};
+
+view main in {
+ zone example.net {
+ type primary;
+ file "example.net.db";
+ };
+
+ zone example.com {
+ type primary;
+ file "example.com.db";
+ };
+};
+
+view alt chaos {
+ zone example.chaos chaos {
+ type primary;
+ file "chaos.db";
+ };
+};
diff --git a/bin/tests/system/auth/ns2/named.conf.in b/bin/tests/system/auth/ns2/named.conf.in
new file mode 100644
index 0000000..9b82c50
--- /dev/null
+++ b/bin/tests/system/auth/ns2/named.conf.in
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify no;
+ dnssec-validation no;
+};
+
+zone example.net {
+ type secondary;
+ primaries { 10.53.0.1; };
+ file "example.net.bk";
+};
+
+zone example.com {
+ type secondary;
+ primaries { 10.53.0.1; };
+ file "example.com.bk";
+};
diff --git a/bin/tests/system/auth/setup.sh b/bin/tests/system/auth/setup.sh
new file mode 100644
index 0000000..6929ec5
--- /dev/null
+++ b/bin/tests/system/auth/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
diff --git a/bin/tests/system/auth/tests.sh b/bin/tests/system/auth/tests.sh
new file mode 100644
index 0000000..6cd4a27
--- /dev/null
+++ b/bin/tests/system/auth/tests.sh
@@ -0,0 +1,192 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+. ../conf.sh
+
+DIGOPTS="+tcp -p ${PORT}"
+
+status=0
+n=0
+
+n=$((n + 1))
+echo_i "wait for zones to finish transferring to ns2 ($n)"
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ for zone in example.com example.net
+ do
+ $DIG $DIGOPTS @10.53.0.2 soa $zone > dig.out.test$n || ret=1
+ grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+ done
+ [ $ret -eq 0 ] && break
+ sleep 1
+done
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+#
+# If recursion is unrequested or unavailable, then cross-zone CNAME records
+# should not be followed. If both requested and available, they should be.
+#
+n=$((n + 1))
+echo_i "check that cross-zone CNAME record does not return target data (rd=0/ra=0) ($n)"
+ret=0
+$DIG $DIGOPTS +norec @10.53.0.1 www.example.com > dig.out.test$n || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1
+grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
+grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that cross-zone CNAME record does not return target data (rd=1/ra=0) ($n)"
+ret=0
+$DIG $DIGOPTS +rec @10.53.0.1 www.example.com > dig.out.test$n || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1
+grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
+grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that cross-zone CNAME record does not return target data (rd=0/ra=1) ($n)"
+ret=0
+$DIG $DIGOPTS +norec @10.53.0.2 www.example.com > dig.out.test$n || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1
+grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
+grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that cross-zone CNAME records return target data (rd=1/ra=1) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 www.example.com > dig.out.test$n || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1
+grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
+grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+#
+# In-zone CNAME records should always be followed regardless of RD and RA.
+#
+n=$((n + 1))
+echo_i "check that in-zone CNAME records return target data (rd=0/ra=0) ($n)"
+ret=0
+$DIG $DIGOPTS +norec @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1
+grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
+grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that in-zone CNAME records returns target data (rd=1/ra=0) ($n)"
+ret=0
+$DIG $DIGOPTS +rec @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1
+grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
+grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that in-zone CNAME records return target data (rd=0/ra=1) ($n)"
+ret=0
+$DIG $DIGOPTS +norec @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1
+grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
+grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that in-zone CNAME records return target data (rd=1/ra=1) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1
+grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
+grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that in-zone CNAME records does not return target data when QTYPE is CNAME (rd=1/ra=1) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -t cname inzone.example.com > dig.out.test$n || ret=1
+grep 'ANSWER: 1,' dig.out.test$n > /dev/null || ret=1
+grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1
+grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null || ret=1
+grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that in-zone CNAME records does not return target data when QTYPE is ANY (rd=1/ra=1) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -t any inzone.example.com > dig.out.test$n || ret=1
+grep 'ANSWER: 1,' dig.out.test$n > /dev/null || ret=1
+grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1
+grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null || ret=1
+grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that in-zone DNAME records does not return target data when QTYPE is CNAME (rd=1/ra=1) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -t cname inzone.dname.example.com > dig.out.test$n || ret=1
+grep 'ANSWER: 2,' dig.out.test$n > /dev/null || ret=1
+grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1
+grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n > /dev/null || ret=1
+grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n > /dev/null || ret=1
+grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null && ret=1
+grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that in-zone DNAME records does not return target data when QTYPE is ANY (rd=1/ra=1) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -t any inzone.dname.example.com > dig.out.test$n || ret=1
+grep 'ANSWER: 2,' dig.out.test$n > /dev/null || ret=1
+grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1
+grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n > /dev/null || ret=1
+grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n > /dev/null || ret=1
+grep 'inzone\.example\.com.*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null && ret=1
+grep 'a\.example\.com.*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that CHAOS addresses are compared correctly ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 +noall +answer ch test.example.chaos > dig.out.test$n
+lines=$(wc -l < dig.out.test$n)
+[ ${lines:-0} -eq 2 ] || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/auth/tests_sh_auth.py b/bin/tests/system/auth/tests_sh_auth.py
new file mode 100644
index 0000000..97233fa
--- /dev/null
+++ b/bin/tests/system/auth/tests_sh_auth.py
@@ -0,0 +1,14 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+
+def test_auth(run_tests_sh):
+ run_tests_sh()