51 files changed, 3129 insertions, 0 deletions
diff --git a/bin/tests/system/resolver/ans10/ans.py b/bin/tests/system/resolver/ans10/ans.py
new file mode 100644
index 0000000..6e95dbb
--- /dev/null
+++ b/bin/tests/system/resolver/ans10/ans.py
@@ -0,0 +1,152 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from __future__ import print_function
+import os
+import sys
+import signal
+import socket
+import select
+from datetime import datetime, timedelta
+import time
+import functools
+
+import dns, dns.message, dns.query, dns.flags
+from dns.rdatatype import *
+from dns.rdataclass import *
+from dns.rcode import *
+from dns.name import *
+
+
+# Log query to file
+def logquery(type, qname):
+ with open("qlog", "a") as f:
+ f.write("%s %s\n", type, qname)
+
+
+############################################################################
+# Respond to a DNS query.
+# If there are EDNS options present return FORMERR copying the OPT record.
+# Otherwise:
+# SOA gets a unsigned response.
+# NS gets a unsigned response.
+# A gets a unsigned response.
+# All other types get a unsigned NODATA response.
+############################################################################
+def create_response(msg):
+ m = dns.message.from_wire(msg)
+ qname = m.question[0].name.to_text()
+ rrtype = m.question[0].rdtype
+ typename = dns.rdatatype.to_text(rrtype)
+
+ with open("query.log", "a") as f:
+ f.write("%s %s\n" % (typename, qname))
+ print("%s %s" % (typename, qname), end=" ")
+
+ if m.edns != -1 and len(m.options) != 0:
+ r = dns.message.make_response(m)
+ r.use_edns(
+ edns=m.edns, ednsflags=m.ednsflags, payload=m.payload, options=m.options
+ )
+ r.set_rcode(FORMERR)
+ else:
+ r = dns.message.make_response(m)
+ r.set_rcode(NOERROR)
+ if rrtype == A:
+ r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.10"))
+ elif rrtype == NS:
+ r.answer.append(dns.rrset.from_text(qname, 1, IN, NS, "."))
+ elif rrtype == SOA:
+ r.answer.append(dns.rrset.from_text(qname, 1, IN, SOA, ". . 0 0 0 0 0"))
+ else:
+ r.authority.append(dns.rrset.from_text(qname, 1, IN, SOA, ". . 0 0 0 0 0"))
+ r.flags |= dns.flags.AA
+ return r
+
+
+def sigterm(signum, frame):
+ print("Shutting down now...")
+ os.remove("ans.pid")
+ running = False
+ sys.exit(0)
+
+
+############################################################################
+# Main
+#
+# Set up responder and control channel, open the pid file, and start
+# the main loop, listening for queries on the query channel or commands
+# on the control channel and acting on them.
+############################################################################
+ip4 = "10.53.0.10"
+ip6 = "fd92:7065:b8e:ffff::10"
+
+try:
+ port = int(os.environ["PORT"])
+except:
+ port = 5300
+
+query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+query4_socket.bind((ip4, port))
+havev6 = True
+try:
+ query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
+ try:
+ query6_socket.bind((ip6, port))
+ except:
+ query6_socket.close()
+ havev6 = False
+except:
+ havev6 = False
+signal.signal(signal.SIGTERM, sigterm)
+
+f = open("ans.pid", "w")
+pid = os.getpid()
+print(pid, file=f)
+f.close()
+
+running = True
+
+print("Listening on %s port %d" % (ip4, port))
+if havev6:
+ print("Listening on %s port %d" % (ip6, port))
+print("Ctrl-c to quit")
+
+if havev6:
+ input = [query4_socket, query6_socket]
+else:
+ input = [query4_socket]
+
+while running:
+ try:
+ inputready, outputready, exceptready = select.select(input, [], [])
+ except select.error as e:
+ break
+ except socket.error as e:
+ break
+ except KeyboardInterrupt:
+ break
+
+ for s in inputready:
+ if s == query4_socket or s == query6_socket:
+ print(
+ "Query received on %s" % (ip4 if s == query4_socket else ip6), end=" "
+ )
+ # Handle incoming queries
+ msg = s.recvfrom(65535)
+ rsp = create_response(msg[0])
+ if rsp:
+ print(dns.rcode.to_text(rsp.rcode()))
+ s.sendto(rsp.to_wire(), msg[1])
+ else:
+ print("NO RESPONSE")
+ if not running:
+ break
diff --git a/bin/tests/system/resolver/ans2/ans.pl b/bin/tests/system/resolver/ans2/ans.pl
new file mode 100644
index 0000000..aa1d51b
--- /dev/null
+++ b/bin/tests/system/resolver/ans2/ans.pl
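Review bot: `logquery` passes three positional arguments to `f.write`, which takes exactly one, so any call would raise TypeError; it should be `f.write("%s %s\n" % (type, qname))`. Nothing in the hunk calls it (create_response appends to query.log itself), so either fix it or drop it, and its `type` parameter shadows the builtin. The bare `except:` clauses around the PORT lookup and the IPv6 bind also swallow KeyboardInterrupt and SystemExit; `except (KeyError, ValueError):` and `except OSError:` name what is actually being guarded. In `sigterm`, `running = False` assigns a function-local that is discarded, which only works because `sys.exit(0)` follows; either add `global running` or delete the line.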
@@ -0,0 +1,147 @@ +#!/usr/bin/perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Ad hoc name server +# + +use IO::File; +use IO::Socket; +use Net::DNS; +use Net::DNS::Packet; + +my $localport = int($ENV{'PORT'}); +if (!$localport) { $localport = 5300; } + +my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.2", + LocalPort => $localport, Proto => "udp") or die "$!"; + +my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; +print $pidf "$$\n" or die "cannot write pid file: $!"; +$pidf->close or die "cannot close pid file: $!"; +sub rmpid { unlink "ans.pid"; exit 1; }; + +$SIG{INT} = \&rmpid; +$SIG{TERM} = \&rmpid; + +for (;;) { + $sock->recv($buf, 512); + + print "**** request from " , $sock->peerhost, " port ", $sock->peerport, "\n"; + + my $packet; + + if ($Net::DNS::VERSION > 0.68) { + $packet = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + } else { + my $err; + ($packet, $err) = new Net::DNS::Packet(\$buf, 0); + $err and die $err; + } + + print "REQUEST:\n"; + $packet->print; + + $packet->header->qr(1); + + my @questions = $packet->question; + my $qname = $questions[0]->qname; + my $qtype = $questions[0]->qtype; + + if ($qname eq "com" && $qtype eq "NS") { + $packet->header->aa(1); + $packet->push("answer", new Net::DNS::RR("com 300 NS a.root-servers.nil.")); + } elsif ($qname eq "example.com" && $qtype eq "NS") { + $packet->header->aa(1); + $packet->push("answer", new Net::DNS::RR("example.com 300 NS a.root-servers.nil.")); + } elsif ($qname eq "cname1.example.com") { + # Data for the "cname + other data / 1" test + $packet->push("answer", new 
Net::DNS::RR("cname1.example.com 300 CNAME cname1.example.com")); + $packet->push("answer", new Net::DNS::RR("cname1.example.com 300 A 1.2.3.4")); + } elsif ($qname eq "cname2.example.com") { + # Data for the "cname + other data / 2" test: same RRs in opposite order + $packet->push("answer", new Net::DNS::RR("cname2.example.com 300 A 1.2.3.4")); + $packet->push("answer", new Net::DNS::RR("cname2.example.com 300 CNAME cname2.example.com")); + } elsif ($qname =~ /redirect\.com/) { + $packet->push("authority", new Net::DNS::RR("redirect.com 300 NS ns.redirect.com")); + $packet->push("additional", new Net::DNS::RR("ns.redirect.com 300 A 10.53.0.6")); + } elsif ($qname =~ /\.tld1/) { + $packet->push("authority", new Net::DNS::RR("tld1 300 NS ns.tld1")); + $packet->push("additional", new Net::DNS::RR("ns.tld1 300 A 10.53.0.6")); + } elsif ($qname =~ /\.tld2/) { + $packet->push("authority", new Net::DNS::RR("tld2 300 NS ns.tld2")); + $packet->push("additional", new Net::DNS::RR("ns.tld2 300 A 10.53.0.7")); + } elsif ($qname eq "org" && $qtype eq "NS") { + $packet->header->aa(1); + $packet->push("answer", new Net::DNS::RR("org 300 NS a.root-servers.nil.")); + } elsif ($qname eq "example.org" && $qtype eq "NS") { + $packet->header->aa(1); + $packet->push("answer", new Net::DNS::RR("example.org 300 NS a.root-servers.nil.")); + } elsif (($qname eq "baddname.example.org" || $qname eq "gooddname.example.org") && $qtype eq "NS") { + $packet->header->aa(1); + $packet->push("answer", new Net::DNS::RR("example.org 300 NS a.root-servers.nil.")); + } elsif ($qname eq "www.example.org" || + $qname eq "badcname.example.org" || + $qname eq "goodcname.example.org" || + $qname eq "foo.baddname.example.org" || + $qname eq "foo.gooddname.example.org") { + # Data for address/alias filtering. + $packet->header->aa(1); + if ($qtype eq "A") { + $packet->push("answer", + new Net::DNS::RR($qname . 
+ " 300 A 192.0.2.1")); + } elsif ($qtype eq "AAAA") { + $packet->push("answer", + new Net::DNS::RR($qname . + " 300 AAAA 2001:db8:beef::1")); + } + } elsif ($qname eq "net" && $qtype eq "NS") { + $packet->header->aa(1); + $packet->push("answer", new Net::DNS::RR("net 300 NS a.root-servers.nil.")); + } elsif ($qname =~ /example\.net/) { + $packet->push("authority", new Net::DNS::RR("example.net 300 NS ns.example.net")); + $packet->push("additional", new Net::DNS::RR("ns.example.net 300 A 10.53.0.3")); + } elsif ($qname =~ /lame\.example\.org/) { + $packet->header->ad(0); + $packet->header->aa(0); + $packet->push("authority", new Net::DNS::RR("lame.example.org 300 NS ns.lame.example.org")); + $packet->push("additional", new Net::DNS::RR("ns.lame.example.org 300 A 10.53.0.3")); + } elsif ($qname =~ /sub\.example\.org/) { + # Data for CNAME/DNAME filtering. The final answers are + # expected to be accepted regardless of the filter setting. + $packet->push("authority", new Net::DNS::RR("sub.example.org 300 NS ns.sub.example.org")); + $packet->push("additional", new Net::DNS::RR("ns.sub.example.org 300 A 10.53.0.3")); + } elsif ($qname =~ /glue-in-answer\.example\.org/) { + $packet->push("answer", new Net::DNS::RR("ns.glue-in-answer.example.org 300 A 10.53.0.3")); + $packet->push("authority", new Net::DNS::RR("glue-in-answer.example.org 300 NS ns.glue-in-answer.example.org")); + $packet->push("additional", new Net::DNS::RR("ns.glue-in-answer.example.org 300 A 10.53.0.3")); + } elsif ($qname =~ /\.broken/ || $qname =~ /^broken/) { + # Delegation to broken TLD. 
+ $packet->push("authority", new Net::DNS::RR("broken 300 NS ns.broken")); + $packet->push("additional", new Net::DNS::RR("ns.broken 300 A 10.53.0.4")); + } elsif ($qname =~ /\.partial-formerr/) { + $packet->header->rcode("FORMERR"); + } else { + # Data for the "bogus referrals" test + $packet->push("authority", new Net::DNS::RR("below.www.example.com 300 NS ns.below.www.example.com")); + $packet->push("additional", new Net::DNS::RR("ns.below.www.example.com 300 A 10.53.0.3")); + } + + $sock->send($packet->data); + + print "RESPONSE:\n"; + $packet->print; + print "\n"; +} diff --git a/bin/tests/system/resolver/ans3/ans.pl b/bin/tests/system/resolver/ans3/ans.pl new file mode 100644 index 0000000..893c9ed --- /dev/null +++ b/bin/tests/system/resolver/ans3/ans.pl 
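Review bot: After `new Net::DNS::Packet(\$buf, 0)` the request loop does `$@ and die $@` (and `$err and die $err` on the pre-0.68 path), so a single unparsable datagram terminates the responder and leaves `ans.pid` behind, because `rmpid` only runs on INT/TERM; later tests then fail against a silently dead server. Replacing the `die` with `warn $@; next;` keeps the loop alive, and the same pattern appears in ans3/ans.pl (`handleQuery`) and ans8/ans.pl (`handleUDP`, `handleTCP`), where the sub would need to return undef and the caller skip the send. This script also lacks `use strict;` and `use warnings;`, unlike ans8/ans.pl, so `$buf` is an undeclared global.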
@@ -0,0 +1,191 @@ +#!/usr/bin/perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Ad hoc name server +# + +use IO::File; +use IO::Socket; +use Net::DNS; +use Net::DNS::Packet; + +# Ignore SIGPIPE so we won't fail if peer closes a TCP socket early +local $SIG{PIPE} = 'IGNORE'; + +# Flush logged output after every line +local $| = 1; + +my $localport = int($ENV{'PORT'}); +if (!$localport) { $localport = 5300; } + +my $server_addr = "10.53.0.3"; + +my $udpsock = IO::Socket::INET->new(LocalAddr => "$server_addr", + LocalPort => $localport, Proto => "udp", Reuse => 1) or die "$!"; +my $tcpsock = IO::Socket::INET->new(LocalAddr => "$server_addr", + LocalPort => $localport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!"; + +my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; +print $pidf "$$\n" or die "cannot write pid file: $!"; +$pidf->close or die "cannot close pid file: $!"; +sub rmpid { unlink "ans.pid"; exit 1; }; + +$SIG{INT} = \&rmpid; +$SIG{TERM} = \&rmpid; + +sub handleQuery { + my $buf = shift; + my $packet; + + if ($Net::DNS::VERSION > 0.68) { + $packet = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + } else { + my $err; + ($packet, $err) = new Net::DNS::Packet(\$buf, 0); + $err and die $err; + } + + print "REQUEST:\n"; + $packet->print; + + $packet->header->qr(1); + $packet->header->aa(1); + + my @questions = $packet->question; + my $qname = $questions[0]->qname; + my $qtype = $questions[0]->qtype; + + if ($qname eq "example.net" && $qtype eq "NS") { + $packet->push("answer", new Net::DNS::RR($qname . 
" 300 NS ns.example.net")); + $packet->push("additional", new Net::DNS::RR("ns.example.net 300 A 10.53.0.3")); + } elsif ($qname eq "ns.example.net") { + $packet->push("answer", new Net::DNS::RR($qname . " 300 A 10.53.0.3")); + } elsif ($qname eq "nodata.example.net") { + # Do not add a SOA RRset. + } elsif ($qname eq "nxdomain.example.net") { + # Do not add a SOA RRset. + $packet->header->rcode(NXDOMAIN); + } elsif ($qname eq "www.example.net") { + # Data for address/alias filtering. + if ($qtype eq "A") { + $packet->push("answer", new Net::DNS::RR($qname . " 300 A 192.0.2.1")); + } elsif ($qtype eq "AAAA") { + $packet->push("answer", new Net::DNS::RR($qname . " 300 AAAA 2001:db8:beef::1")); + } + } elsif ($qname eq "badcname.example.net") { + $packet->push("answer", + new Net::DNS::RR($qname . + " 300 CNAME badcname.example.org")); + } elsif (($qname eq "baddname.example.net" || $qname eq "gooddname.example.net") && $qtype eq "NS") { + $packet->push("authority", new Net::DNS::RR("example.net IN SOA (1 2 3 4 5)")) + } elsif ($qname eq "foo.baddname.example.net") { + $packet->push("answer", + new Net::DNS::RR("baddname.example.net" . + " 300 DNAME baddname.example.org")); + } elsif ($qname eq "foo.gooddname.example.net") { + $packet->push("answer", + new Net::DNS::RR("gooddname.example.net" . + " 300 DNAME gooddname.example.org")); + } elsif ($qname eq "goodcname.example.net") { + $packet->push("answer", + new Net::DNS::RR($qname . 
+ " 300 CNAME goodcname.example.org")); + } elsif ($qname =~ /^nodata\.example\.net$/i) { + $packet->header->aa(1); + } elsif ($qname =~ /^nxdomain\.example\.net$/i) { + $packet->header->aa(1); + $packet->header->rcode(NXDOMAIN); + } elsif ($qname =~ /lame\.example\.org/) { + $packet->header->ad(0); + $packet->header->aa(0); + $packet->push("authority", new Net::DNS::RR("lame.example.org 300 NS ns.lame.example.org")); + $packet->push("additional", new Net::DNS::RR("ns.lame.example.org 300 A 10.53.0.3")); + } elsif ($qname eq "large-referral.example.net") { + for (my $i = 1; $i < 1000; $i++) { + $packet->push("authority", new Net::DNS::RR("large-referral.example.net 300 NS ns" . $i . ".fake.redirect.com")); + } + # No glue records + } elsif ($qname eq "foo.bar.sub.tld1") { + $packet->push("answer", new Net::DNS::RR("$qname 300 TXT baz")); + } elsif ($qname eq "cname.sub.example.org") { + $packet->push("answer", + new Net::DNS::RR($qname . + " 300 CNAME ok.sub.example.org")); + } elsif ($qname eq "ok.sub.example.org") { + $packet->push("answer", + new Net::DNS::RR($qname . " 300 A 192.0.2.1")); + } elsif ($qname eq "www.dname.sub.example.org") { + $packet->push("answer", + new Net::DNS::RR("dname.sub.example.org" . + " 300 DNAME ok.sub.example.org")); + } elsif ($qname eq "www.ok.sub.example.org") { + $packet->push("answer", + new Net::DNS::RR($qname . " 300 A 192.0.2.1")); + } elsif ($qname eq "foo.glue-in-answer.example.org") { + $packet->push("answer", new Net::DNS::RR($qname . " 300 A 192.0.2.1")); + } elsif ($qname eq "ns.example.net") { + $packet->push("answer", + new Net::DNS::RR($qname . + " 300 A 10.53.0.3")); + } elsif ($qname =~ /\.partial-formerr/) { + $packet->push("answer", + new Net::DNS::RR($qname . 
" 1 A 10.53.0.3")); + } else { + $packet->push("answer", new Net::DNS::RR("www.example.com 300 A 1.2.3.4")); + } + + print "RESPONSE:\n"; + $packet->print; + + return $packet->data; +} + +# Main +my $rin; +my $rout; +for (;;) { + $rin = ''; + vec($rin, fileno($tcpsock), 1) = 1; + vec($rin, fileno($udpsock), 1) = 1; + + select($rout = $rin, undef, undef, undef); + + if (vec($rout, fileno($udpsock), 1)) { + printf "UDP request\n"; + my $buf; + $udpsock->recv($buf, 512); + my $result = handleQuery($buf); + my $num_chars = $udpsock->send($result); + print " Sent $num_chars bytes via UDP\n"; + } elsif (vec($rout, fileno($tcpsock), 1)) { + my $conn = $tcpsock->accept; + my $buf; + for (;;) { + my $lenbuf; + my $n = $conn->sysread($lenbuf, 2); + last unless $n == 2; + my $len = unpack("n", $lenbuf); + $n = $conn->sysread($buf, $len); + last unless $n == $len; + print "TCP request\n"; + my $result = handleQuery($buf); + $len = length($result); + $conn->syswrite(pack("n", $len), 2); + $n = $conn->syswrite($result, $len); + print " Sent: $n chars via TCP\n"; + } + $conn->close; + } +} diff --git a/bin/tests/system/resolver/ans8/ans.pl b/bin/tests/system/resolver/ans8/ans.pl new file mode 100644 index 0000000..a3d06b6 --- /dev/null +++ b/bin/tests/system/resolver/ans8/ans.pl 
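Review bot: In the TCP branch of the main loop, `$n = $conn->sysread($buf, $len)` assumes one sysread returns the whole `$len`-byte message; a short read is legal on a stream socket, and `last unless $n == $len` then drops the connection and the query without a log line. Accumulate until `$len` bytes have arrived (or EOF) before calling `handleQuery`; the same two lines appear in ans8/ans.pl's TCP loop, and the 2-byte length-prefix read has the same weakness. Separately, in `handleQuery` the branch `elsif ($qname eq "ns.example.net")` near the end of the chain is unreachable because the identical test appears earlier; drop one of them.
```perl
my $len = unpack("n", $lenbuf);
# sysread may return fewer than $len bytes; keep reading until the message is complete
$buf = '';
while (length($buf) < $len) {
    my $got = $conn->sysread($buf, $len - length($buf), length($buf));
    last unless $got;
}
last unless length($buf) == $len;
# … unchanged: handleQuery call and length-prefixed syswrite …
```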
@@ -0,0 +1,177 @@ +#!/usr/bin/perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +use IO::File; +use IO::Socket; +use Data::Dumper; +use Net::DNS; +use Net::DNS::Packet; +use strict; + +# Ignore SIGPIPE so we won't fail if peer closes a TCP socket early +local $SIG{PIPE} = 'IGNORE'; + +# Flush logged output after every line +local $| = 1; + +my $server_addr = "10.53.0.8"; + +my $localport = int($ENV{'PORT'}); +if (!$localport) { $localport = 5300; } + +my $udpsock = IO::Socket::INET->new(LocalAddr => "$server_addr", + LocalPort => $localport, Proto => "udp", Reuse => 1) or die "$!"; +my $tcpsock = IO::Socket::INET->new(LocalAddr => "$server_addr", + LocalPort => $localport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!"; + +print "listening on $server_addr:$localport.\n"; + +my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; +print $pidf "$$\n" or die "cannot write pid file: $!"; +$pidf->close or die "cannot close pid file: $!";; +sub rmpid { unlink "ans.pid"; exit 1; }; + +$SIG{INT} = \&rmpid; +$SIG{TERM} = \&rmpid; + +sub handleUDP { + my ($buf) = @_; + my $request; + + if ($Net::DNS::VERSION > 0.68) { + $request = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + } else { + my $err; + ($request, $err) = new Net::DNS::Packet(\$buf, 0); + $err and die $err; + } + + my @questions = $request->question; + my $qname = $questions[0]->qname; + my $qtype = $questions[0]->qtype; + my $qclass = $questions[0]->qclass; + my $id = $request->header->id; + + my $response = new Net::DNS::Packet($qname, $qtype, $qclass); + $response->header->qr(1); + $response->header->aa(1); + 
$response->header->tc(0); + $response->header->id($id); + + # Responses to queries for no-questions/NS and ns.no-questions/A are + # _not_ malformed or truncated. + if ($qname eq "no-questions" && $qtype eq "NS") { + $response->push("answer", new Net::DNS::RR($qname . " 300 NS ns.no-questions")); + $response->push("additional", new Net::DNS::RR("ns.no-questions. 300 A 10.53.0.8")); + return $response->data; + } elsif ($qname eq "ns.no-questions") { + $response->push("answer", new Net::DNS::RR($qname . " 300 A 10.53.0.8")) + if ($qtype eq "A"); + return $response->data; + } elsif ($qname =~ /\.formerr-to-all$/) { + $response->header->rcode("FORMERR"); + return $response->data; + } + + # don't use Net::DNS to construct the header only reply as early + # versions just get it completely wrong. + + if ($qname eq "truncated.no-questions") { + # QR, AA, TC: forces TCP retry + return (pack("nnnnnn", $id, 0x8600, 0, 0, 0, 0)); + } elsif ($qname eq "tcpalso.no-questions") { + # QR, REFUSED: forces TCP retry + return (pack("nnnnnn", $id, 0x8205, 0, 0, 0, 0)); + } + # QR, AA + return (pack("nnnnnn", $id, 0x8400, 0, 0, 0, 0)); +} + +sub handleTCP { + my ($buf) = @_; + my $request; + + if ($Net::DNS::VERSION > 0.68) { + $request = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + } else { + my $err; + ($request, $err) = new Net::DNS::Packet(\$buf, 0); + $err and die $err; + } + + my @questions = $request->question; + my $qname = $questions[0]->qname; + my $qtype = $questions[0]->qtype; + my $qclass = $questions[0]->qclass; + my $id = $request->header->id; + + my @results = (); + my $response = new Net::DNS::Packet($qname, $qtype, $qclass); + + $response->header->qr(1); + $response->header->aa(1); + $response->header->id($id); + $response->push("answer", new Net::DNS::RR("$qname 300 A 1.2.3.4")); + + if ($qname eq "tcpalso.no-questions") { + # for this qname we also return a bad reply over TCP + # QR, REFUSED, no question section + push (@results, pack("nnnnnn", $id, 0x8005, 0, 
0, 0, 0)); + } else { + push(@results, $response->data); + } + + return \@results; +} + +# Main +my $rin; +my $rout; +for (;;) { + $rin = ''; + vec($rin, fileno($tcpsock), 1) = 1; + vec($rin, fileno($udpsock), 1) = 1; + + select($rout = $rin, undef, undef, undef); + + if (vec($rout, fileno($udpsock), 1)) { + printf "UDP request\n"; + my $buf; + $udpsock->recv($buf, 512); + my $result = handleUDP($buf); + my $num_chars = $udpsock->send($result); + print " Sent $num_chars bytes via UDP\n"; + } elsif (vec($rout, fileno($tcpsock), 1)) { + my $conn = $tcpsock->accept; + my $buf; + for (;;) { + my $lenbuf; + my $n = $conn->sysread($lenbuf, 2); + last unless $n == 2; + my $len = unpack("n", $lenbuf); + $n = $conn->sysread($buf, $len); + last unless $n == $len; + print "TCP request\n"; + my $result = handleTCP($buf); + foreach my $response (@$result) { + $len = length($response); + $n = $conn->syswrite(pack("n", $len), 2); + $n = $conn->syswrite($response, $len); + print " Sent: $n chars via TCP\n"; + } + } + $conn->close; + } +} diff --git a/bin/tests/system/resolver/clean.sh b/bin/tests/system/resolver/clean.sh new file mode 100644 index 0000000..d4ff983 --- /dev/null +++ b/bin/tests/system/resolver/clean.sh 
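Review bot: The comment on the `tcpalso.no-questions` reply in `handleUDP` says `# QR, REFUSED: forces TCP retry`, but 0x8205 also has bit 0x0200 (TC) set, and TC is what makes the resolver retry over TCP; `# QR, TC, REFUSED: forces TCP retry` matches the bytes. The hand-packed headers would read better with the flag bits named once, e.g. a short comment above `if ($qname eq "truncated.no-questions")` stating that 0x8000 is QR, 0x0400 AA, 0x0200 TC and the low nibble the rcode. `$pidf->close or die "cannot close pid file: $!";;` has a stray second semicolon.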
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after resolver tests.
+#
+rm -f ./*/named.conf
+rm -f ./*/named.memstats
+rm -f ./*/named.run ./*/named.run.prev
+rm -f ./*/ans.run
+rm -f ./*/*.jdb
+rm -f dig.out dig.out.* dig.*.out.*
+rm -f dig.*.foo.*
+rm -f dig.*.bar.*
+rm -f dig.*.prime.*
+rm -f nextpart.out.*
+rm -f ns4/tld.db
+rm -f ns6/K*
+rm -f ns6/example.net.db.signed ns6/example.net.db
+rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db
+rm -f ns6/dsset-ds.example.net*
+rm -f ns6/dsset-example.net* ns6/example.net.db.signed.jnl
+rm -f ns6/named.stats*
+rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
+rm -f ns7/server.db ns7/server.db.jnl
+rm -f resolve.out.*.test*
+rm -f .digrc
+rm -f ns*/named.lock
+rm -f ns5/trusted.conf
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
diff --git a/bin/tests/system/resolver/ns1/chaostest.db b/bin/tests/system/resolver/ns1/chaostest.db
new file mode 100644
index 0000000..153f31d
--- /dev/null
+++ b/bin/tests/system/resolver/ns1/chaostest.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ CHAOS SOA @ @ 1970010100 86400 600 86400 300
+@ CHAOS NS @
+version CHAOS TXT "CH 1.0"
+hostname CHAOS TXT "unknown"
diff --git a/bin/tests/system/resolver/ns1/named.conf.in b/bin/tests/system/resolver/ns1/named.conf.in
new file mode 100644
index 0000000..f0f9571
--- /dev/null
+++ b/bin/tests/system/resolver/ns1/named.conf.in
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
+ except-from { "example.org"; };
+ deny-answer-aliases { "example.org"; }
+ except-from { "goodcname.example.net";
+ "gooddname.example.net"; };
+ allow-query {!10.53.0.8; any; };
+ max-zone-ttl unlimited;
+ attach-cache "globalcache";
+};
+
+server 10.53.0.3 {
+ tcp-only yes;
+};
+
+server 10.42.23.3/32 {
+ notify-source 10.42.22.1;
+ query-source address 10.42.22.1 port 0;
+ transfer-source 10.42.22.1;
+};
+
+server fd92:7065:b8e:ffff::1000 {
+ notify-source-v6 fd92:7065:b8e:ffff::1001;
+ query-source-v6 address fd92:7065:b8e:ffff::1001 port 0;
+ transfer-source-v6 fd92:7065:b8e:ffff::1001;
+};
+
+/*
+ * Must be first view so that there is a CH cache with name
+ * "globalcache" before the recursive "default"/IN view is configured.
+ */
+view "class" chaos {
+ zone "chaostest" CHAOS {
+ type primary;
+ file "chaostest.db";
+ };
+};
+
+/*
+ * Must be second view so that so that we can check we don't attach to the
+ * "globalcache"/CH cache.
+ */
+view "default" {
+ zone "." {
+ type hint;
+ file "root.hint";
+ };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
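Review bot: The comment above the "default" view reads `so that so that`; drop the duplicate so it becomes ` * Must be second view so that we can check we don't attach to the`. The `server 10.42.23.3/32` and `server fd92:7065:b8e:ffff::1000` stanzas name addresses no other fixture in this diff uses, so a one-line comment saying what they exercise (presumably configuration parsing of per-server source-address options) would save the next reader a search. Likewise `allow-query {!10.53.0.8; any; };` refuses exactly the ans8 responder's address; a comment naming the test that depends on that refusal would make the intent visible.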
diff --git a/bin/tests/system/resolver/ns1/root.hint b/bin/tests/system/resolver/ns1/root.hint
new file mode 100644
index 0000000..993227d
--- /dev/null
+++ b/bin/tests/system/resolver/ns1/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+. IN NS a.root-servers.nil.
+a.root-servers.nil. IN A 10.53.0.2
diff --git a/bin/tests/system/resolver/ns4/broken.db b/bin/tests/system/resolver/ns4/broken.db
new file mode 100644
index 0000000..eb64f85
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/broken.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+@ NS ns.tld.
+ns A 10.53.0.4
+$TTL 5
+sub.broken. NS ns.sub.broken.
+ns.sub.broken. A 10.53.0.6
diff --git a/bin/tests/system/resolver/ns4/child.server.db b/bin/tests/system/resolver/ns4/child.server.db
new file mode 100644
index 0000000..188eb4a
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/child.server.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+@ NS ns
+ns A 10.53.0.4
+foo TXT "From NS 4"
+bar TXT "From NS 4"
diff --git a/bin/tests/system/resolver/ns4/moves.db b/bin/tests/system/resolver/ns4/moves.db
new file mode 100644
index 0000000..dc1c396
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/moves.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+@ NS ns.server.
+foo TXT "From NS 4"
+bar TXT "From NS 4"
diff --git a/bin/tests/system/resolver/ns4/named.conf.in b/bin/tests/system/resolver/ns4/named.conf.in
new file mode 100644
index 0000000..281c2ca
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/named.conf.in
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+ /* test that named loads with root-delegation-only */
+ root-delegation-only;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
+
+zone "moves" {
+ type primary;
+ file "moves.db";
+};
+
+zone "child.server" {
+ type primary;
+ file "child.server.db";
+};
+
+zone "tld" {
+ type primary;
+ file "tld.db";
+};
+
+zone "broken" {
+ type primary;
+ file "broken.db";
+};
+
+zone "sourcens" {
+ type primary;
+ file "sourcens.db";
+};
+
+zone "v4only.net" {
+ type primary;
+ file "v4only.net.db";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/resolver/ns4/named.noaa b/bin/tests/system/resolver/ns4/named.noaa
new file mode 100644
index 0000000..be78cc2
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/named.noaa
@@ -0,0 +1,12 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+Add -T noaa.
diff --git a/bin/tests/system/resolver/ns4/root.db b/bin/tests/system/resolver/ns4/root.db
new file mode 100644
index 0000000..4e4418b
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/root.db
@@ -0,0 +1,39 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA marka.isc.org. a.root.servers.nil. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.4
+all-cnames NS cname.tld
+delegation-only. NS ns.delegation-only.
+ns.delegation-only. A 10.53.0.6
+example.net. NS ns.example.net.
+ns.example.net. A 10.53.0.6
+no-questions. NS ns.no-questions.
+ns.no-questions. A 10.53.0.8
+formerr-to-all. NS ns.formerr-to-all.
+ns.formerr-to-all. A 10.53.0.8
+sourcens. NS ns.sourcens.
+ns.sourcens. A 10.53.0.4
+targetns. NS ns.targetns.
+ns.targetns. A 10.53.0.6
+partial-formerr. NS ns.partial-formerr.
+ns.partial-formerr. A 10.53.0.2
+ns.partial-formerr. A 10.53.0.3
+options-formerr. NS ns.options-formerr.
+ns.options-formerr. A 10.53.0.10
diff --git a/bin/tests/system/resolver/ns4/sourcens.db b/bin/tests/system/resolver/ns4/sourcens.db
new file mode 100644
index 0000000..3567cfb
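Review bot: The SOA RNAME `a.root.servers.nil.` on the `. IN SOA` line of ns4/root.db does not match the NS owner `a.root-servers.nil.` two lines below (dot versus hyphen), and the same pair appears in ns6/root.db and ns7/server.db.in. Nothing in these fixtures resolves the SOA fields, so it is harmless, but it reads like a typo carried across copies; spelling all three `a.root-servers.nil.` removes the question for the next reader. Note also that RFC 1035 orders the SOA fields MNAME then RNAME, so `marka.isc.org.` is being read as the primary server name and `a.root.servers.nil.` as the contact; if that is deliberate it deserves a one-line comment, since it is the reverse of how the fields are usually filled.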
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/sourcens.db
@@ -0,0 +1,91 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This zone contains a set of delegations with varying numbers of NS
+; records. This is used to check that BIND is limiting the number of
+; NS records it follows when resolving a delegation. It tests all
+; numbers of NS records up to twice the number followed.
+
+$TTL 60
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+@ NS ns
+ns A 10.53.0.4
+
+target1 NS ns.fake11.targetns.
+
+target2 NS ns.fake21.targetns.
+ NS ns.fake22.targetns.
+
+target3 NS ns.fake31.targetns.
+ NS ns.fake32.targetns.
+ NS ns.fake33.targetns.
+
+target4 NS ns.fake41.targetns.
+ NS ns.fake42.targetns.
+ NS ns.fake43.targetns.
+ NS ns.fake44.targetns.
+
+target5 NS ns.fake51.targetns.
+ NS ns.fake52.targetns.
+ NS ns.fake53.targetns.
+ NS ns.fake54.targetns.
+ NS ns.fake55.targetns.
+
+target6 NS ns.fake61.targetns.
+ NS ns.fake62.targetns.
+ NS ns.fake63.targetns.
+ NS ns.fake64.targetns.
+ NS ns.fake65.targetns.
+ NS ns.fake66.targetns.
+
+target7 NS ns.fake71.targetns.
+ NS ns.fake72.targetns.
+ NS ns.fake73.targetns.
+ NS ns.fake74.targetns.
+ NS ns.fake75.targetns.
+ NS ns.fake76.targetns.
+ NS ns.fake77.targetns.
+
+target8 NS ns.fake81.targetns.
+ NS ns.fake82.targetns.
+ NS ns.fake83.targetns.
+ NS ns.fake84.targetns.
+ NS ns.fake85.targetns.
+ NS ns.fake86.targetns.
+ NS ns.fake87.targetns.
+ NS ns.fake88.targetns.
+
+target9 NS ns.fake91.targetns.
+ NS ns.fake92.targetns.
+ NS ns.fake93.targetns.
+ NS ns.fake94.targetns.
+ NS ns.fake95.targetns.
+ NS ns.fake96.targetns.
+ NS ns.fake97.targetns.
+ NS ns.fake98.targetns.
+ NS ns.fake99.targetns.
+
+target10 NS ns.fake101.targetns.
+ NS ns.fake102.targetns.
+ NS ns.fake103.targetns.
+ NS ns.fake104.targetns.
+ NS ns.fake105.targetns.
+ NS ns.fake106.targetns.
+ NS ns.fake107.targetns.
+ NS ns.fake108.targetns.
+ NS ns.fake109.targetns.
+ NS ns.fake1010.targetns.
diff --git a/bin/tests/system/resolver/ns4/tld1.db b/bin/tests/system/resolver/ns4/tld1.db
new file mode 100644
index 0000000..03d7908
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/tld1.db
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+@ NS ns.tld.
+ns A 10.53.0.4
+$TTL 5
+to-be-removed NS ns.to-be-removed
+ns.to-be-removed A 10.53.0.6
+fetch.tld. NS ns.fetch.tld.
+ns.fetch.tld. A 10.53.0.6
+no-edns-version.tld. NS ns.no-edns-version.tld.
+ns.no-edns-version.tld. A 10.53.0.6
+edns-version.tld. NS ns.edns-version.tld.
+ns.edns-version.tld. A 10.53.0.7
+cname CNAME ns7
+ns7 A 10.53.0.7
+mixedttl 10 A 10.0.0.1
+mixedttl 15 TXT a TXT record
+mixedttl 20 AAAA 2001:db8::1
diff --git a/bin/tests/system/resolver/ns4/tld2.db b/bin/tests/system/resolver/ns4/tld2.db
new file mode 100644
index 0000000..c3a96d9
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/tld2.db
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+@ NS ns.tld.
+ns A 10.53.0.4
+fetch.tld. NS ns.fetch.tld.
+ns.fetch.tld. A 10.53.0.6
+fetchall 10 A 1.2.3.4
+fetchall 10 AAAA ::1
+fetchall 10 TXT A short ttl
+no-edns-version.tld. NS ns.no-edns-version.tld.
+ns.no-edns-version.tld. A 10.53.0.6
+edns-version.tld. NS ns.edns-version.tld.
+ns.edns-version.tld. A 10.53.0.7
+cname CNAME ns7
+ns7 A 10.53.0.7
+mixedttl 10 A 10.0.0.1
+mixedttl 15 TXT a TXT record
+mixedttl 20 AAAA 2001:db8::1
diff --git a/bin/tests/system/resolver/ns4/v4only.net.db b/bin/tests/system/resolver/ns4/v4only.net.db
new file mode 100644
index 0000000..b097f3a
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/v4only.net.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+@ NS v4.nameserver.
+ A 10.0.0.1
+* CNAME @
diff --git a/bin/tests/system/resolver/ns5/child.server.db b/bin/tests/system/resolver/ns5/child.server.db
new file mode 100644
index 0000000..2517b6c
--- /dev/null
+++ b/bin/tests/system/resolver/ns5/child.server.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+@ NS ns
+ns A 10.53.0.5
+foo TXT "From NS 5"
+bar TXT "From NS 5"
diff --git a/bin/tests/system/resolver/ns5/moves.db b/bin/tests/system/resolver/ns5/moves.db
new file mode 100644
index 0000000..57f4e91
--- /dev/null
+++ b/bin/tests/system/resolver/ns5/moves.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+@ NS ns.server.
+foo TXT "From NS 5"
+bar TXT "From NS 5"
diff --git a/bin/tests/system/resolver/ns5/named.conf.in b/bin/tests/system/resolver/ns5/named.conf.in
new file mode 100644
index 0000000..6ad4e6a
--- /dev/null
+++ b/bin/tests/system/resolver/ns5/named.conf.in
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ querylog yes;
+ prefetch 4 10;
+};
+
+server 10.53.0.7 {
+ edns-version 0;
+};
+
+zone "." {
+ type hint;
+ file "root.hint";
+};
+
+zone "moves" {
+ type primary;
+ file "moves.db";
+};
+
+zone "child.server" {
+ type primary;
+ file "child.server.db";
+};
+
+zone "delegation-only" {
+ type delegation-only;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/resolver/ns5/root.hint b/bin/tests/system/resolver/ns5/root.hint
new file mode 100644
index 0000000..3685f54
--- /dev/null
+++ b/bin/tests/system/resolver/ns5/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+. IN NS a.root-servers.nil.
+a.root-servers.nil. IN A 10.53.0.4
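Review bot: ns5 sets `dnssec-validation yes;` in its options block but configures no trust anchor in this file, and the `trusted.conf` that ns6/keygen.sh writes into ns5/ is never included here (keygen's own comment says it is for delv). With `yes` rather than `auto` and no anchors, named's documented behaviour is that no validation takes place, so this resolver is effectively non-validating; if that is the intent, a one-line comment next to the option such as `/* no trust anchors configured: validation is nominal; ../ns5/trusted.conf is consumed by delv, not named */` would save the next reader from hunting for the missing `include`. If ns5 is meant to validate, it needs `include "trusted.conf";` (presumed path — confirm against the test driver).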
diff --git a/bin/tests/system/resolver/ns6/broken.db b/bin/tests/system/resolver/ns6/broken.db
new file mode 100644
index 0000000..85b36bf
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/broken.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ IN SOA ns hostmaster 1 1800 900 604800 600
+@ IN NS ns
+ns IN A 10.53.0.6
+ns0 IN A 10.53.0.6
+ns1 IN A 10.53.0.6
+ns2 IN A 10.53.0.6
+ns3 IN A 10.53.0.6
+ns4 IN A 10.53.0.6
+ns5 IN A 10.53.0.6
+ns6 IN A 10.53.0.6
+ns7 IN A 10.53.0.6
+ns8 IN A 10.53.0.6
+ns9 IN A 10.53.0.6
+$TTL 1
+@ IN A 10.53.0.6
+www.sub IN A 10.53.0.6
diff --git a/bin/tests/system/resolver/ns6/delegation-only.db b/bin/tests/system/resolver/ns6/delegation-only.db
new file mode 100644
index 0000000..b144338
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/delegation-only.db
@@ -0,0 +1,33 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 120
+@ IN SOA ns marka.isc.org. 1 0 0 0 120
+@ IN NS ns
+@ IN DNSKEY 256 3 7 AwEAAY9437GPWJHzBeR4FP6eJAie7gh2QSM6LUnbDAHvHOx8MNqgSVRM PZka2rAgivb65/MkT1lXRUegj91iRFP3iggTpCgvdUbcBjsYrdODsrwF YUMIUl1pU0lH9x7KvfFUOfSmG+Rk5UHUWuRZbNyc65Sq69iFXg5c11+8 MAkRoeDF
+;
+; Delegation only test CDS and CDNSKEY records. These should be
+; returned even if delegation-only is set for this zone.
+;
+@ IN A 1.2.3.4
+@ IN AAAA c::1.2.3.4
+@ IN CDS 12023 7 2 36FB69A752615831B47EA6EF9EA4619D0FB08ABDA69EA3ED200F4C02FF4921D4
+@ IN CDNSKEY 256 3 7 AwEAAY9437GPWJHzBeR4FP6eJAie7gh2QSM6LUnbDAHvHOx8MNqgSVRM PZka2rAgivb65/MkT1lXRUegj91iRFP3iggTpCgvdUbcBjsYrdODsrwF YUMIUl1pU0lH9x7KvfFUOfSmG+Rk5UHUWuRZbNyc65Sq69iFXg5c11+8 MAkRoeDF
+;
+; Delegation only test CDS and CDNSKEY records. These should be rejected
+; as they are not at the zone apex.
+;
+a IN A 1.2.3.4
+aaaa IN AAAA c::1.2.3.4
+cds IN CDS 21366 7 1 E6C1716CFB6BDC84E84CE1AB5510DAC69173B5B2
+cdnskey IN CDNSKEY 256 3 7 AwEAAY9437GPWJHzBeR4FP6eJAie7gh2QSM6LUnbDAHvHOx8MNqgSVRM PZka2rAgivb65/MkT1lXRUegj91iRFP3iggTpCgvdUbcBjsYrdODsrwF YUMIUl1pU0lH9x7KvfFUOfSmG+Rk5UHUWuRZbNyc65Sq69iFXg5c11+8 MAkRoeDF
+;
+ns IN A 10.53.0.6
diff --git a/bin/tests/system/resolver/ns6/ds.example.net.db.in b/bin/tests/system/resolver/ns6/ds.example.net.db.in
new file mode 100644
index 0000000..fad382b
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/ds.example.net.db.in
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ IN SOA ns hostmaster 1 1800 900 604800 600
+@ IN NS ns
+ns IN A 10.53.0.6
diff --git a/bin/tests/system/resolver/ns6/example.net.db.in b/bin/tests/system/resolver/ns6/example.net.db.in
new file mode 100644
index 0000000..4bef728
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/example.net.db.in
@@ -0,0 +1,34 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ IN SOA ns hostmaster 1 1800 900 604800 600
+@ IN NS ns
+@ IN MX 0 mail
+ns IN A 10.53.0.6
+mail IN A 10.53.0.6
+www IN HTTPS 0 http-server
+http-server IN A 10.53.0.6
+https-loop IN HTTPS 0 https-next
+https-loop IN A 10.53.0.6
+https-next IN HTTPS 0 https-loop
+https-next IN A 10.53.0.7
+https-cname IN HTTPS 0 cname-server
+cname-server IN CNAME cname-next
+cname-next IN CNAME http-server
+https-cname-loop IN HTTPS 0 https-cname-loop0
+https-cname-loop0 IN CNAME https-cname-loop0
+fetch 10 IN TXT A short ttl
+non-zero 10 IN TXT A short ttl
+zero 0 IN TXT A zero ttl
+$TTL 13
+ds IN NS ns.ds
+ns.ds IN A 10.53.0.6
diff --git a/bin/tests/system/resolver/ns6/fetch.tld.db b/bin/tests/system/resolver/ns6/fetch.tld.db
new file mode 100644
index 0000000..1d59e5a
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/fetch.tld.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA marka.isc.org. ns.fetch.tld. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+@ NS ns.fetch.tld.
+ns.fetch.tld. A 10.53.0.6
+
+@ 13 TXT A short ttl
diff --git a/bin/tests/system/resolver/ns6/keygen.sh b/bin/tests/system/resolver/ns6/keygen.sh
new file mode 100644
index 0000000..2141a30
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/keygen.sh
@@ -0,0 +1,38 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../../conf.sh
+
+#
+# We use rsasha256 here to get a ZSK + KSK that don't fit in 512 bytes.
+#
+zone=ds.example.net
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a rsasha256 -fk $zone)
+zsk=$($KEYGEN -q -a rsasha256 -b 2048 $zone)
+cat $ksk.key $zsk.key >> $zonefile
+$SIGNER -P -o $zone $zonefile > /dev/null
+
+zone=example.net
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $zone)
+zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
+cat $ksk.key $zsk.key dsset-ds.example.net. >> $zonefile
+$SIGNER -P -o $zone $zonefile > /dev/null
+
+# Configure a static key to be used by delv
+keyfile_to_static_ds $ksk > ../ns5/trusted.conf
diff --git a/bin/tests/system/resolver/ns6/moves.db b/bin/tests/system/resolver/ns6/moves.db
new file mode 100644
index 0000000..06634ee
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/moves.db
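Review bot: Both `$SIGNER -P -o $zone $zonefile > /dev/null` calls pass `-P`, which turns off dnssec-signzone's post-signing verification, so a zone that signs "successfully" but fails to verify (for instance if the DS set for ds.example.net is not what `cat ... dsset-ds.example.net.` appended) is only discovered later as an unexplained validation failure inside the resolver tests; unless run time is the concern, dropping `-P` gives the failure at the point where it is cheap to read. Separately, error handling rests entirely on the shebang's `-e`, which is not applied when the harness runs the script as `sh keygen.sh` (I cannot see the caller from here); adding `set -e` right after `. ../../conf.sh` makes the script abort on a failed `$KEYGEN` either way. The unquoted `$ksk.key $zsk.key` expansions are fine for the key names keygen produces, but `cp "$infile" "$zonefile"` costs nothing and matches the quoted assignments above it.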
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+@ NS ns.server.
+foo TXT "From NS 6"
+bar TXT "From NS 6"
diff --git a/bin/tests/system/resolver/ns6/named.conf.in b/bin/tests/system/resolver/ns6/named.conf.in
new file mode 100644
index 0000000..769b577
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/named.conf.in
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS6
+
+options {
+ query-source address 10.53.0.6;
+ notify-source 10.53.0.6;
+ transfer-source 10.53.0.6;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.6; };
+ listen-on-v6 { fd92:7065:b8e:ffff::6; };
+ recursion no;
+ dnssec-validation no;
+ querylog yes;
+ statistics-file "named.stats";
+ /*
+ * test that named loads with root-delegation-only that
+ * has a exclude list.
+ */
+ root-delegation-only exclude { "a"; };
+ max-udp-size 4096;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
+
+zone "example.net" {
+ type primary;
+ file "example.net.db.signed";
+ allow-update { any; };
+};
+
+zone "ds.example.net" {
+ type primary;
+ file "ds.example.net.db.signed";
+ allow-update { any; };
+};
+
+zone "to-be-removed.tld" {
+ type primary;
+ file "to-be-removed.tld.db";
+ allow-update { any; };
+};
+
+zone "broken" {
+ type primary;
+ file "broken.db";
+ allow-update { any; };
+};
+
+zone "redirect.com" {
+ type primary;
+ file "redirect.com.db";
+};
+
+zone "tld1" {
+ type primary;
+ file "tld1.db";
+};
+
+zone "no-edns-version.tld" {
+ type primary;
+ file "no-edns-version.tld.db";
+};
+
+zone "delegation-only" {
+ type primary;
+ file "delegation-only.db";
+};
+
+zone "fetch.tld" {
+ type primary;
+ file "fetch.tld.db";
+};
+
+zone "targetns" {
+ type primary;
+ file "targetns.db";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
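Review bot: Four zones in this file (example.net, ds.example.net, to-be-removed.tld, broken) carry `allow-update { any; };` while the neighbouring zones carry no update policy, and nothing in the file says why those four are writable. In a fixture bound to the 10.53.0.0/24 test network this is acceptable, but the asymmetry invites a later "hardening" edit that would silently break whatever dynamic-update step depends on it; a one-line comment on the first occurrence, e.g. `/* writable: exercised by nsupdate from the test driver */` (presumed — confirm against tests.sh), records the intent. The `statistics-file` and `max-udp-size 4096;` settings would likewise benefit from the same style of one-line rationale the `root-delegation-only` block already has.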
diff --git a/bin/tests/system/resolver/ns6/no-edns-version.tld.db b/bin/tests/system/resolver/ns6/no-edns-version.tld.db
new file mode 100644
index 0000000..9ab654d
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/no-edns-version.tld.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ SOA . . 0 0 0 0 0
+@ NS ns
+ns A 10.53.0.6
diff --git a/bin/tests/system/resolver/ns6/redirect.com.db b/bin/tests/system/resolver/ns6/redirect.com.db
new file mode 100644
index 0000000..f79f6dd
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/redirect.com.db
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ IN SOA ns hostmaster 1 1800 900 604800 600
+@ IN NS ns
+ns IN A 10.53.0.6
+
+; 10.53.1.* are non-responsive IP addresses
+$GENERATE 1-100 ns$.fake IN A 10.53.1.$
+$GENERATE 101-200 ns$.fake IN A 10.53.1.${-100}
+$GENERATE 201-300 ns$.fake IN A 10.53.1.${-200}
+$GENERATE 301-400 ns$.fake IN A 10.53.1.${-300}
+$GENERATE 401-500 ns$.fake IN A 10.53.1.${-400}
+$GENERATE 501-600 ns$.fake IN A 10.53.1.${-500}
+$GENERATE 601-700 ns$.fake IN A 10.53.1.${-600}
+$GENERATE 701-800 ns$.fake IN A 10.53.1.${-700}
+$GENERATE 801-900 ns$.fake IN A 10.53.1.${-800}
+$GENERATE 901-1000 ns$.fake IN A 10.53.1.${-900}
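Review bot: ns6/no-edns-version.tld.db has no `$TTL` directive and no per-record TTLs, and the SOA minimum on `@ SOA . . 0 0 0 0 0` is 0; ns7/edns-version.tld.db (later in this series) is built the same way. As far as I recall, named then falls back to the SOA minimum for every record and logs a "no TTL specified" warning at load, so these records are served with TTL 0, which may be exactly what an EDNS-version probe zone wants — but nothing says so. If zero is intended, an explicit `$TTL 0` line after the licence header documents it and removes the warning; if not, `$TTL 300` brings both zones in line with their siblings.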
diff --git a/bin/tests/system/resolver/ns6/root.db b/bin/tests/system/resolver/ns6/root.db
new file mode 100644
index 0000000..096381c
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/root.db
@@ -0,0 +1,36 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA marka.isc.org. a.root.servers.nil. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.6
+a.root-servers.nil. AAAA fd92:7065:b8e:ffff::6
+moves. NS ns.server.
+server. NS ns7.server.
+ns7.server. A 10.53.0.7
+;
+; These two delegations are strictly not necessary as the test resolver (ns5)
+; doesn't have this zone as its root. They are just done for consistency with
+; the delegations in ns4/tld.
+;
+no-edns-version.tld. NS ns.no-edns-version.tld.
+ns.no-edns-version.tld. A 10.53.0.6
+edns-version.tld. NS ns.edns-version.tld.
+ns.edns-version.tld. A 10.53.0.7
+v4only.net. NS v4.nameserver.
+v4.nameserver. A 10.53.0.4
diff --git a/bin/tests/system/resolver/ns6/targetns.db b/bin/tests/system/resolver/ns6/targetns.db
new file mode 100644
index 0000000..4d9496b
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/targetns.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; In the test for checking how many NS records BIND will follow, this
+; zone marks the server as the one to which the NS lookups will be
+; directed.
+
+$TTL 300
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+ NS ns
+ns A 10.53.0.6
diff --git a/bin/tests/system/resolver/ns6/tld1.db b/bin/tests/system/resolver/ns6/tld1.db
new file mode 100644
index 0000000..412509b
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/tld1.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ IN SOA ns hostmaster 1 1800 900 604800 600
+@ IN NS ns
+ns IN A 10.53.0.6
+
+$GENERATE 1-21 sub IN NS sub-ns$.tld2.
diff --git a/bin/tests/system/resolver/ns6/to-be-removed.tld.db.in b/bin/tests/system/resolver/ns6/to-be-removed.tld.db.in
new file mode 100644
index 0000000..5638090
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/to-be-removed.tld.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ IN SOA ns hostmaster 1 1800 900 604800 600
+@ IN NS ns
+ns IN A 10.53.0.6
+ns0 IN A 10.53.0.6
+ns1 IN A 10.53.0.6
+ns2 IN A 10.53.0.6
+ns3 IN A 10.53.0.6
+ns4 IN A 10.53.0.6
+ns5 IN A 10.53.0.6
+ns6 IN A 10.53.0.6
+ns7 IN A 10.53.0.6
+ns8 IN A 10.53.0.6
+ns9 IN A 10.53.0.6
+$TTL 1
+@ IN A 10.53.0.6
+www IN A 10.53.0.6
diff --git a/bin/tests/system/resolver/ns7/all-cnames.db b/bin/tests/system/resolver/ns7/all-cnames.db
new file mode 100644
index 0000000..85003ee
--- /dev/null
+++ b/bin/tests/system/resolver/ns7/all-cnames.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+@ NS cname.tld.
diff --git a/bin/tests/system/resolver/ns7/edns-version.tld.db b/bin/tests/system/resolver/ns7/edns-version.tld.db
new file mode 100644
index 0000000..bcfae40
--- /dev/null
+++ b/bin/tests/system/resolver/ns7/edns-version.tld.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ SOA . . 0 0 0 0 0
+@ NS ns
+ns A 10.53.0.7
diff --git a/bin/tests/system/resolver/ns7/named1.conf.in b/bin/tests/system/resolver/ns7/named1.conf.in
new file mode 100644
index 0000000..1d32ae9
--- /dev/null
+++ b/bin/tests/system/resolver/ns7/named1.conf.in
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS7
+
+options {
+ query-source address 10.53.0.7;
+ notify-source 10.53.0.7;
+ transfer-source 10.53.0.7;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { fd92:7065:b8e:ffff::7; };
+ recursion yes;
+ dnssec-validation yes;
+ empty-zones-enable yes;
+ disable-empty-zone 20.172.in-addr.arpa;
+ /*
+ * check prefetch disabled
+ * check zero ttl not returned
+ */
+ prefetch 0;
+ querylog yes;
+ edns-udp-size 4096;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "root.hint";
+};
+
+zone "server" {
+ type primary;
+ file "server.db";
+ allow-update { any; };
+};
+
+zone "edns-version.tld" {
+ type primary;
+ file "edns-version.tld.db";
+};
+
+zone "all-cnames" {
+ type primary;
+ file "all-cnames.db";
+};
+
+zone "tld2" {
+ type primary;
+ file "tld2.db";
+};
+
+zone "sub.tld1" {
+ type primary;
+ file "sub.tld1.db";
+};
diff --git a/bin/tests/system/resolver/ns7/named2.conf.in b/bin/tests/system/resolver/ns7/named2.conf.in
new file mode 100644
index 0000000..1d32ae9
--- /dev/null
+++ b/bin/tests/system/resolver/ns7/named2.conf.in
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS7
+
+options {
+ query-source address 10.53.0.7;
+ notify-source 10.53.0.7;
+ transfer-source 10.53.0.7;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { fd92:7065:b8e:ffff::7; };
+ recursion yes;
+ dnssec-validation yes;
+ empty-zones-enable yes;
+ disable-empty-zone 20.172.in-addr.arpa;
+ /*
+ * check prefetch disabled
+ * check zero ttl not returned
+ */
+ prefetch 0;
+ querylog yes;
+ edns-udp-size 4096;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "root.hint";
+};
+
+zone "server" {
+ type primary;
+ file "server.db";
+ allow-update { any; };
+};
+
+zone "edns-version.tld" {
+ type primary;
+ file "edns-version.tld.db";
+};
+
+zone "all-cnames" {
+ type primary;
+ file "all-cnames.db";
+};
+
+zone "tld2" {
+ type primary;
+ file "tld2.db";
+};
+
+zone "sub.tld1" {
+ type primary;
+ file "sub.tld1.db";
+};
diff --git a/bin/tests/system/resolver/ns7/root.hint b/bin/tests/system/resolver/ns7/root.hint
new file mode 100644
index 0000000..3337bd5
--- /dev/null
+++ b/bin/tests/system/resolver/ns7/root.hint
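Review bot: ns7/named2.conf.in is byte-identical to ns7/named1.conf.in — both file headers carry the same blob id `1d32ae9`, and the 75 lines match one for one — so whatever step reconfigures ns7 from named1 to named2 during the test run is currently a no-op. Either the second file was meant to differ (a changed `prefetch`, `edns-udp-size` or `dnssec-validation` value would be the usual reason for a numbered pair) and the delta was lost, or the switch is vestigial and named2.conf.in and its reconfigure step can go. If the pair is kept on purpose as a "reload with the same config" check, a one-line comment at the top of named2.conf.in saying so, e.g. `// intentionally identical to named1.conf.in: exercises reconfig with unchanged settings`, would stop the next reader from diffing them.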
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+. IN NS a.root-servers.nil.
+a.root-servers.nil. IN A 10.53.0.6
diff --git a/bin/tests/system/resolver/ns7/server.db.in b/bin/tests/system/resolver/ns7/server.db.in
new file mode 100644
index 0000000..7d5169a
--- /dev/null
+++ b/bin/tests/system/resolver/ns7/server.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA marka.isc.org. a.root.servers.nil. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+@ NS ns7
+ns7 A 10.53.0.7
+ns A 10.53.0.5
+child NS ns.child
+ns.child A 10.53.0.5
diff --git a/bin/tests/system/resolver/ns7/sub.tld1.db b/bin/tests/system/resolver/ns7/sub.tld1.db
new file mode 100644
index 0000000..b2d46c6
--- /dev/null
+++ b/bin/tests/system/resolver/ns7/sub.tld1.db
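Review bot: The SOA line `@ IN SOA marka.isc.org. a.root.servers.nil. (` in server.db.in reads as though MNAME and RNAME are transposed: the first field is the primary server's name and the second the hostmaster mailbox, but here a mailbox-looking name comes first and a server-looking name second. None of the visible tests appear to inspect these fields, so it is cosmetic, but `@ IN SOA ns7 hostmaster (` would match the zone's actual primary (`@ NS ns7`) and not mislead a reader. A short comment above `ns A 10.53.0.5` and `ns.child A 10.53.0.5` saying that tests.sh re-points both via nsupdate (which is why the zone carries `allow-update { any; }` and is copied from a `.in` file by setup.sh) would explain why these records look disconnected from the rest of the zone.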
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ IN SOA ns hostmaster 1 1800 900 604800 600
+
+$GENERATE 1-21 @ IN NS sub-ns$.tld2.
+
+$GENERATE 1-21 bar IN NS bar-sub-ns$.tld2.
diff --git a/bin/tests/system/resolver/ns7/tld2.db b/bin/tests/system/resolver/ns7/tld2.db
new file mode 100644
index 0000000..1f31b51
--- /dev/null
+++ b/bin/tests/system/resolver/ns7/tld2.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ IN SOA ns hostmaster 1 1800 900 604800 600
+@ IN NS ns
+ns IN A 10.53.0.7
+
+$GENERATE 1-21 sub-ns$ IN A 10.53.0.7
+$GENERATE 1-21 bar-sub-ns$ IN A 10.53.0.3
diff --git a/bin/tests/system/resolver/ns9/named.args b/bin/tests/system/resolver/ns9/named.args
new file mode 100644
index 0000000..0c66bc0
--- /dev/null
+++ b/bin/tests/system/resolver/ns9/named.args
@@ -0,0 +1,2 @@
+# this server is IPv6 only
+-6 -m record -c named.conf -d 99 -D resolver-ns9 -X named.lock -g -T maxcachesize=2097152
diff --git a/bin/tests/system/resolver/ns9/named.conf.in b/bin/tests/system/resolver/ns9/named.conf.in
new file mode 100644
index 0000000..3be31db
--- /dev/null
+++ b/bin/tests/system/resolver/ns9/named.conf.in
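Review bot: `$GENERATE 1-21 bar-sub-ns$ IN A 10.53.0.3` in tld2.db aims all 21 `bar-sub-ns*` glue addresses at 10.53.0.3, and setup.sh in this diff configures only ns1, ns4, ns5, ns6, ns7 and ns9, so those servers presumably never answer; that is likely deliberate (sub.tld1.db in the same diff delegates `bar` to exactly these 21 names, in contrast to the `sub-ns*` set that resolves to ns7), but nothing in either file says so. Add a comment above the two `$GENERATE` lines, e.g. `; sub-ns* answer (this server); bar-sub-ns* point at 10.53.0.3 where no server listens, so fetches to them fail`, and confirm that no other test in the suite binds 10.53.0.3. The count `1-21` must also stay in step between sub.tld1.db and tld2.db, which a comment naming the pairing would make obvious.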
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS9
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { none; };
+ listen-on-v6 { fd92:7065:b8e:ffff::9; };
+ recursion yes;
+ dnssec-validation yes;
+ dual-stack-servers { fd92:7065:b8e:ffff::7; };
+ qname-minimization off;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet fd92:7065:b8e:ffff::9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "root.hint";
+};
diff --git a/bin/tests/system/resolver/ns9/named.ipv6-only b/bin/tests/system/resolver/ns9/named.ipv6-only
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/bin/tests/system/resolver/ns9/named.ipv6-only
diff --git a/bin/tests/system/resolver/ns9/root.hint b/bin/tests/system/resolver/ns9/root.hint
new file mode 100644
index 0000000..f74fbf1
--- /dev/null
+++ b/bin/tests/system/resolver/ns9/root.hint
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+. IN NS a.root-servers.nil.
+a.root-servers.nil. IN A 10.53.0.6
+a.root-servers.nil. IN AAAA fd92:7065:b8e:ffff::6;
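Review bot: `dual-stack-servers { fd92:7065:b8e:ffff::7; };` and `qname-minimization off;` are the two settings that make ns9 different from the other resolvers in this directory, and neither carries a reason. ns9 is started with `-6` (named.args) and has `listen-on { none; };`, so dual-stack-servers is presumably how it reaches authoritative servers that only have IPv4 glue, by way of ns7; the reason for turning qname minimization off is not visible anywhere in this diff. A comment such as `// IPv6-only resolver: IPv4-only auth servers are reached through ns7` above `dual-stack-servers` and one giving the motivation on the `qname-minimization` line would stop a later cleanup from "restoring" the defaults and silently changing what the ns9 tests exercise.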
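Review bot: The last line of ns9/root.hint, `a.root-servers.nil. IN AAAA fd92:7065:b8e:ffff::6;`, ends in a `;`; in master-file syntax `;` opens a comment, so it parses as an empty comment and is harmless, but it looks like a stray copy from named.conf and is inconsistent with the A line right above it. Drop it: `a.root-servers.nil. IN AAAA fd92:7065:b8e:ffff::6`. Since this server runs with `-6` per named.args, the IPv4 hint `a.root-servers.nil. IN A 10.53.0.6` is presumably never used here; a one-line comment saying the AAAA is the operative hint would save the next reader from wondering whether the A is needed.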
diff --git a/bin/tests/system/resolver/setup.sh b/bin/tests/system/resolver/setup.sh
new file mode 100644
index 0000000..eeda13b
--- /dev/null
+++ b/bin/tests/system/resolver/setup.sh
@@ -0,0 +1,28 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=../conf.sh
+. ../conf.sh
+
+cp ns4/tld1.db ns4/tld.db
+cp ns6/to-be-removed.tld.db.in ns6/to-be-removed.tld.db
+cp ns7/server.db.in ns7/server.db
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named1.conf.in ns7/named.conf
+copy_setports ns9/named.conf.in ns9/named.conf
+
+(cd ns6 && $SHELL keygen.sh)
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
new file mode 100755
index 0000000..2232e5b
--- /dev/null
+++ b/bin/tests/system/resolver/tests.sh
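Review bot: `#!/bin/sh -e` is the only place setup.sh asks for errexit, and a shebang flag takes effect only when the file is executed directly, not when it is run as `sh setup.sh` or `$SHELL setup.sh`; tests.sh in the same diff uses an explicit `set -e` after its license header instead, and setup.sh is created with mode 100644 (not executable) while tests.sh is 100755, which suggests it is invoked through the shell. If that is how the harness runs it (run.sh is not in this diff, so I cannot confirm), a failing `cp` or `copy_setports` is ignored and the servers start on stale or missing config, which then surfaces as confusing test failures rather than a setup error. Add `set -e` on its own line before `. ../conf.sh`, matching tests.sh, and leave the shebang as plain `#!/bin/sh`.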
@@ -0,0 +1,1022 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +# shellcheck source=../conf.sh +. ../conf.sh + +dig_with_opts() { + "${DIG}" -p "${PORT}" "${@}" +} + +resolve_with_opts() { + "${RESOLVE}" -p "${PORT}" "${@}" +} + +rndccmd() { + "${RNDC}" -c ../common/rndc.conf -p "${CONTROLPORT}" -s "${@}" +} + +status=0 +n=0 + +n=$((n+1)) +echo_i "checking non-cachable NXDOMAIN response handling ($n)" +ret=0 +dig_with_opts +tcp nxdomain.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +if [ -x "${RESOLVE}" ] ; then + n=$((n+1)) + echo_i "checking non-cachable NXDOMAIN response handling using dns_client ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 nxdomain.example.net 2> resolve.out.ns1.test${n} || ret=1 + grep "resolution failed: ncache nxdomain" resolve.out.ns1.test${n} > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +if [ -x "${RESOLVE}" ] ; then + n=$((n+1)) + echo_i "checking that local bound address can be set (Can't query from a denied address) ($n)" + ret=0 + resolve_with_opts -b 10.53.0.8 -t a -s 10.53.0.1 www.example.org 2> resolve.out.ns1.test${n} || ret=1 + grep "resolution failed: SERVFAIL" resolve.out.ns1.test${n} > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n+1)) + echo_i "checking that local bound address can be set (Can query from an allowed address) ($n)" + ret=0 + resolve_with_opts -b 10.53.0.1 
-t a -s 10.53.0.1 www.example.org > resolve.out.ns1.test${n} || ret=1 + grep "www.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +n=$((n+1)) +echo_i "checking non-cachable NODATA response handling ($n)" +ret=0 +dig_with_opts +tcp nodata.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +if [ -x "${RESOLVE}" ] ; then + n=$((n+1)) + echo_i "checking non-cachable NODATA response handling using dns_client ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 nodata.example.net 2> resolve.out.ns1.test${n} || ret=1 + grep "resolution failed: ncache nxrrset" resolve.out.ns1.test${n} > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +n=$((n+1)) +echo_i "checking handling of bogus referrals ($n)" +# If the server has the "INSIST(!external)" bug, this query will kill it. +dig_with_opts +tcp www.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); } + +if [ -x "${RESOLVE}" ] ; then + n=$((n+1)) + echo_i "checking handling of bogus referrals using dns_client ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 www.example.com 2> resolve.out.ns1.test${n} || ret=1 + grep "resolution failed: SERVFAIL" resolve.out.ns1.test${n} > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +n=$((n+1)) +echo_i "check handling of cname + other data / 1 ($n)" +dig_with_opts +tcp cname1.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); } + +n=$((n+1)) +echo_i "check handling of cname + other data / 2 ($n)" +dig_with_opts +tcp cname2.example.com. 
a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); } + +n=$((n+1)) +echo_i "check that server is still running ($n)" +dig_with_opts +tcp www.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); } + +n=$((n+1)) +echo_i "checking answer IPv4 address filtering (deny) ($n)" +ret=0 +dig_with_opts +tcp www.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 +grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "checking answer IPv6 address filtering (deny) ($n)" +ret=0 +dig_with_opts +tcp www.example.net @10.53.0.1 aaaa > dig.out.ns1.test${n} || ret=1 +grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "checking answer IPv4 address filtering (accept) ($n)" +ret=0 +dig_with_opts +tcp www.example.org @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + + +if [ -x "${RESOLVE}" ] ; then + n=$((n+1)) + echo_i "checking answer IPv4 address filtering using dns_client (accept) ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 www.example.org > resolve.out.ns1.test${n} || ret=1 + grep "www.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +n=$((n+1)) +echo_i "checking answer IPv6 address filtering (accept) ($n)" +ret=0 +dig_with_opts +tcp www.example.org @10.53.0.1 aaaa > dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +if [ -x "${RESOLVE}" ] ; then + n=$((n+1)) + echo_i "checking answer IPv6 address filtering using dns_client (accept) ($n)" + ret=0 + resolve_with_opts -t 
aaaa -s 10.53.0.1 www.example.org > resolve.out.ns1.test${n} || ret=1 + grep "www.example.org..*.2001:db8:beef::1" resolve.out.ns1.test${n} > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +n=$((n+1)) +echo_i "checking CNAME target filtering (deny) ($n)" +ret=0 +dig_with_opts +tcp badcname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 +grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "checking CNAME target filtering (accept) ($n)" +ret=0 +dig_with_opts +tcp goodcname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +if [ -x "${RESOLVE}" ] ; then + n=$((n+1)) + echo_i "checking CNAME target filtering using dns_client (accept) ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 goodcname.example.net > resolve.out.ns1.test${n} || ret=1 + grep "goodcname.example.net..*.goodcname.example.org." resolve.out.ns1.test${n} > /dev/null || ret=1 + grep "goodcname.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +n=$((n+1)) +echo_i "checking CNAME target filtering (accept due to subdomain) ($n)" +ret=0 +dig_with_opts +tcp cname.sub.example.org @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +if [ -x "${RESOLVE}" ] ; then + n=$((n+1)) + echo_i "checking CNAME target filtering using dns_client (accept due to subdomain) ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 cname.sub.example.org > resolve.out.ns1.test${n} || ret=1 + grep "cname.sub.example.org..*.ok.sub.example.org." 
resolve.out.ns1.test${n} > /dev/null || ret=1 + grep "ok.sub.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +n=$((n+1)) +echo_i "checking DNAME target filtering (deny) ($n)" +ret=0 +dig_with_opts +tcp foo.baddname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 +grep "DNAME target foo.baddname.example.org denied for foo.baddname.example.net/IN" ns1/named.run >/dev/null || ret=1 +grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "checking DNAME target filtering (accept) ($n)" +ret=0 +dig_with_opts +tcp foo.gooddname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +if [ -x "${RESOLVE}" ] ; then + n=$((n+1)) + echo_i "checking DNAME target filtering using dns_client (accept) ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 foo.gooddname.example.net > resolve.out.ns1.test${n} || ret=1 + grep "foo.gooddname.example.net..*.gooddname.example.org" resolve.out.ns1.test${n} > /dev/null || ret=1 + grep "foo.gooddname.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +n=$((n+1)) +echo_i "checking DNAME target filtering (accept due to subdomain) ($n)" +ret=0 +dig_with_opts +tcp www.dname.sub.example.org @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +if [ -x "${RESOLVE}" ] ; then + n=$((n+1)) + echo_i "checking DNAME target filtering using dns_client (accept due to subdomain) ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 www.dname.sub.example.org > resolve.out.ns1.test${n} || 
ret=1 + grep "www.dname.sub.example.org..*.ok.sub.example.org." resolve.out.ns1.test${n} > /dev/null || ret=1 + grep "www.ok.sub.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +n=$((n+1)) +echo_i "check that the resolver accepts a referral response with a non-empty ANSWER section ($n)" +ret=0 +dig_with_opts @10.53.0.1 foo.glue-in-answer.example.org. A > dig.ns1.out.${n} || ret=1 +grep "status: NOERROR" dig.ns1.out.${n} > /dev/null || ret=1 +grep "foo.glue-in-answer.example.org.*192.0.2.1" dig.ns1.out.${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)" +# ns5 is the recusor being tested. ns4 holds the sourcens zone containing +# names with varying numbers of NS records pointing to non-existent +# nameservers in the targetns zone on ns6. +ret=0 +rndccmd 10.53.0.5 flush || ret=1 # Ensure cache is empty before doing this test +count_fetches () { + actual=$(nextpartpeek ns5/named.run | grep -c " fetch: ns.fake${nscount}") + [ "${actual:-0}" -eq "${expected}" ] || return 1 + return 0 +} +for nscount in 1 2 3 4 5 6 7 8 9 10 +do + # Verify number of NS records at source server + dig_with_opts +norecurse @10.53.0.4 target${nscount}.sourcens ns > dig.ns4.out.${nscount}.${n} + sourcerecs=$(grep NS dig.ns4.out.${nscount}.${n} | grep -cv ';') + test "${sourcerecs}" -eq "${nscount}" || ret=1 + test "${sourcerecs}" -eq "${nscount}" || echo_i "NS count incorrect for target${nscount}.sourcens" + + # Expected queries = 2 * number of NS records, up to a maximum of 10. 
+ expected=$((nscount*2)) + if [ "$expected" -gt 10 ]; then expected=10; fi + # Count the number of logged fetches + nextpart ns5/named.run > /dev/null + dig_with_opts @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1 + retry_quiet 5 count_fetches ns5/named.run $nscount $expected || { + echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual"; ret=1; + } +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "RT21594 regression test check setup ($n)" +ret=0 +# Check that "aa" is not being set by the authoritative server. +dig_with_opts +tcp . @10.53.0.4 soa > dig.ns4.out.${n} || ret=1 +grep 'flags: qr rd;' dig.ns4.out.${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "RT21594 regression test positive answers ($n)" +ret=0 +# Check that resolver accepts the non-authoritative positive answers. +dig_with_opts +tcp . @10.53.0.5 soa > dig.ns5.out.${n} || ret=1 +grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "RT21594 regression test NODATA answers ($n)" +ret=0 +# Check that resolver accepts the non-authoritative nodata answers. +dig_with_opts +tcp . @10.53.0.5 txt > dig.ns5.out.${n} || ret=1 +grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "RT21594 regression test NXDOMAIN answers ($n)" +ret=0 +# Check that resolver accepts the non-authoritative positive answers. 
+dig_with_opts +tcp noexistent @10.53.0.5 txt > dig.ns5.out.${n} || ret=1 +grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)" +ret=0 +dig_with_opts +tcp mx example.net @10.53.0.7 > dig.ns7.out.${n} || ret=1 +grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=1 +if [ $ret = 1 ]; then echo_i "mx priming failed"; fi +$NSUPDATE << EOF +server 10.53.0.6 ${PORT} +zone example.net +update delete mail.example.net A +update add mail.example.net 0 AAAA ::1 +send +EOF +dig_with_opts +tcp a mail.example.net @10.53.0.7 > dig.ns7.out.${n} || ret=2 +grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=2 +grep "ANSWER: 0" dig.ns7.out.${n} > /dev/null || ret=2 +if [ $ret = 2 ]; then echo_i "ncache priming failed"; fi +dig_with_opts +tcp mx example.net @10.53.0.7 > dig.ns7.out.${n} || ret=3 +grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=3 +dig_with_opts +tcp rrsig mail.example.net +norec @10.53.0.7 > dig.ns7.out.${n} || ret=4 +grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=4 +grep "ANSWER: 0" dig.ns7.out.${n} > /dev/null || ret=4 +if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) + +if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "checking that update a nameservers address has immediate effects ($n)" +ret=0 +dig_with_opts +tcp TXT foo.moves @10.53.0.7 > dig.ns7.foo.${n} || ret=1 +grep "From NS 5" dig.ns7.foo.${n} > /dev/null || ret=1 +$NSUPDATE << EOF +server 10.53.0.7 ${PORT} +zone server +update delete ns.server A +update add ns.server 300 A 10.53.0.4 +send +EOF +sleep 1 +dig_with_opts +tcp TXT bar.moves @10.53.0.7 > dig.ns7.bar.${n} || ret=1 +grep "From NS 4" dig.ns7.bar.${n} > /dev/null || ret=1 + +if [ $ret != 0 ]; then echo_i "failed"; status=1; fi + 
+n=$((n+1)) +echo_i "checking that update a nameservers glue has immediate effects ($n)" +ret=0 +dig_with_opts +tcp TXT foo.child.server @10.53.0.7 > dig.ns7.foo.${n} || ret=1 +grep "From NS 5" dig.ns7.foo.${n} > /dev/null || ret=1 +$NSUPDATE << EOF +server 10.53.0.7 ${PORT} +zone server +update delete ns.child.server A +update add ns.child.server 300 A 10.53.0.4 +send +EOF +sleep 1 +dig_with_opts +tcp TXT bar.child.server @10.53.0.7 > dig.ns7.bar.${n} || ret=1 +grep "From NS 4" dig.ns7.bar.${n} > /dev/null || ret=1 + +if [ $ret != 0 ]; then echo_i "failed"; status=1; fi + +n=$((n+1)) +echo_i "checking empty RFC 1918 reverse zones ($n)" +ret=0 +# Check that "aa" is being set by the resolver for RFC 1918 zones +# except the one that has been deliberately disabled +dig_with_opts @10.53.0.7 -x 10.1.1.1 > dig.ns4.out.1.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.1.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 192.168.1.1 > dig.ns4.out.2.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.2.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.16.1.1 > dig.ns4.out.3.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.3.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.17.1.1 > dig.ns4.out.4.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.4.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.18.1.1 > dig.ns4.out.5.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.5.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.19.1.1 > dig.ns4.out.6.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.6.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.21.1.1 > dig.ns4.out.7.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.7.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.22.1.1 > dig.ns4.out.8.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.8.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.23.1.1 > dig.ns4.out.9.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.9.${n} > 
/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.24.1.1 > dig.ns4.out.11.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.11.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.25.1.1 > dig.ns4.out.12.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.12.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.26.1.1 > dig.ns4.out.13.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.13.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.27.1.1 > dig.ns4.out.14.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.14.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.28.1.1 > dig.ns4.out.15.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.15.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.29.1.1 > dig.ns4.out.16.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.16.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.30.1.1 > dig.ns4.out.17.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.17.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.31.1.1 > dig.ns4.out.18.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.18.${n} > /dev/null || ret=1 +# but this one should NOT be authoritative +dig_with_opts @10.53.0.7 -x 172.20.1.1 > dig.ns4.out.19.${n} || ret=1 +grep 'flags: qr rd ra;' dig.ns4.out.19.${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; status=1; fi + +n=$((n+1)) +echo_i "checking that removal of a delegation is honoured ($n)" +ret=0 +dig_with_opts @10.53.0.5 www.to-be-removed.tld A > dig.ns5.prime.${n} +grep "status: NOERROR" dig.ns5.prime.${n} > /dev/null || { ret=1; echo_i "priming failed"; } +cp ns4/tld2.db ns4/tld.db +rndc_reload ns4 10.53.0.4 tld +old= +for i in 0 1 2 3 4 5 6 7 8 9 +do + foo=0 + dig_with_opts @10.53.0.5 ns$i.to-be-removed.tld A > /dev/null + dig_with_opts @10.53.0.5 www.to-be-removed.tld A > dig.ns5.out.${n} + grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || foo=1 + [ $foo = 0 ] && break + $NSUPDATE << EOF +server 10.53.0.6 ${PORT} 
+zone to-be-removed.tld +update add to-be-removed.tld 100 NS ns${i}.to-be-removed.tld +update delete to-be-removed.tld NS ns${old}.to-be-removed.tld +send +EOF + old=$i + sleep 1 +done +[ $ret = 0 ] && ret=$foo; +if [ $ret != 0 ]; then echo_i "failed"; status=1; fi + +n=$((n+1)) +echo_i "check for improved error message with SOA mismatch ($n)" +ret=0 +dig_with_opts @10.53.0.1 www.sub.broken aaaa > dig.out.ns1.test${n} || ret=1 +grep "not subdomain of zone" ns1/named.run > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +copy_setports ns7/named2.conf.in ns7/named.conf +rndccmd 10.53.0.7 reconfig 2>&1 | sed 's/^/ns7 /' | cat_i + +n=$((n+1)) +echo_i "check resolution on the listening port ($n)" +ret=0 +dig_with_opts +tcp +tries=2 +time=5 mx example.net @10.53.0.7 > dig.ns7.out.${n} || ret=2 +grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=1 +grep "ANSWER: 1" dig.ns7.out.${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check prefetch (${n})" +ret=0 +# read prefetch value from config. 
+PREFETCH=$(sed -n "s/[[:space:]]*prefetch \([0-9]\).*/\1/p" ns5/named.conf) +dig_with_opts @10.53.0.5 fetch.tld txt > dig.out.1.${n} || ret=1 +ttl1=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.1.${n}) +interval=$((ttl1 - PREFETCH + 1)) +# sleep so we are in prefetch range +sleep ${interval:-0} +# trigger prefetch +dig_with_opts @10.53.0.5 fetch.tld txt > dig.out.2.${n} || ret=1 +ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n}) +sleep 1 +# check that prefetch occurred +dig_with_opts @10.53.0.5 fetch.tld txt > dig.out.3.${n} || ret=1 +ttl=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.3.${n}) +test "${ttl:-0}" -gt "${ttl2:-1}" || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check prefetch of validated DS's RRSIG TTL is updated (${n})" +ret=0 +dig_with_opts +dnssec @10.53.0.5 ds.example.net ds > dig.out.1.${n} || ret=1 +dsttl1=$(awk '$4 == "DS" && $7 == "2" { print $2 }' dig.out.1.${n}) +interval=$((dsttl1 - PREFETCH + 1)) +# sleep so we are in prefetch range +sleep ${interval:-0} +# trigger prefetch +dig_with_opts @10.53.0.5 ds.example.net ds > dig.out.2.${n} || ret=1 +dsttl2=$(awk '$4 == "DS" && $7 == "2" { print $2 }' dig.out.2.${n}) +sleep 1 +# check that prefetch occurred +dig_with_opts @10.53.0.5 ds.example.net ds +dnssec > dig.out.3.${n} || ret=1 +dsttl=$(awk '$4 == "DS" && $7 == "2" { print $2 }' dig.out.3.${n}) +sigttl=$(awk '$4 == "RRSIG" && $5 == "DS" { print $2 }' dig.out.3.${n}) +test "${dsttl:-0}" -gt "${dsttl2:-1}" || ret=1 +test "${sigttl:-0}" -gt "${dsttl2:-1}" || ret=1 +test "${dsttl:-0}" -eq "${sigttl:-1}" || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check prefetch disabled (${n})" +ret=0 +dig_with_opts @10.53.0.7 fetch.example.net txt > dig.out.1.${n} || ret=1 +ttl1=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.1.${n}) +interval=$((ttl1 - PREFETCH + 1)) +# sleep so we are in expire range +sleep ${interval:-0} 
+tmp_ttl=$ttl1 +no_prefetch() { + # fetch record and ensure its ttl is in range 0 < ttl < tmp_ttl. + # since prefetch is disabled, updated ttl must be a lower value than + # the previous one. + dig_with_opts @10.53.0.7 fetch.example.net txt > dig.out.2.${n} || return 1 + ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n}) + # check that prefetch has not occurred + if [ "$ttl2" -ge "${tmp_ttl}" ]; then + return 1 + fi + tmp_ttl=$ttl2 +} +retry_quiet 3 no_prefetch || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check prefetch qtype * (${n})" +ret=0 +dig_with_opts @10.53.0.5 fetchall.tld any > dig.out.1.${n} || ret=1 +ttl1=$(awk '/"A" "short" "ttl"/ { print $2 - 3 }' dig.out.1.${n}) +# sleep so we are in prefetch range +sleep "${ttl1:-0}" +# trigger prefetch +dig_with_opts @10.53.0.5 fetchall.tld any > dig.out.2.${n} || ret=1 +ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n}) +sleep 1 +# check that prefetch occurred; +# note that only one record is prefetched, which is the TXT record in this case, +# because of the order of the records in the cache +dig_with_opts @10.53.0.5 fetchall.tld any > dig.out.3.${n} || ret=1 +ttl3=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.3.${n}) +test "${ttl3:-0}" -gt "${ttl2:-1}" || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check that E was logged on EDNS queries in the query log (${n})" +ret=0 +dig_with_opts @10.53.0.5 +edns edns.fetchall.tld any > dig.out.2.${n} || ret=1 +grep "query: edns.fetchall.tld IN ANY +E" ns5/named.run > /dev/null || ret=1 +dig_with_opts @10.53.0.5 +noedns noedns.fetchall.tld any > dig.out.2.${n} || ret=1 +grep "query: noedns.fetchall.tld IN ANY" ns5/named.run > /dev/null || ret=1 +grep "query: noedns.fetchall.tld IN ANY +E" ns5/named.run > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check that '-t aaaa' in 
.digrc does not have unexpected side effects ($n)"
+ret=0
+echo "-t aaaa" > .digrc
+(HOME="$(pwd)" dig_with_opts @10.53.0.4 . > dig.out.1.${n}) || ret=1
+(HOME="$(pwd)" dig_with_opts @10.53.0.4 . A > dig.out.2.${n}) || ret=1
+(HOME="$(pwd)" dig_with_opts @10.53.0.4 -x 127.0.0.1 > dig.out.3.${n}) || ret=1
+grep ';\..*IN.*AAAA$' dig.out.1.${n} > /dev/null || ret=1
+grep ';\..*IN.*A$' dig.out.2.${n} > /dev/null || ret=1
+grep 'extra type option' dig.out.2.${n} > /dev/null && ret=1
+grep ';1\.0\.0\.127\.in-addr\.arpa\..*IN.*PTR$' dig.out.3.${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+edns=$($FEATURETEST --edns-version)
+
+n=$((n+1))
+echo_i "check that EDNS version is logged (${n})"
+ret=0
+dig_with_opts @10.53.0.5 +edns edns0.fetchall.tld any > dig.out.2.${n} || ret=1
+grep "query: edns0.fetchall.tld IN ANY +E(0)" ns5/named.run > /dev/null || ret=1
+if test "${edns:-0}" != 0; then
+ dig_with_opts @10.53.0.5 +edns=1 edns1.fetchall.tld any > dig.out.2.${n} || ret=1
+ grep "query: edns1.fetchall.tld IN ANY +E(1)" ns5/named.run > /dev/null || ret=1
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+if test "${edns:-0}" != 0; then
+ n=$((n+1))
+ echo_i "check that edns-version is honoured (${n})"
+ ret=0
+ dig_with_opts @10.53.0.5 +edns no-edns-version.tld > dig.out.1.${n} || ret=1
+ grep "query: no-edns-version.tld IN A -E(1)" ns6/named.run > /dev/null || ret=1
+ dig_with_opts @10.53.0.5 +edns edns-version.tld > dig.out.2.${n} || ret=1
+ grep "query: edns-version.tld IN A -E(0)" ns7/named.run > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+fi
+
+n=$((n+1))
+echo_i "check that CNAME nameserver is logged correctly (${n})"
+ret=0
+dig_with_opts soa all-cnames @10.53.0.5 > dig.out.ns5.test${n} || ret=1
+grep "status: SERVFAIL" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "skipping nameserver 'cname.tld' because it is a CNAME, while resolving 'all-cnames/SOA'" ns5/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that unexpected opcodes are handled correctly (${n})"
+ret=0
+dig_with_opts soa all-cnames @10.53.0.5 +opcode=15 +cd +rec +ad +zflag > dig.out.ns5.test${n} || ret=1
+grep "status: NOTIMP" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "flags:[^;]* qr[; ]" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "flags:[^;]* ra[; ]" dig.out.ns5.test${n} > /dev/null && ret=1
+grep "flags:[^;]* rd[; ]" dig.out.ns5.test${n} > /dev/null && ret=1
+grep "flags:[^;]* cd[; ]" dig.out.ns5.test${n} > /dev/null && ret=1
+grep "flags:[^;]* ad[; ]" dig.out.ns5.test${n} > /dev/null && ret=1
+grep "flags:[^;]*; MBZ: " dig.out.ns5.test${n} > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that EDNS client subnet with non-zeroed bits is handled correctly (${n})"
+ret=0
+# 0001 (IPv4) 1f (31 significant bits) 00 (0) ffffffff (255.255.255.255)
+dig_with_opts soa . @10.53.0.5 +ednsopt=8:00011f00ffffffff > dig.out.ns5.test${n} || ret=1
+grep "status: FORMERR" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "; EDNS: version:" dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that dig +subnet zeros address bits correctly (${n})"
+ret=0
+dig_with_opts soa . @10.53.0.5 +subnet=255.255.255.255/23 > dig.out.ns5.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "CLIENT-SUBNET: 255.255.254.0/23/0" dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that SOA query returns data for delegation-only apex (${n})"
+ret=0
+dig_with_opts soa delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+n=$((n+1))
+
+n=$((n+1))
+echo_i "check that NS query returns data for delegation-only apex (${n})"
+ret=0
+dig_with_opts ns delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that A query returns data for delegation-only A apex (${n})"
+ret=0
+dig_with_opts a delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that CDS query returns data for delegation-only apex (${n})"
+ret=0
+dig_with_opts cds delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that AAAA query returns data for delegation-only AAAA apex (${n})"
+ret=0
+dig_with_opts a delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+n=$((n+1))
+
+echo_i "check that DNSKEY query returns data for delegation-only apex (${n})"
+ret=0
+dig_with_opts dnskey delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that CDNSKEY query returns data for delegation-only apex (${n})"
+ret=0
+dig_with_opts cdnskey delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that NXDOMAIN is returned for delegation-only non-apex A data (${n})"
+ret=0
+dig_with_opts a a.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
+grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that NXDOMAIN is returned for delegation-only non-apex CDS data (${n})"
+ret=0
+dig_with_opts cds cds.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
+grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that NXDOMAIN is returned for delegation-only non-apex AAAA data (${n})"
+ret=0
+dig_with_opts aaaa aaaa.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
+grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+n=$((n+1))
+
+echo_i "check that NXDOMAIN is returned for delegation-only non-apex CDNSKEY data (${n})"
+ret=0
+dig_with_opts cdnskey cdnskey.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
+grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check zero ttl not returned for learnt non zero ttl records (${n})"
+ret=0
+# use prefetch disabled server
+dig_with_opts @10.53.0.7 non-zero.example.net txt > dig.out.1.${n} || ret=1
+ttl1=$(awk '/"A" "short" "ttl"/ { print $2 - 2 }' dig.out.1.${n})
+# sleep so we are in expire range
+sleep "${ttl1:-0}"
+# look for ttl = 1, allow for one miss at getting zero ttl
+zerotonine="0 1 2 3 4 5 6 7 8 9"
+zerotonine="$zerotonine $zerotonine $zerotonine"
+for i in $zerotonine $zerotonine $zerotonine $zerotonine
+do
+ dig_with_opts @10.53.0.7 non-zero.example.net txt > dig.out.2.${n} || ret=1
+ ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n})
+ test "${ttl2:-1}" -eq 0 && break
+ test "${ttl2:-1}" -ge "${ttl1:-0}" && break
+ "${PERL}" -e 'select(undef, undef, undef, 0.05);'
+done
+test "${ttl2:-1}" -eq 0 && ret=1
+test "${ttl2:-1}" -ge "${ttl1:-0}" || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check zero ttl is returned for learnt zero ttl records (${n})"
+ret=0
+dig_with_opts @10.53.0.7 zero.example.net txt > dig.out.1.${n} || ret=1
+ttl=$(awk '/"A" "zero" "ttl"/ { print $2 }' dig.out.1.${n})
+test "${ttl:-1}" -eq 0 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that 'ad' in not returned in truncated answer with empty answer and authority sections to request with +ad (${n})"
+ret=0
+dig_with_opts @10.53.0.6 dnskey ds.example.net +bufsize=512 +ad +nodnssec +ignore +norec > dig.out.$n
+grep "flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0" dig.out.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that 'ad' in not returned in truncated answer with empty answer and authority sections to request with +dnssec (${n})"
+ret=0
+dig_with_opts @10.53.0.6 dnskey ds.example.net +bufsize=512 +noad +dnssec +ignore +norec > dig.out.$n
+grep "flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0" dig.out.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that the resolver accepts a reply with empty question section with TC=1 and retries over TCP ($n)"
+ret=0
+dig_with_opts @10.53.0.5 truncated.no-questions. a +tries=3 +time=4 > dig.ns5.out.${n} || ret=1
+grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1
+grep "ANSWER: 1," dig.ns5.out.${n} > /dev/null || ret=1
+grep "1\.2\.3\.4" dig.ns5.out.${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that the resolver rejects a reply with empty question section with TC=0 ($n)"
+ret=0
+dig_with_opts @10.53.0.5 not-truncated.no-questions. a +tries=3 +time=4 > dig.ns5.out.${n} || ret=1
+grep "status: NOERROR" dig.ns5.out.${n} > /dev/null && ret=1
+grep "ANSWER: 1," dig.ns5.out.${n} > /dev/null && ret=1
+grep "1\.2\.3\.4" dig.ns5.out.${n} > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+if ${FEATURETEST} --enable-querytrace; then
+ n=$((n+1))
+ echo_i "check that SERVFAIL is returned for an empty question section via TCP ($n)"
+ ret=0
+ nextpart ns5/named.run > /dev/null
+ # bind to local address so that addresses in log messages are consistent
+ # between platforms
+ dig_with_opts @10.53.0.5 -b 10.53.0.5 tcpalso.no-questions. a +tries=2 +timeout=15 > dig.ns5.out.${n} || ret=1
+ grep "status: SERVFAIL" dig.ns5.out.${n} > /dev/null || ret=1
+ check_namedrun() {
+ nextpartpeek ns5/named.run > nextpart.out.${n}
+ grep 'resolving tcpalso.no-questions/A for [^:]*: empty question section, accepting it anyway as TC=1' nextpart.out.${n} > /dev/null || return 1
+ grep '(tcpalso.no-questions/A): connecting via TCP' nextpart.out.${n} > /dev/null || return 1
+ grep 'resolving tcpalso.no-questions/A for [^:]*: empty question section$' nextpart.out.${n} > /dev/null || return 1
+ grep '(tcpalso.no-questions/A): nextitem' nextpart.out.${n} > /dev/null || return 1
+ return 0
+ }
+ retry_quiet 12 check_namedrun || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+fi
+
+n=$((n+1))
+echo_i "checking SERVFAIL is returned when all authoritative servers return FORMERR ($n)"
+ret=0
+dig_with_opts @10.53.0.5 ns.formerr-to-all. a > dig.ns5.out.${n} || ret=1
+grep "status: SERVFAIL" dig.ns5.out.${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "checking SERVFAIL is not returned if only some authoritative servers return FORMERR ($n)"
+ret=0
+dig_with_opts @10.53.0.5 ns.partial-formerr. a > dig.ns5.out.${n} || ret=1
+grep "status: SERVFAIL" dig.ns5.out.${n} > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check logged command line ($n)"
+ret=0
+grep "running as: .* -m record " ns1/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "checking NXDOMAIN is returned when querying non existing domain in CH class ($n)"
+ret=0
+dig_with_opts @10.53.0.1 id.hostname txt ch > dig.ns1.out.${n} || ret=1
+grep "status: NXDOMAIN" dig.ns1.out.${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that the addition section for HTTPS is populated on initial query to a recursive server ($n)"
+ret=0
+dig_with_opts @10.53.0.7 www.example.net https > dig.out.ns7.${n} || ret=1
+grep "status: NOERROR" dig.out.ns7.${n} > /dev/null || ret=1
+grep "flags:[^;]* ra[ ;]" dig.out.ns7.${n} > /dev/null || ret=1
+grep "ADDITIONAL: 2" dig.out.ns7.${n} > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns7.${n} > /dev/null || ret=1
+grep "http-server\.example\.net\..*A.*10\.53\.0\.6" dig.out.ns7.${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check HTTPS loop is handled properly ($n)"
+ret=0
+dig_with_opts @10.53.0.7 https-loop.example.net https > dig.out.ns7.${n} || ret=1
+grep "status: NOERROR" dig.out.ns7.${n} > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns7.${n} > /dev/null || ret=1
+grep "ADDITIONAL: 2" dig.out.ns7.${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check HTTPS -> CNAME loop is handled properly ($n)"
+ret=0
+dig_with_opts @10.53.0.7 https-cname-loop.example.net https > dig.out.ns7.${n} || ret=1
+grep "status: NOERROR" dig.out.ns7.${n} > /dev/null || ret=1
+grep "ADDITIONAL: 2" dig.out.ns7.${n} > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns7.${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check HTTPS cname chains are followed ($n)"
+ret=0
+dig_with_opts @10.53.0.7 https-cname.example.net https > dig.out.ns7.${n} || ret=1
+grep "status: NOERROR" dig.out.ns7.${n} > /dev/null || ret=1
+grep "ADDITIONAL: 4" dig.out.ns7.${n} > /dev/null || ret=1
+grep 'http-server\.example\.net\..*A.10\.53\.0\.6' dig.out.ns7.${n} > /dev/null || ret=1
+grep 'cname-server\.example\.net\..*CNAME.cname-next\.example\.net\.' dig.out.ns7.${n} > /dev/null || ret=1
+grep 'cname-next\.example\.net\..*CNAME.http-server\.example\.net\.' dig.out.ns7.${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check ADB find loops are detected ($n)"
+ret=0
+dig_with_opts +tcp +tries=1 +timeout=5 @10.53.0.1 fake.lame.example.org > dig.out.ns1.${n} || ret=1
+grep "status: SERVFAIL" dig.out.ns1.${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check handling of large referrals to unresponsive name servers ($n)"
+ret=0
+dig_with_opts +timeout=15 large-referral.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
+grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1
+# Check the total number of findname() calls triggered by a single query
+# for large-referral.example.net/A.
+findname_call_count="$(grep -c "large-referral\.example\.net.*FINDNAME" ns1/named.run || true)"
+if [ "${findname_call_count}" -gt 1000 ]; then
+ echo_i "failed: ${findname_call_count} (> 1000) findname() calls detected for large-referral.example.net"
+ ret=1
+fi
+# Check whether the limit of NS RRs processed for any delegation
+# encountered was not exceeded.
+if grep -Eq "dns_adb_createfind: started (A|AAAA) fetch for name ns21.fake.redirect.com" ns1/named.run; then
+ echo_i "failed: unexpected address fetch(es) were triggered for ns21.fake.redirect.com"
+ ret=1
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "checking query resolution for a domain with a valid glueless delegation chain ($n)"
+ret=0
+rndccmd 10.53.0.1 flush || ret=1
+dig_with_opts foo.bar.sub.tld1 @10.53.0.1 TXT > dig.out.ns1.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1
+grep "IN.*TXT.*baz" dig.out.ns1.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that correct namespace is chosen for dual-stack-servers ($n)"
+ret=0
+#
+# The two priming queries are needed until we fix dual-stack-servers fully
+#
+dig_with_opts @fd92:7065:b8e:ffff::9 v4.nameserver A > dig.out.prime1.${n} || ret=1
+dig_with_opts @fd92:7065:b8e:ffff::9 v4.nameserver AAAA > dig.out.prime2.${n} || ret=1
+dig_with_opts @fd92:7065:b8e:ffff::9 foo.v4only.net A > dig.out.ns9.${n} || ret=1
+grep "status: NOERROR" dig.out.ns9.${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check expired TTLs with qtype * (${n})"
+ret=0
+dig_with_opts +tcp @10.53.0.5 mixedttl.tld any > dig.out.1.${n} || ret=1
+ttl1=$(awk '$1 == "mixedttl.tld." && $4 == "A" { print $2 + 1 }' dig.out.1.${n})
+# sleep TTL + 1 so that record has expired
+sleep "${ttl1:-0}"
+dig_with_opts +tcp @10.53.0.5 mixedttl.tld any > dig.out.2.${n} || ret=1
+# check preconditions
+grep "ANSWER: 3," dig.out.1.${n} > /dev/null || ret=1
+lines=$(awk '$1 == "mixedttl.tld." && $2 > 30 { print }' dig.out.1.${n} | wc -l)
+test ${lines:-1} -ne 0 && ret=1
+# check behaviour (there may be 1 answer on very slow machines)
+grep "ANSWER: [12]," dig.out.2.${n} > /dev/null || ret=1
+lines=$(awk '$1 == "mixedttl.tld." && $2 > 30 { print }' dig.out.2.${n} | wc -l)
+test ${lines:-1} -ne 0 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+
+n=$((n+1))
+echo_i "check resolver behavior when FORMERR for EDNS options happens (${n})"
+ret=0
+msg="resolving options-formerr/A .* server sent FORMERR with echoed DNS COOKIE"
+if [ $ret != 0 ]; then echo_i "failed"; fi
+nextpart ns5/named.run >/dev/null
+dig_with_opts +tcp @10.53.0.5 options-formerr A > dig.out.${n} || ret=1
+grep "status: NOERROR" dig.out.${n} > /dev/null || ret=1
+nextpart ns5/named.run | grep "$msg" > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+
+status=$((status + ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/resolver/tests_sh_resolver.py b/bin/tests/system/resolver/tests_sh_resolver.py
new file mode 100644
index 0000000..d8de300
--- /dev/null
+++ b/bin/tests/system/resolver/tests_sh_resolver.py
@@ -0,0 +1,14 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+
+def test_resolver(run_tests_sh):
+ run_tests_sh()
|
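Review bot: test_resolver in tests_sh_resolver.py has no docstring, so a reader of the pytest collection sees only a bare call to the run_tests_sh fixture and has to go elsewhere to learn where the real assertions live. A one-line docstring such as `"""Run the shell-based resolver system test (tests.sh) via the run_tests_sh fixture."""` would make that explicit at the test itself. Whether a non-zero exit from tests.sh is turned into a pytest failure depends on the fixture, which is defined outside this diff.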