diff options
Diffstat (limited to '')
-rw-r--r-- | bin/tests/system/rrl/broken.conf.in | 47 | ||||
-rw-r--r-- | bin/tests/system/rrl/clean.sh | 23 | ||||
-rw-r--r-- | bin/tests/system/rrl/ns1/named.conf.in | 28 | ||||
-rw-r--r-- | bin/tests/system/rrl/ns1/root.db | 27 | ||||
-rw-r--r-- | bin/tests/system/rrl/ns2/hints | 13 | ||||
-rw-r--r-- | bin/tests/system/rrl/ns2/named.conf.in | 65 | ||||
-rw-r--r-- | bin/tests/system/rrl/ns2/tld2.db | 42 | ||||
-rw-r--r-- | bin/tests/system/rrl/ns3/hints | 13 | ||||
-rw-r--r-- | bin/tests/system/rrl/ns3/named.conf.in | 48 | ||||
-rw-r--r-- | bin/tests/system/rrl/ns3/tld3.db | 20 | ||||
-rw-r--r-- | bin/tests/system/rrl/ns4/hints | 13 | ||||
-rw-r--r-- | bin/tests/system/rrl/ns4/named.conf.in | 67 | ||||
-rw-r--r-- | bin/tests/system/rrl/ns4/tld4.db | 45 | ||||
-rw-r--r-- | bin/tests/system/rrl/setup.sh | 22 | ||||
-rw-r--r-- | bin/tests/system/rrl/tests.sh | 290 | ||||
-rw-r--r-- | bin/tests/system/rrl/tests_sh_rrl.py | 18 |
16 files changed, 781 insertions, 0 deletions
diff --git a/bin/tests/system/rrl/broken.conf.in b/bin/tests/system/rrl/broken.conf.in new file mode 100644 index 0000000..956593a --- /dev/null +++ b/bin/tests/system/rrl/broken.conf.in @@ -0,0 +1,47 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port @PORT@; + pid-file "named.pid"; + statistics-file "named.stats"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + notify no; + dnssec-validation no; + + rate-limit { + responses-per-second 2; + all-per-second 50; + slip 3; + exempt-clients { 10.53.0.7; }; + log-only yes; + + min-table-size 0; + max-table-size 0; + }; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; +controls { + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + diff --git a/bin/tests/system/rrl/clean.sh b/bin/tests/system/rrl/clean.sh new file mode 100644 index 0000000..739366a --- /dev/null +++ b/bin/tests/system/rrl/clean.sh @@ -0,0 +1,23 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# Clean up after rrl tests. + +rm -f dig.out* *mdig.out* +rm -f */named.memstats */named.run */named.stats */log-* */session.key +rm -f ns3/bl*.db */*.jnl */*.core */*.pid +rm -f ns*/named.lock +rm -f ns*/named.conf +rm -f broken.conf +rm -f broken.out +rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/rrl/ns1/named.conf.in b/bin/tests/system/rrl/ns1/named.conf.in new file mode 100644 index 0000000..e4da6ef --- /dev/null +++ b/bin/tests/system/rrl/ns1/named.conf.in @@ -0,0 +1,28 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + session-keyfile "session.key"; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + notify no; + recursion yes; + dnssec-validation yes; +}; + +zone "." {type primary; file "root.db";}; diff --git a/bin/tests/system/rrl/ns1/root.db b/bin/tests/system/rrl/ns1/root.db new file mode 100644 index 0000000..68265fe --- /dev/null +++ b/bin/tests/system/rrl/ns1/root.db @@ -0,0 +1,27 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 120 +@ SOA ns. hostmaster.ns. ( 1 3600 1200 604800 60 ) +@ NS ns. +ns. A 10.53.0.1 +. A 10.53.0.1 + +; limit responses from here +tld2. NS ns.tld2. +ns.tld2. A 10.53.0.2 + +; limit recursion to here +tld3. NS ns.tld3. +ns.tld3. A 10.53.0.3 + +; generate SERVFAIL +tld4. NS ns.tld3. diff --git a/bin/tests/system/rrl/ns2/hints b/bin/tests/system/rrl/ns2/hints new file mode 100644 index 0000000..a1d435e --- /dev/null +++ b/bin/tests/system/rrl/ns2/hints @@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +. 0 NS ns1. +ns1. 0 A 10.53.0.1 diff --git a/bin/tests/system/rrl/ns2/named.conf.in b/bin/tests/system/rrl/ns2/named.conf.in new file mode 100644 index 0000000..abe4f9c --- /dev/null +++ b/bin/tests/system/rrl/ns2/named.conf.in @@ -0,0 +1,65 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + session-keyfile "session.key"; + pid-file "named.pid"; + statistics-file "named.stats"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + notify no; + recursion yes; + dnssec-validation yes; + + rate-limit { + responses-per-second 2; + all-per-second 50; + slip 3; + exempt-clients { 10.53.0.7; }; + + // small enough to force a table expansion + min-table-size 75; + }; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +/* + * These log settings have no effect unless "-g" is removed from ../../start.pl + */ +logging { + channel debug { + file "log-debug"; + print-category yes; print-severity yes; severity debug 10; + }; + channel queries { + file "log-queries"; + print-category yes; print-severity yes; severity info; + }; + category rate-limit { debug; queries; }; + category queries { debug; queries; }; +}; + +zone "." { type hint; file "hints"; }; + +zone "tld2."{ type primary; file "tld2.db"; }; diff --git a/bin/tests/system/rrl/ns2/tld2.db b/bin/tests/system/rrl/ns2/tld2.db new file mode 100644 index 0000000..a1a832b --- /dev/null +++ b/bin/tests/system/rrl/ns2/tld2.db @@ -0,0 +1,42 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; rate limit response from this zone + +$TTL 120 +@ SOA tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 ) + NS ns + NS . +ns A 10.53.0.2 + +; basic rate limiting +a1 A 192.0.2.1 + +; wildcards +*.a2 A 192.0.2.2 + +; a3 is in tld3 + +; a4 does not exist to give NXDOMAIN + +; a5 for TCP requests +a5 A 192.0.2.5 + +; a6 for whitelisted clients +a6 A 192.0.2.6 + +; a7 for SERVFAIL + +; a8 for NODATA +a8 A 192.0.2.8 + +; a9 for all-per-second limit +$GENERATE 101-180 all$.a9 A 192.0.2.8 diff --git a/bin/tests/system/rrl/ns3/hints b/bin/tests/system/rrl/ns3/hints new file mode 100644 index 0000000..a1d435e --- /dev/null +++ b/bin/tests/system/rrl/ns3/hints @@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +. 0 NS ns1. +ns1. 0 A 10.53.0.1 diff --git a/bin/tests/system/rrl/ns3/named.conf.in b/bin/tests/system/rrl/ns3/named.conf.in new file mode 100644 index 0000000..8807f44 --- /dev/null +++ b/bin/tests/system/rrl/ns3/named.conf.in @@ -0,0 +1,48 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + session-keyfile "session.key"; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + notify no; + recursion yes; + dnssec-validation yes; + + // check that all of the options are parsed without limiting anything + rate-limit { + responses-per-second 200; + referrals-per-second 220; + nodata-per-second 230; + nxdomains-per-second 240; + errors-per-second 250; + all-per-second 700; + ipv4-prefix-length 24; + ipv6-prefix-length 64; + qps-scale 10; + window 1; + max-table-size 1000; + log-only no; + min-table-size 0; + }; + +}; + +zone "." { type hint; file "hints"; }; + +zone "tld3."{ type primary; file "tld3.db"; }; diff --git a/bin/tests/system/rrl/ns3/tld3.db b/bin/tests/system/rrl/ns3/tld3.db new file mode 100644 index 0000000..a534c6e --- /dev/null +++ b/bin/tests/system/rrl/ns3/tld3.db @@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; rate limit response from this zone + +$TTL 120 +@ SOA tld3. hostmaster.ns.tld3. ( 1 3600 1200 604800 60 ) + NS ns + NS . +ns A 10.53.0.3 + +*.a3 A 192.0.3.3 diff --git a/bin/tests/system/rrl/ns4/hints b/bin/tests/system/rrl/ns4/hints new file mode 100644 index 0000000..a1d435e --- /dev/null +++ b/bin/tests/system/rrl/ns4/hints @@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +. 0 NS ns1. +ns1. 0 A 10.53.0.1 diff --git a/bin/tests/system/rrl/ns4/named.conf.in b/bin/tests/system/rrl/ns4/named.conf.in new file mode 100644 index 0000000..3cd598e --- /dev/null +++ b/bin/tests/system/rrl/ns4/named.conf.in @@ -0,0 +1,67 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + session-keyfile "session.key"; + pid-file "named.pid"; + statistics-file "named.stats"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + notify no; + recursion yes; + dnssec-validation yes; + max-udp-size 4096; + + rate-limit { + responses-per-second 2; + all-per-second 50; + slip 3; + exempt-clients { 10.53.0.7; }; + log-only yes; + + // small enough to force a table expansion + min-table-size 75; + }; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; +controls { + inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +/* + * These log settings have no effect unless "-g" is removed from ../../start.pl + */ +logging { + channel debug { + file "log-debug"; + print-category yes; print-severity yes; severity debug 10; + }; + channel queries { + file "log-queries"; + print-category yes; print-severity yes; severity info; + }; + category rate-limit { debug; queries; }; + category queries { debug; queries; }; +}; + +zone "." { type hint; file "hints"; }; + +zone "tld4."{ type primary; file "tld4.db"; }; diff --git a/bin/tests/system/rrl/ns4/tld4.db b/bin/tests/system/rrl/ns4/tld4.db new file mode 100644 index 0000000..a7bc319 --- /dev/null +++ b/bin/tests/system/rrl/ns4/tld4.db @@ -0,0 +1,45 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; rate limit response from this zone + +$TTL 120 +@ SOA tld4. hostmaster.ns.tld4. ( 1 3600 1200 604800 60 ) + NS ns + NS . +ns A 10.53.0.2 + +; basic rate limiting +a1 A 192.0.2.1 + +; wildcards +*.a2 A 192.0.2.2 + +; a3 is in tld3 + +; a4 does not exist to give NXDOMAIN + +; a5 for TCP requests +a5 A 192.0.2.5 + +; a6 for whitelisted clients +a6 A 192.0.2.6 + +; a7 for SERVFAIL + +; a8 for NODATA +a8 A 192.0.2.8 + +; a9 for all-per-second limit +$GENERATE 101-180 all$.a9 A 192.0.2.8 + +; oversized TXT record +$GENERATE 1-100 big 1 TXT "txt$" diff --git a/bin/tests/system/rrl/setup.sh b/bin/tests/system/rrl/setup.sh new file mode 100644 index 0000000..752b02c --- /dev/null +++ b/bin/tests/system/rrl/setup.sh @@ -0,0 +1,22 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +$SHELL clean.sh + +copy_setports broken.conf.in broken.conf +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns3/named.conf.in ns3/named.conf +copy_setports ns4/named.conf.in ns4/named.conf diff --git a/bin/tests/system/rrl/tests.sh b/bin/tests/system/rrl/tests.sh new file mode 100644 index 0000000..9465b93 --- /dev/null +++ b/bin/tests/system/rrl/tests.sh @@ -0,0 +1,290 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +# test response rate limiting + +. ../conf.sh + +RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" + +#set -x + +ns1=10.53.0.1 # root, defining the others +ns2=10.53.0.2 # test server +ns3=10.53.0.3 # secondary test server +ns4=10.53.0.4 # log-only test server +ns7=10.53.0.7 # whitelisted client + +USAGE="$0: [-x]" +while getopts "x" c; do + case $c in + x) set -x;; + *) echo "$USAGE" 1>&2; exit 1;; + esac +done +shift $((OPTIND - 1)) +if test "$#" -ne 0; then + echo "$USAGE" 1>&2 + exit 1 +fi +# really quit on control-C +trap 'exit 1' 1 2 15 + + +ret=0 +setret () { + ret=1 + echo_i "$*" +} + + +# Wait until soon after the start of a second to make results consistent. +# The start of a second credits a rate limit. +# This would be far easier in C or by assuming a modern version of perl. +sec_start () { + START=$(date) + while true; do + NOW=$(date) + if test "$START" != "$NOW"; then + return + fi + $PERL -e 'select(undef, undef, undef, 0.05)' || true + done +} + + +# turn off ${HOME}/.digrc +HOME=/dev/null; export HOME + +# $1=number of tests $2=target domain $3=dig options +QNUM=1 +burst () { + BURST_LIMIT=$1; shift + BURST_DOM_BASE="$1"; shift + + XCNT=$CNT + CNT='XXX' + eval FILENAME="mdig.out-$BURST_DOM_BASE" + CNT=$XCNT + + DOMS="" + CNTS=$($PERL -e 'for ( $i = 0; $i < '$BURST_LIMIT'; $i++) { printf "%03d\n", '$QNUM' + $i; }') + for CNT in $CNTS + do + eval BURST_DOM="$BURST_DOM_BASE" + DOMS="$DOMS $BURST_DOM" + done + ARGS="+burst +nocookie +continue +time=1 +tries=1 -p ${PORT} $* @$ns2 $DOMS" + $MDIG $ARGS 2>&1 | \ + tee -a full-$FILENAME | \ + sed -n -e '/^;; AUTHORITY/,/^$/d' \ + -e '/^;; ADDITIONAL/,/^$/d' \ + -e 's/^[^;].* \([^ ]\{1,\}\)$/\1/p' \ + -e 's/;; flags.* tc .*/TC/p' \ + -e 's/;; .* status: NXDOMAIN.*/NXDOMAIN/p' \ + -e 's/;; .* status: NOERROR.*/NOERROR/p' \ + -e 's/;; .* status: SERVFAIL.*/SERVFAIL/p' \ + -e 's/response failed with timed out.*/drop/p' \ + -e 's/;; communications error to.*/drop/p' >> $FILENAME & + QNUM=$((QNUM + BURST_LIMIT)) +} + +# compare integers $1 and $2; ensure the difference is no more than $3 +range () { + $PERL -e 'if (abs(int($ARGV[0]) - int($ARGV[1])) > int($ARGV[2])) { exit(1) }' $1 $2 $3 +} + +# $1=domain $2=IP address $3=# of IP addresses $4=TC $5=drop +# $6=NXDOMAIN $7=SERVFAIL or other errors +ck_result() { + # wait to the background mdig calls to complete. + wait + BAD=no + ADDRS=$(grep -E "^$2$" mdig.out-$1 2>/dev/null | wc -l) + # count simple truncated and truncated NXDOMAIN as TC + TC=$(grep -E "^TC|NXDOMAINTC$" mdig.out-$1 2>/dev/null | wc -l) + DROP=$(grep -E "^drop$" mdig.out-$1 2>/dev/null | wc -l) + # count NXDOMAIN and truncated NXDOMAIN as NXDOMAIN + NXDOMAIN=$(grep -E "^NXDOMAIN|NXDOMAINTC$" mdig.out-$1 2>/dev/null | wc -l) + SERVFAIL=$(grep -E "^SERVFAIL$" mdig.out-$1 2>/dev/null | wc -l) + NOERROR=$(grep -E "^NOERROR$" mdig.out-$1 2>/dev/null | wc -l) + + range $ADDRS "$3" 1 || + setret "$ADDRS instead of $3 '$2' responses for $1" && + BAD=yes + + range $TC "$4" 1 || + setret "$TC instead of $4 truncation responses for $1" && + BAD=yes + + range $DROP "$5" 1 || + setret "$DROP instead of $5 dropped responses for $1" && + BAD=yes + + range $NXDOMAIN "$6" 1 || + setret "$NXDOMAIN instead of $6 NXDOMAIN responses for $1" && + BAD=yes + + range $SERVFAIL "$7" 1 || + setret "$SERVFAIL instead of $7 error responses for $1" && + BAD=yes + + range $NOERROR "$8" 1 || + setret "$NOERROR instead of $8 NOERROR responses for $1" && + BAD=yes + + if test -z "$BAD"; then + rm -f mdig.out-$1 + fi +} + + +ckstats () { + LABEL="$1"; shift + TYPE="$1"; shift + EXPECTED="$1"; shift + C=$(cat ns2/named.stats | + sed -n -e "s/[ ]*\([0-9]*\).responses $TYPE for rate limits.*/\1/p" | + tail -1) + C=$((C)) + + range "$C" $EXPECTED 1 || + setret "wrong $LABEL $TYPE statistics of $C instead of $EXPECTED" +} + + +######### +sec_start + +# Tests of referrals to "." must be done before the hints are loaded. +burst 5 a1.tld3 +norec +# basic rate limiting +burst 3 a1.tld2 +# delay allows an additional response. +sleep 1 +burst 10 a1.tld2 +# Request 30 different qnames to try a wildcard. +burst 30 'y.x$CNT.a2.tld2' + +# IP TC drop NXDOMAIN SERVFAIL NOERROR +# referrals to "." +ck_result a1.tld3 x 0 1 2 0 0 2 +# check 13 results including 1 second delay that allows an additional response +ck_result a1.tld2 192.0.2.1 3 4 6 0 0 8 + +# Check the wildcard answers. +# The zone origin name of the 30 requests is counted. +ck_result 'y.x*.a2.tld2' 192.0.2.2 2 10 18 0 0 12 + +######### +sec_start + +burst 10 'x.a3.tld3' +burst 10 'y$CNT.a3.tld3' +burst 10 'z$CNT.a4.tld2' + +# 10 identical recursive responses are limited +ck_result 'x.a3.tld3' 192.0.3.3 2 3 5 0 0 5 + +# 10 different recursive responses are not limited +ck_result 'y*.a3.tld3' 192.0.3.3 10 0 0 0 0 10 + +# 10 different NXDOMAIN responses are limited based on the parent name. +# We count 13 responses because we count truncated NXDOMAIN responses +# as both truncated and NXDOMAIN. +ck_result 'z*.a4.tld2' x 0 3 5 5 0 0 + +$RNDCCMD $ns2 stats +ckstats first dropped 36 +ckstats first truncated 21 + + +######### +sec_start + +burst 10 a5.tld2 +tcp +burst 10 a6.tld2 -b $ns7 +burst 10 a7.tld4 +burst 2 a8.tld2 -t AAAA +burst 2 a8.tld2 -t TXT +burst 2 a8.tld2 -t SPF + +# IP TC drop NXDOMAIN SERVFAIL NOERROR +# TCP responses are not rate limited +ck_result a5.tld2 192.0.2.5 10 0 0 0 0 10 + +# whitelisted client is not rate limited +ck_result a6.tld2 192.0.2.6 10 0 0 0 0 10 + +# Errors such as SERVFAIL are rate limited. +ck_result a7.tld4 x 0 0 8 0 2 0 + +# NODATA responses are counted as the same regardless of qtype. +ck_result a8.tld2 x 0 2 2 0 0 4 + +$RNDCCMD $ns2 stats +ckstats second dropped 46 +ckstats second truncated 23 + + +######### +sec_start + +# IP TC drop NXDOMAIN SERVFAIL NOERROR +# all-per-second +# The qnames are all unique but the client IP address is constant. +QNUM=101 +burst 60 'all$CNT.a9.tld2' + +ck_result 'a*.a9.tld2' 192.0.2.8 50 0 10 0 0 50 + +$RNDCCMD $ns2 stats +ckstats final dropped 56 +ckstats final truncated 23 + +######### +sec_start + +DIGOPTS="+nocookie +nosearch +time=1 +tries=1 +ignore -p ${PORT}" +$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 + +# regression test for GL #2839 +DIGOPTS="+bufsize=4096 +ignore -p ${PORT}" +$DIG $DIGOPTS @$ns4 TXT big.tld4 > /dev/null 2>&1 + +grep "would limit" ns4/named.run >/dev/null 2>&1 || +setret "\"would limit\" not found in log file." + +$NAMED -D rrl-ns5 -gc broken.conf > broken.out 2>&1 & +sleep 2 +grep "min-table-size 1" broken.out > /dev/null || setret "min-table-size 0 was not changed to 1" + +if [ -f named.pid ]; then + kill $(cat named.pid) + setret "named should not have started, but did" +fi + +echo_i "exit status: $ret" +[ $ret -eq 0 ] || exit 1 diff --git a/bin/tests/system/rrl/tests_sh_rrl.py b/bin/tests/system/rrl/tests_sh_rrl.py new file mode 100644 index 0000000..05b43a6 --- /dev/null +++ b/bin/tests/system/rrl/tests_sh_rrl.py @@ -0,0 +1,18 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +import pytest_custom_markers + + +# The rrl is known to be quite unstable. GL #172 +@pytest_custom_markers.flaky(max_runs=2) +def test_rrl(run_tests_sh): + run_tests_sh() |