summaryrefslogtreecommitdiffstats
path: root/bin/tests/system/rrl
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--bin/tests/system/rrl/broken.conf.in47
-rw-r--r--bin/tests/system/rrl/clean.sh23
-rw-r--r--bin/tests/system/rrl/ns1/named.conf.in28
-rw-r--r--bin/tests/system/rrl/ns1/root.db27
-rw-r--r--bin/tests/system/rrl/ns2/hints13
-rw-r--r--bin/tests/system/rrl/ns2/named.conf.in65
-rw-r--r--bin/tests/system/rrl/ns2/tld2.db42
-rw-r--r--bin/tests/system/rrl/ns3/hints13
-rw-r--r--bin/tests/system/rrl/ns3/named.conf.in48
-rw-r--r--bin/tests/system/rrl/ns3/tld3.db20
-rw-r--r--bin/tests/system/rrl/ns4/hints13
-rw-r--r--bin/tests/system/rrl/ns4/named.conf.in67
-rw-r--r--bin/tests/system/rrl/ns4/tld4.db45
-rw-r--r--bin/tests/system/rrl/setup.sh22
-rw-r--r--bin/tests/system/rrl/tests.sh290
-rw-r--r--bin/tests/system/rrl/tests_sh_rrl.py18
16 files changed, 781 insertions, 0 deletions
diff --git a/bin/tests/system/rrl/broken.conf.in b/bin/tests/system/rrl/broken.conf.in
new file mode 100644
index 0000000..956593a
--- /dev/null
+++ b/bin/tests/system/rrl/broken.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ statistics-file "named.stats";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ notify no;
+ dnssec-validation no;
+
+ rate-limit {
+ responses-per-second 2;
+ all-per-second 50;
+ slip 3;
+ exempt-clients { 10.53.0.7; };
+ log-only yes;
+
+ min-table-size 0;
+ max-table-size 0;
+ };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
diff --git a/bin/tests/system/rrl/clean.sh b/bin/tests/system/rrl/clean.sh
new file mode 100644
index 0000000..739366a
--- /dev/null
+++ b/bin/tests/system/rrl/clean.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Clean up after rrl tests.
+
+rm -f dig.out* *mdig.out*
+rm -f */named.memstats */named.run */named.stats */log-* */session.key
+rm -f ns3/bl*.db */*.jnl */*.core */*.pid
+rm -f ns*/named.lock
+rm -f ns*/named.conf
+rm -f broken.conf
+rm -f broken.out
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/rrl/ns1/named.conf.in b/bin/tests/system/rrl/ns1/named.conf.in
new file mode 100644
index 0000000..e4da6ef
--- /dev/null
+++ b/bin/tests/system/rrl/ns1/named.conf.in
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ session-keyfile "session.key";
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ notify no;
+ recursion yes;
+ dnssec-validation yes;
+};
+
+zone "." {type primary; file "root.db";};
diff --git a/bin/tests/system/rrl/ns1/root.db b/bin/tests/system/rrl/ns1/root.db
new file mode 100644
index 0000000..68265fe
--- /dev/null
+++ b/bin/tests/system/rrl/ns1/root.db
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 120
+@ SOA ns. hostmaster.ns. ( 1 3600 1200 604800 60 )
+@ NS ns.
+ns. A 10.53.0.1
+. A 10.53.0.1
+
+; limit responses from here
+tld2. NS ns.tld2.
+ns.tld2. A 10.53.0.2
+
+; limit recursion to here
+tld3. NS ns.tld3.
+ns.tld3. A 10.53.0.3
+
+; generate SERVFAIL
+tld4. NS ns.tld3.
diff --git a/bin/tests/system/rrl/ns2/hints b/bin/tests/system/rrl/ns2/hints
new file mode 100644
index 0000000..a1d435e
--- /dev/null
+++ b/bin/tests/system/rrl/ns2/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 0 NS ns1.
+ns1. 0 A 10.53.0.1
diff --git a/bin/tests/system/rrl/ns2/named.conf.in b/bin/tests/system/rrl/ns2/named.conf.in
new file mode 100644
index 0000000..abe4f9c
--- /dev/null
+++ b/bin/tests/system/rrl/ns2/named.conf.in
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ session-keyfile "session.key";
+ pid-file "named.pid";
+ statistics-file "named.stats";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ notify no;
+ recursion yes;
+ dnssec-validation yes;
+
+ rate-limit {
+ responses-per-second 2;
+ all-per-second 50;
+ slip 3;
+ exempt-clients { 10.53.0.7; };
+
+ // small enough to force a table expansion
+ min-table-size 75;
+ };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/*
+ * These log settings have no effect unless "-g" is removed from ../../start.pl
+ */
+logging {
+ channel debug {
+ file "log-debug";
+ print-category yes; print-severity yes; severity debug 10;
+ };
+ channel queries {
+ file "log-queries";
+ print-category yes; print-severity yes; severity info;
+ };
+ category rate-limit { debug; queries; };
+ category queries { debug; queries; };
+};
+
+zone "." { type hint; file "hints"; };
+
+zone "tld2."{ type primary; file "tld2.db"; };
diff --git a/bin/tests/system/rrl/ns2/tld2.db b/bin/tests/system/rrl/ns2/tld2.db
new file mode 100644
index 0000000..a1a832b
--- /dev/null
+++ b/bin/tests/system/rrl/ns2/tld2.db
@@ -0,0 +1,42 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; rate limit response from this zone
+
+$TTL 120
+@ SOA tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )
+ NS ns
+ NS .
+ns A 10.53.0.2
+
+; basic rate limiting
+a1 A 192.0.2.1
+
+; wildcards
+*.a2 A 192.0.2.2
+
+; a3 is in tld3
+
+; a4 does not exist to give NXDOMAIN
+
+; a5 for TCP requests
+a5 A 192.0.2.5
+
+; a6 for whitelisted clients
+a6 A 192.0.2.6
+
+; a7 for SERVFAIL
+
+; a8 for NODATA
+a8 A 192.0.2.8
+
+; a9 for all-per-second limit
+$GENERATE 101-180 all$.a9 A 192.0.2.8
diff --git a/bin/tests/system/rrl/ns3/hints b/bin/tests/system/rrl/ns3/hints
new file mode 100644
index 0000000..a1d435e
--- /dev/null
+++ b/bin/tests/system/rrl/ns3/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 0 NS ns1.
+ns1. 0 A 10.53.0.1
diff --git a/bin/tests/system/rrl/ns3/named.conf.in b/bin/tests/system/rrl/ns3/named.conf.in
new file mode 100644
index 0000000..8807f44
--- /dev/null
+++ b/bin/tests/system/rrl/ns3/named.conf.in
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ session-keyfile "session.key";
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ notify no;
+ recursion yes;
+ dnssec-validation yes;
+
+ // check that all of the options are parsed without limiting anything
+ rate-limit {
+ responses-per-second 200;
+ referrals-per-second 220;
+ nodata-per-second 230;
+ nxdomains-per-second 240;
+ errors-per-second 250;
+ all-per-second 700;
+ ipv4-prefix-length 24;
+ ipv6-prefix-length 64;
+ qps-scale 10;
+ window 1;
+ max-table-size 1000;
+ log-only no;
+ min-table-size 0;
+ };
+
+};
+
+zone "." { type hint; file "hints"; };
+
+zone "tld3."{ type primary; file "tld3.db"; };
diff --git a/bin/tests/system/rrl/ns3/tld3.db b/bin/tests/system/rrl/ns3/tld3.db
new file mode 100644
index 0000000..a534c6e
--- /dev/null
+++ b/bin/tests/system/rrl/ns3/tld3.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; rate limit response from this zone
+
+$TTL 120
+@ SOA tld3. hostmaster.ns.tld3. ( 1 3600 1200 604800 60 )
+ NS ns
+ NS .
+ns A 10.53.0.3
+
+*.a3 A 192.0.3.3
diff --git a/bin/tests/system/rrl/ns4/hints b/bin/tests/system/rrl/ns4/hints
new file mode 100644
index 0000000..a1d435e
--- /dev/null
+++ b/bin/tests/system/rrl/ns4/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 0 NS ns1.
+ns1. 0 A 10.53.0.1
diff --git a/bin/tests/system/rrl/ns4/named.conf.in b/bin/tests/system/rrl/ns4/named.conf.in
new file mode 100644
index 0000000..3cd598e
--- /dev/null
+++ b/bin/tests/system/rrl/ns4/named.conf.in
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ session-keyfile "session.key";
+ pid-file "named.pid";
+ statistics-file "named.stats";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ notify no;
+ recursion yes;
+ dnssec-validation yes;
+ max-udp-size 4096;
+
+ rate-limit {
+ responses-per-second 2;
+ all-per-second 50;
+ slip 3;
+ exempt-clients { 10.53.0.7; };
+ log-only yes;
+
+ // small enough to force a table expansion
+ min-table-size 75;
+ };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/*
+ * These log settings have no effect unless "-g" is removed from ../../start.pl
+ */
+logging {
+ channel debug {
+ file "log-debug";
+ print-category yes; print-severity yes; severity debug 10;
+ };
+ channel queries {
+ file "log-queries";
+ print-category yes; print-severity yes; severity info;
+ };
+ category rate-limit { debug; queries; };
+ category queries { debug; queries; };
+};
+
+zone "." { type hint; file "hints"; };
+
+zone "tld4."{ type primary; file "tld4.db"; };
diff --git a/bin/tests/system/rrl/ns4/tld4.db b/bin/tests/system/rrl/ns4/tld4.db
new file mode 100644
index 0000000..a7bc319
--- /dev/null
+++ b/bin/tests/system/rrl/ns4/tld4.db
@@ -0,0 +1,45 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; rate limit response from this zone
+
+$TTL 120
+@ SOA tld4. hostmaster.ns.tld4. ( 1 3600 1200 604800 60 )
+ NS ns
+ NS .
+ns A 10.53.0.2
+
+; basic rate limiting
+a1 A 192.0.2.1
+
+; wildcards
+*.a2 A 192.0.2.2
+
+; a3 is in tld3
+
+; a4 does not exist to give NXDOMAIN
+
+; a5 for TCP requests
+a5 A 192.0.2.5
+
+; a6 for whitelisted clients
+a6 A 192.0.2.6
+
+; a7 for SERVFAIL
+
+; a8 for NODATA
+a8 A 192.0.2.8
+
+; a9 for all-per-second limit
+$GENERATE 101-180 all$.a9 A 192.0.2.8
+
+; oversized TXT record
+$GENERATE 1-100 big 1 TXT "txt$"
diff --git a/bin/tests/system/rrl/setup.sh b/bin/tests/system/rrl/setup.sh
new file mode 100644
index 0000000..752b02c
--- /dev/null
+++ b/bin/tests/system/rrl/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+$SHELL clean.sh
+
+copy_setports broken.conf.in broken.conf
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
diff --git a/bin/tests/system/rrl/tests.sh b/bin/tests/system/rrl/tests.sh
new file mode 100644
index 0000000..9465b93
--- /dev/null
+++ b/bin/tests/system/rrl/tests.sh
@@ -0,0 +1,290 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+# test response rate limiting
+
+. ../conf.sh
+
+RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s"
+
+#set -x
+
+ns1=10.53.0.1 # root, defining the others
+ns2=10.53.0.2 # test server
+ns3=10.53.0.3 # secondary test server
+ns4=10.53.0.4 # log-only test server
+ns7=10.53.0.7 # whitelisted client
+
+USAGE="$0: [-x]"
+while getopts "x" c; do
+ case $c in
+ x) set -x;;
+ *) echo "$USAGE" 1>&2; exit 1;;
+ esac
+done
+shift $((OPTIND - 1))
+if test "$#" -ne 0; then
+ echo "$USAGE" 1>&2
+ exit 1
+fi
+# really quit on control-C
+trap 'exit 1' 1 2 15
+
+
+ret=0
+setret () {
+ ret=1
+ echo_i "$*"
+}
+
+
+# Wait until soon after the start of a second to make results consistent.
+# The start of a second credits a rate limit.
+# This would be far easier in C or by assuming a modern version of perl.
+sec_start () {
+ START=$(date)
+ while true; do
+ NOW=$(date)
+ if test "$START" != "$NOW"; then
+ return
+ fi
+ $PERL -e 'select(undef, undef, undef, 0.05)' || true
+ done
+}
+
+
+# turn off ${HOME}/.digrc
+HOME=/dev/null; export HOME
+
+# $1=number of tests $2=target domain $3=dig options
+QNUM=1
+burst () {
+ BURST_LIMIT=$1; shift
+ BURST_DOM_BASE="$1"; shift
+
+ XCNT=$CNT
+ CNT='XXX'
+ eval FILENAME="mdig.out-$BURST_DOM_BASE"
+ CNT=$XCNT
+
+ DOMS=""
+ CNTS=$($PERL -e 'for ( $i = 0; $i < '$BURST_LIMIT'; $i++) { printf "%03d\n", '$QNUM' + $i; }')
+ for CNT in $CNTS
+ do
+ eval BURST_DOM="$BURST_DOM_BASE"
+ DOMS="$DOMS $BURST_DOM"
+ done
+ ARGS="+burst +nocookie +continue +time=1 +tries=1 -p ${PORT} $* @$ns2 $DOMS"
+ $MDIG $ARGS 2>&1 | \
+ tee -a full-$FILENAME | \
+ sed -n -e '/^;; AUTHORITY/,/^$/d' \
+ -e '/^;; ADDITIONAL/,/^$/d' \
+ -e 's/^[^;].* \([^ ]\{1,\}\)$/\1/p' \
+ -e 's/;; flags.* tc .*/TC/p' \
+ -e 's/;; .* status: NXDOMAIN.*/NXDOMAIN/p' \
+ -e 's/;; .* status: NOERROR.*/NOERROR/p' \
+ -e 's/;; .* status: SERVFAIL.*/SERVFAIL/p' \
+ -e 's/response failed with timed out.*/drop/p' \
+ -e 's/;; communications error to.*/drop/p' >> $FILENAME &
+ QNUM=$((QNUM + BURST_LIMIT))
+}
+
+# compare integers $1 and $2; ensure the difference is no more than $3
+range () {
+ $PERL -e 'if (abs(int($ARGV[0]) - int($ARGV[1])) > int($ARGV[2])) { exit(1) }' $1 $2 $3
+}
+
+# $1=domain $2=IP address $3=# of IP addresses $4=TC $5=drop
+# $6=NXDOMAIN $7=SERVFAIL or other errors
+ck_result() {
+ # wait to the background mdig calls to complete.
+ wait
+ BAD=no
+ ADDRS=$(grep -E "^$2$" mdig.out-$1 2>/dev/null | wc -l)
+ # count simple truncated and truncated NXDOMAIN as TC
+ TC=$(grep -E "^TC|NXDOMAINTC$" mdig.out-$1 2>/dev/null | wc -l)
+ DROP=$(grep -E "^drop$" mdig.out-$1 2>/dev/null | wc -l)
+ # count NXDOMAIN and truncated NXDOMAIN as NXDOMAIN
+ NXDOMAIN=$(grep -E "^NXDOMAIN|NXDOMAINTC$" mdig.out-$1 2>/dev/null | wc -l)
+ SERVFAIL=$(grep -E "^SERVFAIL$" mdig.out-$1 2>/dev/null | wc -l)
+ NOERROR=$(grep -E "^NOERROR$" mdig.out-$1 2>/dev/null | wc -l)
+
+ range $ADDRS "$3" 1 ||
+ setret "$ADDRS instead of $3 '$2' responses for $1" &&
+ BAD=yes
+
+ range $TC "$4" 1 ||
+ setret "$TC instead of $4 truncation responses for $1" &&
+ BAD=yes
+
+ range $DROP "$5" 1 ||
+ setret "$DROP instead of $5 dropped responses for $1" &&
+ BAD=yes
+
+ range $NXDOMAIN "$6" 1 ||
+ setret "$NXDOMAIN instead of $6 NXDOMAIN responses for $1" &&
+ BAD=yes
+
+ range $SERVFAIL "$7" 1 ||
+ setret "$SERVFAIL instead of $7 error responses for $1" &&
+ BAD=yes
+
+ range $NOERROR "$8" 1 ||
+ setret "$NOERROR instead of $8 NOERROR responses for $1" &&
+ BAD=yes
+
+ if test -z "$BAD"; then
+ rm -f mdig.out-$1
+ fi
+}
+
+
+ckstats () {
+ LABEL="$1"; shift
+ TYPE="$1"; shift
+ EXPECTED="$1"; shift
+ C=$(cat ns2/named.stats |
+ sed -n -e "s/[ ]*\([0-9]*\).responses $TYPE for rate limits.*/\1/p" |
+ tail -1)
+ C=$((C))
+
+ range "$C" $EXPECTED 1 ||
+ setret "wrong $LABEL $TYPE statistics of $C instead of $EXPECTED"
+}
+
+
+#########
+sec_start
+
+# Tests of referrals to "." must be done before the hints are loaded.
+burst 5 a1.tld3 +norec
+# basic rate limiting
+burst 3 a1.tld2
+# delay allows an additional response.
+sleep 1
+burst 10 a1.tld2
+# Request 30 different qnames to try a wildcard.
+burst 30 'y.x$CNT.a2.tld2'
+
+# IP TC drop NXDOMAIN SERVFAIL NOERROR
+# referrals to "."
+ck_result a1.tld3 x 0 1 2 0 0 2
+# check 13 results including 1 second delay that allows an additional response
+ck_result a1.tld2 192.0.2.1 3 4 6 0 0 8
+
+# Check the wildcard answers.
+# The zone origin name of the 30 requests is counted.
+ck_result 'y.x*.a2.tld2' 192.0.2.2 2 10 18 0 0 12
+
+#########
+sec_start
+
+burst 10 'x.a3.tld3'
+burst 10 'y$CNT.a3.tld3'
+burst 10 'z$CNT.a4.tld2'
+
+# 10 identical recursive responses are limited
+ck_result 'x.a3.tld3' 192.0.3.3 2 3 5 0 0 5
+
+# 10 different recursive responses are not limited
+ck_result 'y*.a3.tld3' 192.0.3.3 10 0 0 0 0 10
+
+# 10 different NXDOMAIN responses are limited based on the parent name.
+# We count 13 responses because we count truncated NXDOMAIN responses
+# as both truncated and NXDOMAIN.
+ck_result 'z*.a4.tld2' x 0 3 5 5 0 0
+
+$RNDCCMD $ns2 stats
+ckstats first dropped 36
+ckstats first truncated 21
+
+
+#########
+sec_start
+
+burst 10 a5.tld2 +tcp
+burst 10 a6.tld2 -b $ns7
+burst 10 a7.tld4
+burst 2 a8.tld2 -t AAAA
+burst 2 a8.tld2 -t TXT
+burst 2 a8.tld2 -t SPF
+
+# IP TC drop NXDOMAIN SERVFAIL NOERROR
+# TCP responses are not rate limited
+ck_result a5.tld2 192.0.2.5 10 0 0 0 0 10
+
+# whitelisted client is not rate limited
+ck_result a6.tld2 192.0.2.6 10 0 0 0 0 10
+
+# Errors such as SERVFAIL are rate limited.
+ck_result a7.tld4 x 0 0 8 0 2 0
+
+# NODATA responses are counted as the same regardless of qtype.
+ck_result a8.tld2 x 0 2 2 0 0 4
+
+$RNDCCMD $ns2 stats
+ckstats second dropped 46
+ckstats second truncated 23
+
+
+#########
+sec_start
+
+# IP TC drop NXDOMAIN SERVFAIL NOERROR
+# all-per-second
+# The qnames are all unique but the client IP address is constant.
+QNUM=101
+burst 60 'all$CNT.a9.tld2'
+
+ck_result 'a*.a9.tld2' 192.0.2.8 50 0 10 0 0 50
+
+$RNDCCMD $ns2 stats
+ckstats final dropped 56
+ckstats final truncated 23
+
+#########
+sec_start
+
+DIGOPTS="+nocookie +nosearch +time=1 +tries=1 +ignore -p ${PORT}"
+$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1
+$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1
+$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1
+$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1
+$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1
+$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1
+$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1
+$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1
+$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1
+$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1
+$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1
+
+# regression test for GL #2839
+DIGOPTS="+bufsize=4096 +ignore -p ${PORT}"
+$DIG $DIGOPTS @$ns4 TXT big.tld4 > /dev/null 2>&1
+
+grep "would limit" ns4/named.run >/dev/null 2>&1 ||
+setret "\"would limit\" not found in log file."
+
+$NAMED -D rrl-ns5 -gc broken.conf > broken.out 2>&1 &
+sleep 2
+grep "min-table-size 1" broken.out > /dev/null || setret "min-table-size 0 was not changed to 1"
+
+if [ -f named.pid ]; then
+ kill $(cat named.pid)
+ setret "named should not have started, but did"
+fi
+
+echo_i "exit status: $ret"
+[ $ret -eq 0 ] || exit 1
diff --git a/bin/tests/system/rrl/tests_sh_rrl.py b/bin/tests/system/rrl/tests_sh_rrl.py
new file mode 100644
index 0000000..05b43a6
--- /dev/null
+++ b/bin/tests/system/rrl/tests_sh_rrl.py
@@ -0,0 +1,18 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import pytest_custom_markers
+
+
+# The rrl is known to be quite unstable. GL #172
+@pytest_custom_markers.flaky(max_runs=2)
+def test_rrl(run_tests_sh):
+ run_tests_sh()