diff options
Diffstat (limited to 'bin/tests/system/ckdnsrps.sh')
| -rw-r--r-- | bin/tests/system/ckdnsrps.sh | 167 |
1 files changed, 167 insertions, 0 deletions
diff --git a/bin/tests/system/ckdnsrps.sh b/bin/tests/system/ckdnsrps.sh new file mode 100644 index 0000000..afc405d --- /dev/null +++ b/bin/tests/system/ckdnsrps.sh @@ -0,0 +1,167 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +# Say on stdout whether to test DNSRPS +# and create dnsrps.conf and dnsrps-secondary.conf +# Note that dnsrps.conf and dnsrps-secondary.conf are included in named.conf +# and differ from dnsrpz.conf which is used by dnsrpzd. + + +. ../conf.sh + +DNSRPS_CMD=../rpz/dnsrps + +AS_NS= +TEST_DNSRPS= +MCONF=dnsrps.conf +SCONF=dnsrps-secondary.conf +USAGE="$0: [-xAD] [-M dnsrps.conf] [-S dnsrps-secondary.conf]" +while getopts "xADM:S:" c; do + case $c in + x) set -x; DEBUG=-x;; + A) AS_NS=yes;; + D) TEST_DNSRPS=yes;; + M) MCONF="$OPTARG";; + S) SCONF="$OPTARG";; + *) echo "$USAGE" 1>&2; exit 1;; + esac +done +shift $(expr $OPTIND - 1 || true) +if [ "$#" -ne 0 ]; then + echo "$USAGE" 1>&2 + exit 1 +fi + +# erase any existing conf files +cat /dev/null > $MCONF +cat /dev/null > $SCONF + +add_conf () { + echo "$*" >>$MCONF + echo "$*" >>$SCONF +} + +if ! $FEATURETEST --enable-dnsrps; then + if [ -n "$TEST_DNSRPS" ]; then + add_conf "## DNSRPS disabled at compile time" + fi + add_conf "#skip" + exit 0 +fi + +if [ -z "$TEST_DNSRPS" ]; then + add_conf "## testing with native RPZ" + add_conf '#skip' + exit 0 +else + add_conf "## testing with DNSRPS" +fi + +if [ ! -x "$DNSRPS_CMD" ]; then + add_conf "## make $DNSRPS_CMD to test DNSRPS" + add_conf '#skip' + exit 0 +fi + +if $DNSRPS_CMD -a >/dev/null; then : +else + add_conf "## DNSRPS provider library is not available" + add_conf '#skip' + exit 0 +fi + +CMN=" dnsrps-options { dnsrpzd-conf ../dnsrpzd.conf + dnsrpzd-sock ../dnsrpzd.sock + dnsrpzd-rpzf ../dnsrpzd.rpzf + dnsrpzd-args '-dddd -L stdout' + log-level 3" + +PRIMARY="$CMN" +if [ -n "$AS_NS" ]; then + PRIMARY="$PRIMARY + qname-as-ns yes + ip-as-ns yes" +fi + +# write dnsrps settings for primary resolver +cat <<EOF >>$MCONF +$PRIMARY }; +EOF + +# write dnsrps settings for resolvers that should not start dnsrpzd +cat <<EOF >>$SCONF +$CMN + dnsrpzd '' }; # do not start dnsrpzd +EOF + + +# DNSRPS is available. +# The test should fail if the license is bad. +add_conf "dnsrps-enable yes;" + +# Use alt-dnsrpzd-license.conf if it exists +CUR_L=dnsrpzd-license-cur.conf +ALT_L=alt-dnsrpzd-license.conf +# try ../rpz/alt-dnsrpzd-license.conf if alt-dnsrpzd-license.conf does not exist +[ -s $ALT_L ] || ALT_L=../rpz/alt-dnsrpzd-license.conf +if [ -s $ALT_L ]; then + SRC_L=$ALT_L + USE_ALT= +else + SRC_L=../rpz/dnsrpzd-license.conf + USE_ALT="## consider installing alt-dnsrpzd-license.conf" +fi +cp $SRC_L $CUR_L + +# parse $CUR_L for the license zone name, primary IP addresses, and optional +# transfer-source IP addresses +eval `sed -n -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/'\ + -e 's/.*zone *\([-a-z0-9]*.license.fastrpz.com\).*/NAME=\1/p' \ + -e 's/.*farsight_fastrpz_license *\([0-9.]*\);.*/IPV4=\1/p' \ + -e 's/.*farsight_fastrpz_license *\([0-9a-f:]*\);.*/IPV6=\1/p' \ + -e 's/.*transfer-source *\([0-9.]*\);.*/TS4=-b\1/p' \ + -e 's/.*transfer-source *\([0-9a-f:]*\);.*/TS6=-b\1/p' \ + -e 's/.*transfer-source-v6 *\([0-9a-f:]*\);.*/TS6=-b\1/p' \ + $CUR_L` +if [ -z "$NAME" ]; then + add_conf "## no DNSRPS tests; no license domain name in $SRC_L" + add_conf '#fail' + exit 0 +fi +if [ -z "$IPV4" ]; then + IPV4=license1.fastrpz.com + TS4= +fi +if [ -z "$IPV6" ]; then + IPV6=license1.fastrpz.com + TS6= +fi + +# This TSIG key is common and NOT a secret +KEY='hmac-sha256:farsight_fastrpz_license:f405d02b4c8af54855fcebc1' + +# Try IPv4 and then IPv6 to deal with IPv6 tunnel and connectivity problems +if `$DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4 \ + | grep -i "^$NAME.*TXT" >/dev/null`; then + exit 0 +fi +if `$DIG -6 -t axfr -y$KEY $TS6 $NAME @$IPV6 \ + | grep -i "^$NAME.*TXT" >/dev/null`; then + exit 0 +fi + +add_conf "## DNSRPS lacks a valid license via $SRC_L" +[ -z "$USE_ALT" ] || add_conf "$USE_ALT" +add_conf '#fail' |