diff options
Diffstat (limited to '')
19 files changed, 859 insertions, 0 deletions
diff --git a/bin/tests/system/wildcard/clean.sh b/bin/tests/system/wildcard/clean.sh new file mode 100644 index 0000000..c690ade --- /dev/null +++ b/bin/tests/system/wildcard/clean.sh @@ -0,0 +1,28 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f ns*/named.run +rm -f ns*/named.conf +rm -f ns1/K* +rm -f ns1/*.db +rm -f ns1/*.signed +rm -f ns1/dsset-* +rm -f ns1/keyset-* +rm -f ns1/trusted.conf +rm -f ns1/private.nsec.conf +rm -f ns1/private.nsec3.conf +rm -f ns1/signer.err +rm -f */named.memstats +rm -f dig.out.ns*.test* +rm -f ns*/named.lock +rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/wildcard/ns1/allwild.db.in b/bin/tests/system/wildcard/ns1/allwild.db.in new file mode 100644 index 0000000..71575c3 --- /dev/null +++ b/bin/tests/system/wildcard/ns1/allwild.db.in @@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN allwild.test. +allwild.test. 3600 IN SOA . . 0 0 0 0 0 +allwild.test. 3600 NS ns.example.test. +*.allwild.test. 3600 A 192.0.2.1 diff --git a/bin/tests/system/wildcard/ns1/dlv.db.in b/bin/tests/system/wildcard/ns1/dlv.db.in new file mode 100644 index 0000000..6156de6 --- /dev/null +++ b/bin/tests/system/wildcard/ns1/dlv.db.in @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 120 +@ SOA a.root-servers.nil. hostmaster.root-servers.nil. 1 1800 900 604800 86400 +@ NS a.root-servers.nil. diff --git a/bin/tests/system/wildcard/ns1/example.db.in b/bin/tests/system/wildcard/ns1/example.db.in new file mode 100644 index 0000000..36616cb --- /dev/null +++ b/bin/tests/system/wildcard/ns1/example.db.in @@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN example. +example. 3600 IN SOA . . 0 0 0 0 0 +example. 3600 NS ns.example.com. +example. 3600 NS ns.example.net. +*.example. 3600 TXT "this is a wildcard" +*.example. 3600 MX 10 host1.example. +sub.*.example. 3600 TXT "this is not a wildcard" +host1.example. 3600 A 192.0.2.1 +_ssh._tcp.host1.example. 3600 SRV 0 0 22 host1.example. +_ssh._tcp.host2.example. 3600 SRV 0 0 22 host2.example. +subdel.example. 3600 NS ns.example.com. +subdel.example. 3600 NS ns.example.net. + +_foo._udp.*.example. 3600 IN SRV 0 1 9 old-slow-box.example. diff --git a/bin/tests/system/wildcard/ns1/named.conf.in b/bin/tests/system/wildcard/ns1/named.conf.in new file mode 100644 index 0000000..ac02abf --- /dev/null +++ b/bin/tests/system/wildcard/ns1/named.conf.in @@ -0,0 +1,43 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + dnssec-validation no; + notify yes; +}; + +zone "." { type primary; file "root.db.signed"; }; + +/* + * RFC 4592 example zone. + */ +zone "allwild.test" { type primary; file "allwild.db"; }; +zone "example" { type primary; file "example.db"; }; +zone "nsec" { type primary; file "nsec.db.signed"; }; +zone "private.nsec" { type primary; file "private.nsec.db.signed"; }; + +/* + * The contents of nsec3 and private.nsec3 are specially chosen to + * have separate NSEC3 records for the "no qname proof" and the + * "closest encloser proof". + */ +zone "nsec3" { type primary; file "nsec3.db.signed"; }; +zone "private.nsec3" { type primary; file "private.nsec3.db.signed"; }; diff --git a/bin/tests/system/wildcard/ns1/nsec.db.in b/bin/tests/system/wildcard/ns1/nsec.db.in new file mode 100644 index 0000000..8869ab9 --- /dev/null +++ b/bin/tests/system/wildcard/ns1/nsec.db.in @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 120 +@ SOA a.root-servers.nil. hostmaster.root-servers.nil. 1 1800 900 604800 86400 +@ NS a.root-servers.nil. +private NS a.root-servers.nil. +*.wild CNAME a. +a.wild A 1.2.3.5 diff --git a/bin/tests/system/wildcard/ns1/nsec3.db.in b/bin/tests/system/wildcard/ns1/nsec3.db.in new file mode 100644 index 0000000..8869ab9 --- /dev/null +++ b/bin/tests/system/wildcard/ns1/nsec3.db.in @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 120 +@ SOA a.root-servers.nil. hostmaster.root-servers.nil. 1 1800 900 604800 86400 +@ NS a.root-servers.nil. +private NS a.root-servers.nil. +*.wild CNAME a. +a.wild A 1.2.3.5 diff --git a/bin/tests/system/wildcard/ns1/private.nsec.db.in b/bin/tests/system/wildcard/ns1/private.nsec.db.in new file mode 100644 index 0000000..b7cc222 --- /dev/null +++ b/bin/tests/system/wildcard/ns1/private.nsec.db.in @@ -0,0 +1,16 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 120 +@ SOA a.root-servers.nil. hostmaster.root-servers.nil. 1 1800 900 604800 86400 +@ NS a.root-servers.nil. +*.wild CNAME a. +a.wild A 1.2.3.5 diff --git a/bin/tests/system/wildcard/ns1/private.nsec3.db.in b/bin/tests/system/wildcard/ns1/private.nsec3.db.in new file mode 100644 index 0000000..566b3f8 --- /dev/null +++ b/bin/tests/system/wildcard/ns1/private.nsec3.db.in @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 120 +@ SOA a.root-servers.nil. hostmaster.root-servers.nil. 1 1800 900 604800 86400 +@ NS a.root-servers.nil. +b A 1.2.3.4 +*.wild CNAME a. +a.wild A 1.2.3.5 diff --git a/bin/tests/system/wildcard/ns1/root.db.in b/bin/tests/system/wildcard/ns1/root.db.in new file mode 100644 index 0000000..ffeb0a6 --- /dev/null +++ b/bin/tests/system/wildcard/ns1/root.db.in @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 120 +@ SOA a.root-servers.nil hostmaster.root-servers.nil 1 1800 900 604800 86400 +@ NS a.root-servers.nil +a.root-servers.nil A 10.53.0.1 +nsec NS a.root-servers.nil +nsec3 NS a.root-servers.nil diff --git a/bin/tests/system/wildcard/ns1/sign.sh b/bin/tests/system/wildcard/ns1/sign.sh new file mode 100755 index 0000000..d414bb1 --- /dev/null +++ b/bin/tests/system/wildcard/ns1/sign.sh @@ -0,0 +1,95 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../../conf.sh + +SYSTESTDIR=wildcard + +dssets= + +# RFC 4592 example zone. +cp allwild.db.in allwild.db +cp example.db.in example.db + +zone=nsec +infile=nsec.db.in +zonefile=nsec.db +outfile=nsec.db.signed +dssets="$dssets dsset-${zone}." + +keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) +keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) + +cat $infile $keyname1.key $keyname2.key > $zonefile + +$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo_i "signed $zone" + +zone=private.nsec +infile=private.nsec.db.in +zonefile=private.nsec.db +outfile=private.nsec.db.signed + +keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) +keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) + +cat $infile $keyname1.key $keyname2.key > $zonefile + +$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo_i "signed $zone" + +keyfile_to_static_ds $keyname2 > private.nsec.conf + +zone=nsec3 +infile=nsec3.db.in +zonefile=nsec3.db +outfile=nsec3.db.signed +dssets="$dssets dsset-${zone}." + +keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) +keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) + +cat $infile $keyname1.key $keyname2.key > $zonefile + +$SIGNER -3 - -H 10 -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo_i "signed $zone" + +zone=private.nsec3 +infile=private.nsec3.db.in +zonefile=private.nsec3.db +outfile=private.nsec3.db.signed + +keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) +keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) + +cat $infile $keyname1.key $keyname2.key > $zonefile + +$SIGNER -3 - -H 10 -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo_i "signed $zone" + +keyfile_to_static_ds $keyname2 > private.nsec3.conf + +zone=. +infile=root.db.in +zonefile=root.db +outfile=root.db.signed + +keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) +keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) + +cat $infile $keyname1.key $keyname2.key $dssets >$zonefile + +$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo_i "signed $zone" + +keyfile_to_static_ds $keyname2 > trusted.conf diff --git a/bin/tests/system/wildcard/ns2/named.conf.in b/bin/tests/system/wildcard/ns2/named.conf.in new file mode 100644 index 0000000..a9a2a70 --- /dev/null +++ b/bin/tests/system/wildcard/ns2/named.conf.in @@ -0,0 +1,30 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation no; + notify yes; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; diff --git a/bin/tests/system/wildcard/ns3/named.conf.in b/bin/tests/system/wildcard/ns3/named.conf.in new file mode 100644 index 0000000..0b958fa --- /dev/null +++ b/bin/tests/system/wildcard/ns3/named.conf.in @@ -0,0 +1,32 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation yes; + notify yes; +}; + +include "../ns1/trusted.conf"; + +zone "." { + type hint; + file "../../common/root.hint"; +}; diff --git a/bin/tests/system/wildcard/ns4/named.conf.in b/bin/tests/system/wildcard/ns4/named.conf.in new file mode 100644 index 0000000..b125fa7 --- /dev/null +++ b/bin/tests/system/wildcard/ns4/named.conf.in @@ -0,0 +1,31 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation yes; + notify yes; + forward only; + forwarders { 10.53.0.2; }; +}; + +include "../ns1/trusted.conf"; +include "../ns1/private.nsec.conf"; +include "../ns1/private.nsec3.conf"; diff --git a/bin/tests/system/wildcard/ns5/named.conf.in b/bin/tests/system/wildcard/ns5/named.conf.in new file mode 100644 index 0000000..1cd358d --- /dev/null +++ b/bin/tests/system/wildcard/ns5/named.conf.in @@ -0,0 +1,32 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation yes; + notify yes; +}; + +include "../ns1/trusted.conf"; + +zone "." { + type hint; + file "../../common/root.hint"; +}; diff --git a/bin/tests/system/wildcard/setup.sh b/bin/tests/system/wildcard/setup.sh new file mode 100644 index 0000000..8c7adfe --- /dev/null +++ b/bin/tests/system/wildcard/setup.sh @@ -0,0 +1,22 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns3/named.conf.in ns3/named.conf +copy_setports ns4/named.conf.in ns4/named.conf +copy_setports ns5/named.conf.in ns5/named.conf + +(cd ns1 && $SHELL -e sign.sh) diff --git a/bin/tests/system/wildcard/tests.sh b/bin/tests/system/wildcard/tests.sh new file mode 100644 index 0000000..b956874 --- /dev/null +++ b/bin/tests/system/wildcard/tests.sh @@ -0,0 +1,282 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +. ../conf.sh + +status=0 +n=0 + +rm -f dig.out.* + +DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" + +n=$((n + 1)) +echo_i "checking that NSEC wildcard non-existence proof is returned auth ($n)" +ret=0 +$DIG $DIGOPTS a b.wild.nsec +norec @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that NSEC wildcard non-existence proof is returned non-validating ($n)" +ret=0 +$DIG $DIGOPTS a b.wild.nsec @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns2.test$n > /dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns2.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that NSEC wildcard non-existence proof is returned validating ($n)" +ret=0 +$DIG $DIGOPTS a b.wild.nsec @10.53.0.3 > dig.out.ns3.test$n || ret=1 +grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns3.test$n > /dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that NSEC wildcard non-existence proof is returned validating + CD ($n)" +ret=0 +$DIG $DIGOPTS +cd a b.wild.nsec @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns5.test$n > /dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns5.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) +n=$((n + 1)) + +echo_i "checking that returned NSEC wildcard non-existence proof validates ($n)" +ret=0 +$DIG $DIGOPTS a b.wild.nsec @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns4.test$n > /dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that NSEC wildcard non-existence proof is returned private, validating ($n)" +ret=0 +$DIG $DIGOPTS a b.wild.private.nsec @10.53.0.3 > dig.out.ns3.test$n || ret=1 +grep -i 'a\.wild\.private\.nsec\..*NSEC.*private\.nsec\..*NSEC' dig.out.ns3.test$n > /dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that returned NSEC wildcard non-existence proof for private zone validates ($n)" +ret=0 +$DIG $DIGOPTS a b.wild.private.nsec @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep -i 'a\.wild\.private\.nsec\..*NSEC.*private\.nsec\..*NSEC' dig.out.ns4.test$n > /dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that NSEC3 wildcard non-existence proof is returned auth ($n)" +ret=0 +$DIG $DIGOPTS a b.wild.nsec3 +norec @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that NSEC3 wildcard non-existence proof is returned non-validating ($n)" +ret=0 +$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns2.test$n > /dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns2.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that NSEC3 wildcard non-existence proof is returned validating ($n)" +ret=0 +$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 +grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns3.test$n > /dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that NSEC3 wildcard non-existence proof is returned validating + CD ($n)" +ret=0 +$DIG $DIGOPTS +cd a b.wild.nsec3 @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns5.test$n > /dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns5.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that returned NSEC3 wildcard non-existence proof validates ($n)" +ret=0 +$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns4.test$n > /dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that NSEC3 wildcard non-existence proof is returned private, validating ($n)" +ret=0 +$DIG $DIGOPTS a b.wild.private.nsec3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 +grep -i 'UDBSP4R8OUOT6HSO39VD8B5LMOSHRD5N\.private\.nsec3\..*NSEC3.*ASDRUIB7GO00OR92S5OUGI404LT27RNU' dig.out.ns3.test$n > /dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that returned NSEC3 wildcard non-existence proof for private zone validates ($n)" +ret=0 +$DIG $DIGOPTS a b.wild.private.nsec3 @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep -i 'UDBSP4R8OUOT6HSO39VD8B5LMOSHRD5N\.private\.nsec3\..*NSEC3.*ASDRUIB7GO00OR92S5OUGI404LT27RNU' dig.out.ns4.test$n > /dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking RFC 4592 responses ..." + +n=$((n + 1)) +echo_i "checking RFC 4592: host3.example. QTYPE=MX, QCLASS=IN ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 host3.example. MX IN > dig.out.ns1.test$n || ret=1 +grep '^host3.example..*IN.MX.10 host1.example.' dig.out.ns1.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking RFC 4592: host3.example. QTYPE=A, QCLASS=IN ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 host3.example. A IN > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking RFC 4592: foo.bar.example. QTYPE=TXT, QCLASS=IN ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 foo.bar.example TXT IN > dig.out.ns1.test$n || ret=1 +grep '^foo.bar.example..*IN.TXT."this is a wildcard"' dig.out.ns1.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking RFC 4592: host1.example. QTYPE=MX, QCLASS=IN ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 host1.example MX IN > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking RFC 4592: host1.example. QTYPE=MX, QCLASS=IN ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 host1.example MX IN > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking RFC 4592: sub.*.example. QTYPE=MX, QCLASS=IN ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 "sub.*.example." MX IN > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking RFC 4592: _telnet._tcp.host1.example. QTYPE=SRV, QCLASS=IN ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 _telnet._tcp.host1.example. SRV IN > dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking RFC 4592: host.subdel.example. QTYPE=A, QCLASS=IN ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 host.subdel.example A IN > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +grep "AUTHORITY: 2," dig.out.ns1.test$n > /dev/null || ret=1 +grep "subdel.example..*IN.NS.ns.example.com." dig.out.ns1.test$n > /dev/null || ret=1 +grep "subdel.example..*IN.NS.ns.example.net." dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking RFC 4592: ghost.*.example. QTYPE=MX, QCLASS=IN ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 "ghost.*.example" MX IN > dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking RFC 4592: _foo._udp.bar.example. QTYPE=SRV, QCLASS=IN ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 "_foo._udp.bar.example" SRV IN > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check wild card expansions by code point ($n)" +ret=0 +i=0 +while test $i -lt 256 +do + x=$(expr 00$i : '.*\(...\)$' || true) + $DIG $DIGOPTS @10.53.0.1 "\\$x.example" TXT > dig.out.ns1.$x.test$n + if test $i -le 32 -o $i -ge 127 + then + grep '^\\'"$x"'\.example\..*TXT.*"this is a wildcard"$' dig.out.ns1.$x.test$n > /dev/null || { echo_i "code point $x failed" ; ret=1; } + # "=34 $=36 (=40 )=41 .=46 ;=59 \=92 @=64 + elif test $i -eq 34 -o $i -eq 36 -o $i -eq 40 -o $i -eq 41 -o \ + $i -eq 46 -o $i -eq 59 -o $i -eq 64 -o $i -eq 92 + then + case $i in + 34) a='"';; + 36) a='$';; + 40) a='(';; + 41) a=')';; + 46) a='\.';; + 59) a=';';; + 64) a='@';; + 92) a='\\';; + *) a=''; echo_i "code point $x failed" ; ret=1 ;; + esac + grep '^\\'"$a"'\.example.*.*TXT.*"this is a wildcard"$' dig.out.ns1.$x.test$n > /dev/null || { echo_i "code point $x failed" ; ret=1; } + else + grep '^\\' dig.out.ns1.$x.test$n && { echo_i "code point $x failed" ; ret=1; } + fi + i=$((i + 1)) +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/wildcard/tests_sh_wildcard.py b/bin/tests/system/wildcard/tests_sh_wildcard.py new file mode 100644 index 0000000..89a9fef --- /dev/null +++ b/bin/tests/system/wildcard/tests_sh_wildcard.py @@ -0,0 +1,14 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + + +def test_wildcard(run_tests_sh): + run_tests_sh() diff --git a/bin/tests/system/wildcard/tests_wildcard.py b/bin/tests/system/wildcard/tests_wildcard.py new file mode 100755 index 0000000..66166f2 --- /dev/null +++ b/bin/tests/system/wildcard/tests_wildcard.py @@ -0,0 +1,112 @@ +#!/usr/bin/python3 + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +""" +Example property-based test for wildcard synthesis. +Verifies that otherwise-empty zone with single wildcard record * A 192.0.2.1 +produces synthesized answers for <random_label>.test. A, and returns NODATA for +<random_label>.test. when rdtype is not A. + +Limitations - untested properties: + - expansion works with multiple labels + - asterisk in qname does not cause expansion + - empty non-terminals prevent expansion + - or more generally any existing node prevents expansion + - DNSSEC record inclusion + - possibly others, see RFC 4592 and company + - content of authority & additional sections + - flags beyond RCODE + - special behavior of rdtypes like CNAME +""" +import pytest + +pytest.importorskip("dns") +import dns.message +import dns.name +import dns.query +import dns.rcode +import dns.rdataclass +import dns.rdatatype +import dns.rrset + +pytest.importorskip("hypothesis") +from hypothesis import given +from hypothesis.strategies import binary, integers + + +# labels of a zone with * A 192.0.2.1 wildcard +WILDCARD_ZONE = ("allwild", "test", "") +WILDCARD_RDTYPE = dns.rdatatype.A +WILDCARD_RDATA = "192.0.2.1" +IPADDR = "10.53.0.1" +TIMEOUT = 5 # seconds, just a sanity check + + +# Helpers +def is_nonexpanding_rdtype(rdtype): + """skip meta types to avoid weird rcodes caused by AXFR etc.; RFC 6895""" + return not ( + rdtype == WILDCARD_RDTYPE + or dns.rdatatype.is_metatype(rdtype) # known metatypes: OPT ... + or 128 <= rdtype <= 255 + ) # unknown meta types + + +def tcp_query(where, port, qname, qtype): + querymsg = dns.message.make_query(qname, qtype) + assert len(querymsg.question) == 1 + return querymsg, dns.query.tcp(querymsg, where, port=port, timeout=TIMEOUT) + + +def query(where, port, label, rdtype): + labels = (label,) + WILDCARD_ZONE + qname = dns.name.Name(labels) + return tcp_query(where, port, qname, rdtype) + + +# Tests +@given( + label=binary(min_size=1, max_size=63), + rdtype=integers(min_value=0, max_value=65535).filter(is_nonexpanding_rdtype), +) +def test_wildcard_rdtype_mismatch(label, rdtype, named_port): + """any label non-matching rdtype must result in to NODATA""" + check_answer_nodata(*query(IPADDR, named_port, label, rdtype)) + + +def check_answer_nodata(querymsg, answer): + assert querymsg.is_response(answer), str(answer) + assert answer.rcode() == dns.rcode.NOERROR, str(answer) + assert answer.answer == [], str(answer) + + +@given(label=binary(min_size=1, max_size=63)) +def test_wildcard_match(label, named_port): + """any label with maching rdtype must result in wildcard data in answer""" + check_answer_noerror(*query(IPADDR, named_port, label, WILDCARD_RDTYPE)) + + +def check_answer_noerror(querymsg, answer): + assert querymsg.is_response(answer), str(answer) + assert answer.rcode() == dns.rcode.NOERROR, str(answer) + assert len(querymsg.question) == 1, str(answer) + expected_answer = [ + dns.rrset.from_text( + querymsg.question[0].name, + 300, # TTL, ignored by dnspython comparison + dns.rdataclass.IN, + WILDCARD_RDTYPE, + WILDCARD_RDATA, + ) + ] + assert answer.answer == expected_answer, str(answer) |