From 3b9b6d0b8e7f798023c9d109c490449d528fde80 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 17:59:48 +0200 Subject: Adding upstream version 1:9.18.19. Signed-off-by: Daniel Baumann --- bin/tests/system/upforwd/ans4/ans.pl | 363 ++++++++++++++++++++++++++ bin/tests/system/upforwd/clean.sh | 35 +++ bin/tests/system/upforwd/knowngood.after1 | 10 + bin/tests/system/upforwd/knowngood.after2 | 11 + bin/tests/system/upforwd/knowngood.before | 8 + bin/tests/system/upforwd/knowngood.ns2.before | 6 + bin/tests/system/upforwd/ns1/example1.db | 18 ++ bin/tests/system/upforwd/ns1/named.conf.in | 42 +++ bin/tests/system/upforwd/ns2/named.conf.in | 37 +++ bin/tests/system/upforwd/ns3/named1.conf.in | 64 +++++ bin/tests/system/upforwd/ns3/named2.conf.in | 44 ++++ bin/tests/system/upforwd/ns3/noprimary.db | 14 + bin/tests/system/upforwd/setup.sh | 47 ++++ bin/tests/system/upforwd/tests.sh | 295 +++++++++++++++++++++ bin/tests/system/upforwd/tests_sh_upforwd.py | 14 + 15 files changed, 1008 insertions(+) create mode 100644 bin/tests/system/upforwd/ans4/ans.pl create mode 100644 bin/tests/system/upforwd/clean.sh create mode 100644 bin/tests/system/upforwd/knowngood.after1 create mode 100644 bin/tests/system/upforwd/knowngood.after2 create mode 100644 bin/tests/system/upforwd/knowngood.before create mode 100644 bin/tests/system/upforwd/knowngood.ns2.before create mode 100644 bin/tests/system/upforwd/ns1/example1.db create mode 100644 bin/tests/system/upforwd/ns1/named.conf.in create mode 100644 bin/tests/system/upforwd/ns2/named.conf.in create mode 100644 bin/tests/system/upforwd/ns3/named1.conf.in create mode 100644 bin/tests/system/upforwd/ns3/named2.conf.in create mode 100644 bin/tests/system/upforwd/ns3/noprimary.db create mode 100644 bin/tests/system/upforwd/setup.sh create mode 100644 bin/tests/system/upforwd/tests.sh create mode 100644 bin/tests/system/upforwd/tests_sh_upforwd.py (limited to 'bin/tests/system/upforwd') diff --git a/bin/tests/system/upforwd/ans4/ans.pl b/bin/tests/system/upforwd/ans4/ans.pl new file mode 100644 index 0000000..000be56 --- /dev/null +++ b/bin/tests/system/upforwd/ans4/ans.pl @@ -0,0 +1,363 @@ +#!/usr/bin/perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# This is the name server from hell. It provides canned +# responses based on pattern matching the queries, and +# can be reprogrammed on-the-fly over a TCP connection. +# +# The server listens for control connections on port 5301. +# A control connection is a TCP stream of lines like +# +# /pattern/ +# name ttl type rdata +# name ttl type rdata +# ... +# /pattern/ +# name ttl type rdata +# name ttl type rdata +# ... +# +# There can be any number of patterns, each associated +# with any number of response RRs. Each pattern is a +# Perl regular expression. +# +# Each incoming query is converted into a string of the form +# "qname qtype" (the printable query domain name, space, +# printable query type) and matched against each pattern. +# +# The first pattern matching the query is selected, and +# the RR following the pattern line are sent in the +# answer section of the response. +# +# Each new control connection causes the current set of +# patterns and responses to be cleared before adding new +# ones. +# +# The server handles UDP and TCP queries. Zone transfer +# responses work, but must fit in a single 64 k message. +# +# Now you can add TSIG, just specify key/key data with: +# +# /pattern / +# name ttl type rdata +# name ttl type rdata +# +# Note that this data will still be sent with any request for +# pattern, only this data will be signed. Currently, this is only +# done for TCP. + + +use IO::File; +use IO::Socket; +use Data::Dumper; +use Net::DNS; +use Net::DNS::Packet; +use strict; + +# Ignore SIGPIPE so we won't fail if peer closes a TCP socket early +local $SIG{PIPE} = 'IGNORE'; + +# Flush logged output after every line +local $| = 1; + +my $server_addr = "10.53.0.4"; + +my $localport = int($ENV{'PORT'}); +if (!$localport) { $localport = 5300; } + +my $udpsock = IO::Socket::INET->new(LocalAddr => "$server_addr", + LocalPort => $localport, Proto => "udp", Reuse => 1) or die "$!"; + +my $tcpsock = IO::Socket::INET->new(LocalAddr => "$server_addr", + LocalPort => $localport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!"; + +print "listening on $server_addr:$localport.\n"; + +my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; +print $pidf "$$\n" or die "cannot write pid file: $!"; +$pidf->close or die "cannot close pid file: $!";; +sub rmpid { unlink "ans.pid"; exit 1; }; + +$SIG{INT} = \&rmpid; +$SIG{TERM} = \&rmpid; + +#my @answers = (); +my @rules; +sub handleUDP { + my ($buf) = @_; + my $packet; + + if ($Net::DNS::VERSION > 0.68) { + $packet = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + } else { + my $err; + ($packet, $err) = new Net::DNS::Packet(\$buf, 0); + $err and die $err; + } + + $packet->header->qr(1); + $packet->header->aa(1); + + my @questions = $packet->question; + my $qname = $questions[0]->qname; + my $qtype = $questions[0]->qtype; + + # get the existing signature if any, and clear the additional section + my $prev_tsig; + while (my $rr = $packet->pop("additional")) { + if ($rr->type eq "TSIG") { + $prev_tsig = $rr; + } + } + + my $r; + foreach $r (@rules) { + my $pattern = $r->{pattern}; + my($dbtype, $key_name, $key_data) = split(/ /,$pattern); + print "[handleUDP] $dbtype, $key_name, $key_data \n"; + if ("$qname $qtype" =~ /$dbtype/) { + my $a; + foreach $a (@{$r->{answer}}) { + $packet->push("answer", $a); + } + if(defined($key_name) && defined($key_data)) { + # Sign the packet + print " Signing the response with " . + "$key_name/$key_data\n"; + my $tsig = Net::DNS::RR-> + new("$key_name TSIG $key_data"); + + # These kluges are necessary because Net::DNS + # doesn't know how to sign responses. We + # clear compnames so that the TSIG key and + # algorithm name won't be compressed, and + # add one to arcount because the signing + # function will attempt to decrement it, + # which is incorrect in a response. Finally + # we set request_mac to the previous digest. + $packet->{"compnames"} = {}; + $packet->{"header"}{"arcount"} += 1; + if (defined($prev_tsig)) { + my $rmac = pack('n H*', + $prev_tsig->mac_size, + $prev_tsig->mac); + $tsig->{"request_mac"} = + unpack("H*", $rmac); + } + + $packet->sign_tsig($tsig); + } + last; + } + } + #$packet->print; + + return $packet->data; +} + +# namelen: +# given a stream of data, reads a DNS-formatted name and returns its +# total length, thus making it possible to skip past it. +sub namelen { + my ($data) = @_; + my $len = 0; + my $label_len = 0; + do { + $label_len = unpack("c", $data); + $data = substr($data, $label_len + 1); + $len += $label_len + 1; + } while ($label_len != 0); + return ($len); +} + +# packetlen: +# given a stream of data, reads a DNS wire-format packet and returns +# its total length, making it possible to skip past it. +sub packetlen { + my ($data) = @_; + my $q; + my $rr; + + my ($header, $offset) = Net::DNS::Header->parse(\$data); + for (1 .. $header->qdcount) { + ($q, $offset) = Net::DNS::Question->parse(\$data, $offset); + } + for (1 .. $header->ancount) { + ($rr, $offset) = Net::DNS::RR->parse(\$data, $offset); + } + for (1 .. $header->nscount) { + ($rr, $offset) = Net::DNS::RR->parse(\$data, $offset); + } + for (1 .. $header->arcount) { + ($rr, $offset) = Net::DNS::RR->parse(\$data, $offset); + } + return $offset; +} + +# sign_tcp_continuation: +# This is a hack to correct the problem that Net::DNS has no idea how +# to sign multiple-message TCP responses. Several data that are included +# in the digest when signing a query or the first message of a response are +# omitted when signing subsequent messages in a TCP stream. +# +# Net::DNS::Packet->sign_tsig() has the ability to use a custom signing +# function (specified by calling Packet->sign_func()). We use this +# function as the signing function for TCP continuations, and it removes +# the unwanted data from the digest before calling the default sign_hmac +# function. +sub sign_tcp_continuation { + my ($key, $data) = @_; + + # copy out first two bytes: size of the previous MAC + my $rmacsize = unpack("n", $data); + $data = substr($data, 2); + + # copy out previous MAC + my $rmac = substr($data, 0, $rmacsize); + $data = substr($data, $rmacsize); + + # try parsing out the packet information + my $plen = packetlen($data); + my $pdata = substr($data, 0, $plen); + $data = substr($data, $plen); + + # remove the keyname, ttl, class, and algorithm name + $data = substr($data, namelen($data)); + $data = substr($data, 6); + $data = substr($data, namelen($data)); + + # preserve the TSIG data + my $tdata = substr($data, 0, 8); + + # prepare a new digest and sign with it + $data = pack("n", $rmacsize) . $rmac . $pdata . $tdata; + return Net::DNS::RR::TSIG::sign_hmac($key, $data); +} + +sub handleTCP { + my ($buf) = @_; + my $packet; + + if ($Net::DNS::VERSION > 0.68) { + $packet = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + } else { + my $err; + ($packet, $err) = new Net::DNS::Packet(\$buf, 0); + $err and die $err; + } + + $packet->header->qr(1); + $packet->header->aa(1); + + my @questions = $packet->question; + my $qname = $questions[0]->qname; + my $qtype = $questions[0]->qtype; + + # get the existing signature if any, and clear the additional section + my $prev_tsig; + my $signer; + while (my $rr = $packet->pop("additional")) { + if ($rr->type eq "TSIG") { + $prev_tsig = $rr; + } + } + + my @results = (); + my $count_these = 0; + + my $r; + foreach $r (@rules) { + my $pattern = $r->{pattern}; + my($dbtype, $key_name, $key_data) = split(/ /,$pattern); + print "[handleTCP] $dbtype, $key_name, $key_data \n"; + if ("$qname $qtype" =~ /$dbtype/) { + $count_these++; + my $a; + foreach $a (@{$r->{answer}}) { + $packet->push("answer", $a); + } + if(defined($key_name) && defined($key_data)) { + # sign the packet + print " Signing the data with " . + "$key_name/$key_data\n"; + + my $tsig = Net::DNS::RR-> + new("$key_name TSIG $key_data"); + + # These kluges are necessary because Net::DNS + # doesn't know how to sign responses. We + # clear compnames so that the TSIG key and + # algorithm name won't be compressed, and + # add one to arcount because the signing + # function will attempt to decrement it, + # which is incorrect in a response. Finally + # we set request_mac to the previous digest. + $packet->{"compnames"} = {}; + $packet->{"header"}{"arcount"} += 1; + if (defined($prev_tsig)) { + my $rmac = pack('n H*', + $prev_tsig->mac_size, + $prev_tsig->mac); + $tsig->{"request_mac"} = + unpack("H*", $rmac); + } + + $tsig->sign_func($signer) if defined($signer); + $packet->sign_tsig($tsig); + $signer = \&sign_tcp_continuation; + + my $copy = + Net::DNS::Packet->new(\($packet->data)); + $prev_tsig = $copy->pop("additional"); + } + #$packet->print; + push(@results,$packet->data); + $packet = new Net::DNS::Packet(\$buf, 0); + $packet->header->qr(1); + $packet->header->aa(1); + } + } + print " A total of $count_these patterns matched\n"; + return \@results; +} + +# Main +my $rin; +my $rout; +for (;;) { + $rin = ''; + vec($rin, fileno($tcpsock), 1) = 1; + vec($rin, fileno($udpsock), 1) = 1; + + select($rout = $rin, undef, undef, undef); + + if (vec($rout, fileno($udpsock), 1)) { + printf "UDP request\n"; + my $buf; + $udpsock->recv($buf, 512); + } elsif (vec($rout, fileno($tcpsock), 1)) { + my $conn = $tcpsock->accept; + my $buf; + for (;;) { + my $lenbuf; + my $n = $conn->sysread($lenbuf, 2); + last unless $n == 2; + my $len = unpack("n", $lenbuf); + $n = $conn->sysread($buf, $len); + } + sleep(1); + } +} diff --git a/bin/tests/system/upforwd/clean.sh b/bin/tests/system/upforwd/clean.sh new file mode 100644 index 0000000..2641c43 --- /dev/null +++ b/bin/tests/system/upforwd/clean.sh @@ -0,0 +1,35 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Clean up after zone transfer tests. +# + +rm -f dig.out.ns1* dig.out.ns2 dig.out.ns1 dig.out.ns3 dig.out.ns1.after +rm -f ns1/*.jnl ns2/*.jnl ns3/*.jnl ns1/example.db ns2/*.bk ns3/*.bk +rm -f ns3/noprimary1.db +rm -f ns3/dnstap.out* +rm -f ns3/dnstap.conf +rm -f dnstap.out* +rm -f dnstapread.out* +rm -f */named.memstats +rm -f */named.run +rm -f */named.conf +rm -f */ans.run +rm -f Ksig0.example2.* +rm -f keyname keyname.err +rm -f ns*/named.lock +rm -f ns1/example2.db +rm -f ns*/managed-keys.bind* +rm -f nsupdate.out.* +rm -f ns*/named.run.prev diff --git a/bin/tests/system/upforwd/knowngood.after1 b/bin/tests/system/upforwd/knowngood.after1 new file mode 100644 index 0000000..7fc424c --- /dev/null +++ b/bin/tests/system/upforwd/knowngood.after1 @@ -0,0 +1,10 @@ +example. 3600 IN SOA n1.example. hostmaster.ns1.example. 2 3600 1200 604800 7200 +example. 3600 IN NS ns2.example. +example. 3600 IN NS ns3.example. +ns1.example. 3600 IN A 10.53.0.1 +ns2.example. 3600 IN A 10.53.0.2 +ns3.example. 3600 IN A 10.53.0.3 +updated.example. 600 IN TXT "Foo" +updated.example. 600 IN A 10.10.10.1 +example. 3600 IN SOA n1.example. hostmaster.ns1.example. 2 3600 1200 604800 7200 + diff --git a/bin/tests/system/upforwd/knowngood.after2 b/bin/tests/system/upforwd/knowngood.after2 new file mode 100644 index 0000000..eab7a2c --- /dev/null +++ b/bin/tests/system/upforwd/knowngood.after2 @@ -0,0 +1,11 @@ +example. 3600 IN SOA n1.example. hostmaster.ns1.example. 3 3600 1200 604800 7200 +example. 3600 IN NS ns2.example. +example. 3600 IN NS ns3.example. +ns1.example. 3600 IN A 10.53.0.1 +ns2.example. 3600 IN A 10.53.0.2 +ns3.example. 3600 IN A 10.53.0.3 +unsigned.example. 600 IN TXT "Foo" +unsigned.example. 600 IN A 10.10.10.1 +updated.example. 600 IN TXT "Foo" +updated.example. 600 IN A 10.10.10.1 +example. 3600 IN SOA n1.example. hostmaster.ns1.example. 3 3600 1200 604800 7200 diff --git a/bin/tests/system/upforwd/knowngood.before b/bin/tests/system/upforwd/knowngood.before new file mode 100644 index 0000000..4bde819 --- /dev/null +++ b/bin/tests/system/upforwd/knowngood.before @@ -0,0 +1,8 @@ +example. 3600 IN SOA n1.example. hostmaster.ns1.example. 1 3600 1200 604800 7200 +example. 3600 IN NS ns2.example. +example. 3600 IN NS ns3.example. +ns1.example. 3600 IN A 10.53.0.1 +ns2.example. 3600 IN A 10.53.0.2 +ns3.example. 3600 IN A 10.53.0.3 +example. 3600 IN SOA n1.example. hostmaster.ns1.example. 1 3600 1200 604800 7200 + diff --git a/bin/tests/system/upforwd/knowngood.ns2.before b/bin/tests/system/upforwd/knowngood.ns2.before new file mode 100644 index 0000000..bb3c355 --- /dev/null +++ b/bin/tests/system/upforwd/knowngood.ns2.before @@ -0,0 +1,6 @@ +example. 3600 IN SOA n1.example. hostmaster.ns1.example. 1 3600 1200 604800 7200 +example. 3600 IN NS ns2.example. +ns1.example. 3600 IN A 10.53.0.1 +ns2.example. 3600 IN A 10.53.0.2 +example. 3600 IN SOA n1.example. hostmaster.ns1.example. 1 3600 1200 604800 7200 + diff --git a/bin/tests/system/upforwd/ns1/example1.db b/bin/tests/system/upforwd/ns1/example1.db new file mode 100644 index 0000000..04c47f2 --- /dev/null +++ b/bin/tests/system/upforwd/ns1/example1.db @@ -0,0 +1,18 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 3600 SOA n1.example. hostmaster.ns1.example. ( + 1 3600 1200 604800 7200 ) + NS ns2.example. + NS ns3.example. +ns1 A 10.53.0.1 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in new file mode 100644 index 0000000..822621e --- /dev/null +++ b/bin/tests/system/upforwd/ns1/named.conf.in @@ -0,0 +1,42 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +key "update.example." { + algorithm "hmac-md5"; + secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; +}; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation no; + notify yes; +}; + +zone "example" { + type primary; + file "example.db"; + allow-update { key update.example.; 10.53.0.3; }; +}; + +zone "example2" { + type primary; + file "example2.db"; + allow-update { key sig0.example2.; }; +}; diff --git a/bin/tests/system/upforwd/ns2/named.conf.in b/bin/tests/system/upforwd/ns2/named.conf.in new file mode 100644 index 0000000..df4121b --- /dev/null +++ b/bin/tests/system/upforwd/ns2/named.conf.in @@ -0,0 +1,37 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation no; + notify yes; +}; + +zone "example" { + type secondary; + file "example.bk"; + primaries { 10.53.0.1; }; +}; + +zone "example2" { + type secondary; + file "example2.bk"; + primaries { 10.53.0.1; }; +}; diff --git a/bin/tests/system/upforwd/ns3/named1.conf.in b/bin/tests/system/upforwd/ns3/named1.conf.in new file mode 100644 index 0000000..b142537 --- /dev/null +++ b/bin/tests/system/upforwd/ns3/named1.conf.in @@ -0,0 +1,64 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion no; + dnssec-validation no; + notify yes; + include "dnstap.conf"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "example" { + type secondary; + file "example.bk"; + allow-update-forwarding { 10.53.0.1; }; + primaries { 10.53.0.1; }; +}; + +zone "example2" { + type secondary; + file "example2.bk"; + allow-update-forwarding { 10.53.0.1; }; + primaries { 10.53.0.1; }; +}; + +zone "example3" { + type secondary; + file "example3.bk"; + allow-update-forwarding { 10.53.0.1; }; + primaries { 10.53.0.1; }; +}; + +zone "noprimary" { + type secondary; + file "noprimary1.db"; + allow-update-forwarding { any; }; + masterfile-format text; + primaries { 10.53.0.4; }; +}; diff --git a/bin/tests/system/upforwd/ns3/named2.conf.in b/bin/tests/system/upforwd/ns3/named2.conf.in new file mode 100644 index 0000000..1fe3e04 --- /dev/null +++ b/bin/tests/system/upforwd/ns3/named2.conf.in @@ -0,0 +1,44 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + tls-port @TLSPORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on tls ephemeral { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion no; + dnssec-validation no; + notify yes; + update-quota 1; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "example" { + type secondary; + file "example.bk"; + allow-update-forwarding { any; }; + primaries { 10.53.0.1; }; +}; diff --git a/bin/tests/system/upforwd/ns3/noprimary.db b/bin/tests/system/upforwd/ns3/noprimary.db new file mode 100644 index 0000000..c27e154 --- /dev/null +++ b/bin/tests/system/upforwd/ns3/noprimary.db @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 0 SOA . . 141235 3600 1200 86400 1200 +@ 0 NS ns4 +ns4 0 A 10.53.0.4 diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh new file mode 100644 index 0000000..f2719ba --- /dev/null +++ b/bin/tests/system/upforwd/setup.sh @@ -0,0 +1,47 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +cp -f ns1/example1.db ns1/example.db +cp -f ns3/noprimary.db ns3/noprimary1.db + +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns3/named1.conf.in ns3/named.conf + +if $FEATURETEST --enable-dnstap +then + cat <<'EOF' > ns3/dnstap.conf + dnstap-identity "ns3"; + dnstap-version "xxx"; + dnstap-output file "dnstap.out"; + dnstap { all; }; +EOF +else + echo "/* DNSTAP NOT ENABLED */" >ns3/dnstap.conf +fi + + +# +# SIG(0) required cryptographic support which may not be configured. +# +keyname=$($KEYGEN -q -n HOST -a ${DEFAULT_ALGORITHM} -b 1024 -T KEY sig0.example2 2>keyname.err) +if test -n "$keyname" +then + cat ns1/example1.db $keyname.key > ns1/example2.db + echo $keyname > keyname +else + cat ns1/example1.db > ns1/example2.db +fi +cat_i < keyname.err diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh new file mode 100644 index 0000000..9b49fbd --- /dev/null +++ b/bin/tests/system/upforwd/tests.sh @@ -0,0 +1,295 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# ns1 = stealth primary +# ns2 = secondary with update forwarding disabled; not currently used +# ns3 = secondary with update forwarding enabled + +set -e + +. ../conf.sh + +DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}" +RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf" + +status=0 +n=1 +capture_dnstap() { + retry_quiet 20 test -f ns3/dnstap.out && mv ns3/dnstap.out dnstap.out.$n + $RNDCCMD -s 10.53.0.3 dnstap -reopen +} + +uq_equals_ur() { + "$DNSTAPREAD" dnstap.out.$n | + awk '$3 == "UQ" { UQ+=1 } $3 == "UR" { UR += 1 } END { print UQ+0, UR+0 }' > dnstapread.out$n + read UQ UR < dnstapread.out$n + echo_i "UQ=$UQ UR=$UR" + test $UQ -eq $UR || return 1 +} + +echo_i "waiting for servers to be ready for testing ($n)" +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $DIG +tcp -p ${PORT} example. @10.53.0.1 soa > dig.out.ns1 || ret=1 + grep "status: NOERROR" dig.out.ns1 > /dev/null || ret=1 + $DIG +tcp -p ${PORT} example. @10.53.0.2 soa > dig.out.ns2 || ret=1 + grep "status: NOERROR" dig.out.ns2 > /dev/null || ret=1 + $DIG +tcp -p ${PORT} example. @10.53.0.3 soa > dig.out.ns3 || ret=1 + grep "status: NOERROR" dig.out.ns3 > /dev/null || ret=1 + test $ret = 0 && break + sleep 1 +done +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +n=$((n + 1)) + +echo_i "fetching primary copy of zone before update ($n)" +ret=0 +$DIG $DIGOPTS example.\ + @10.53.0.1 axfr > dig.out.ns1 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +n=$((n + 1)) + +echo_i "fetching secondary 1 copy of zone before update ($n)" +$DIG $DIGOPTS example.\ + @10.53.0.2 axfr > dig.out.ns2 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +n=$((n + 1)) + +echo_i "fetching secondary 2 copy of zone before update ($n)" +ret=0 +$DIG $DIGOPTS example.\ + @10.53.0.3 axfr > dig.out.ns3 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +n=$((n + 1)) + +echo_i "comparing pre-update copies to known good data ($n)" +ret=0 +digcomp knowngood.before dig.out.ns1 || ret=1 +digcomp knowngood.before dig.out.ns2 || ret=1 +digcomp knowngood.before dig.out.ns3 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi + +echo_i "updating zone (signed) ($n)" +ret=0 +$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - < dig.out.ns1 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +n=$((n + 1)) + +echo_i "fetching secondary 1 copy of zone after update ($n)" +ret=0 +$DIG $DIGOPTS example.\ + @10.53.0.2 axfr > dig.out.ns2 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi + +echo_i "fetching secondary 2 copy of zone after update ($n)" +ret=0 +$DIG $DIGOPTS example.\ + @10.53.0.3 axfr > dig.out.ns3 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +n=$((n + 1)) + +echo_i "comparing post-update copies to known good data ($n)" +ret=0 +digcomp knowngood.after1 dig.out.ns1 || ret=1 +digcomp knowngood.after1 dig.out.ns2 || ret=1 +digcomp knowngood.after1 dig.out.ns3 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi + +echo_i "checking 'forwarding update for zone' is logged ($n)" +ret=0 +grep "forwarding update for zone 'example/IN'" ns3/named.run > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +n=$((n + 1)) + +if $FEATURETEST --enable-dnstap +then + echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" + ret=0 + capture_dnstap + uq_equals_ur || ret=1 + if [ $ret != 0 ] ; then echo_i "failed"; fi + status=$((status + ret)) + n=$((n + 1)) +fi + +echo_i "updating zone (unsigned) ($n)" +ret=0 +$NSUPDATE -- - < dig.out.ns1 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi + +echo_i "fetching secondary 1 copy of zone after update ($n)" +ret=0 +$DIG $DIGOPTS example.\ + @10.53.0.2 axfr > dig.out.ns2 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +n=$((n + 1)) + +echo_i "fetching secondary 2 copy of zone after update ($n)" +ret=0 +$DIG $DIGOPTS example.\ + @10.53.0.3 axfr > dig.out.ns3 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi + +echo_i "comparing post-update copies to known good data ($n)" +ret=0 +digcomp knowngood.after2 dig.out.ns1 || ret=1 +digcomp knowngood.after2 dig.out.ns2 || ret=1 +digcomp knowngood.after2 dig.out.ns3 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi + +if $FEATURETEST --enable-dnstap +then + echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" + ret=0 + capture_dnstap + uq_equals_ur || ret=1 + if [ $ret != 0 ] ; then echo_i "failed"; fi + status=$((status + ret)) + n=$((n + 1)) +fi +n=$((n + 1)) + +if test -f keyname +then + echo_i "checking update forwarding to with sig0 ($n)" + ret=0 + keyname=$(cat keyname) + $NSUPDATE -k $keyname.private -- - < dig.out.ns1.test$n + grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 + if [ $ret != 0 ] ; then echo_i "failed"; fi + status=$((status + ret)) + n=$((n + 1)) + + if $FEATURETEST --enable-dnstap + then + echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" + ret=0 + capture_dnstap + uq_equals_ur || ret=1 + if [ $ret != 0 ] ; then echo_i "failed"; fi + status=$((status + ret)) + n=$((n + 1)) + fi +fi + +echo_i "attempting an update that should be rejected by ACL ($n)" +ret=0 +{ + $NSUPDATE -- - << EOF + local 10.53.0.2 + server 10.53.0.3 ${PORT} + update add another.unsigned.example. 600 A 10.10.10.2 + update add another.unsigned.example. 600 TXT Bar + send +EOF +} > nsupdate.out.$n 2>&1 && ret=1 +grep REFUSED nsupdate.out.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +n=$((n + 1)) + +echo_i "checking update forwarding to dead primary ($n)" +count=0 +ret=0 +while [ $count -lt 5 -a $ret -eq 0 ] +do +( +$NSUPDATE -- - < /dev/null 2>&1 & + $DIG -p ${PORT} +noadd +notcp +noauth noprimary. @10.53.0.3 soa > dig.out.ns3 || ret=1 + grep "status: NOERROR" dig.out.ns3 > /dev/null || ret=1 + count=$((count + 1)) +done +if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +n=$((n + 1)) + +if $FEATURETEST --enable-dnstap +then + echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" + ret=0 + capture_dnstap + uq_equals_ur && ret=1 + if [ $ret != 0 ] ; then echo_i "failed"; fi + status=$((status + ret)) + n=$((n + 1)) +fi + +n=$((n + 1)) +ret=0 +echo_i "attempting updates that should exceed quota ($n)" +# lower the update quota to 1. +copy_setports ns3/named2.conf.in ns3/named.conf +rndc_reconfig ns3 10.53.0.3 +nextpart ns3/named.run > /dev/null +for loop in 1 2 3 4 5 6 7 8 9 10; do +{ + $NSUPDATE -- - > /dev/null 2>&1 <