bin/tests/system/rpz/setup.sh


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179

#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0.  If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# touch dnsrps-off to not test with DNSRPS

set -e

. ../conf.sh

QPERF=$($SHELL qperf.sh)

USAGE="$0: [-DNx]"
DEBUG=
while getopts "DNx" c; do
    case $c in
	x) set -x; DEBUG=-x ;;
        D) TEST_DNSRPS="-D" ;;
	N) PARTIAL=-P ;;
	*) echo "$USAGE" 1>&2; exit 1 ;;
    esac
done
shift $((OPTIND - 1))
if test "$#" -ne 0; then
    echo "$USAGE" 1>&2
    exit 1
fi

if [ ${NOCLEAN:-unset} = unset ]; then
    $SHELL clean.sh $PARTIAL $DEBUG
fi

for dir in ns*; do
    touch $dir/named.run
    nextpart $dir/named.run > /dev/null
done

copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named.conf.in ns7/named.conf
copy_setports ns8/named.conf.in ns8/named.conf
copy_setports ns9/named.conf.in ns9/named.conf
copy_setports ns10/named.conf.in ns10/named.conf

copy_setports dnsrpzd.conf.in dnsrpzd.conf

# decide whether to test DNSRPS
# Note that dnsrps.conf and dnsrps-secondary.conf are included in named.conf
# and differ from dnsrpz.conf which is used by dnsrpzd.
$SHELL ../ckdnsrps.sh -A $TEST_DNSRPS $DEBUG
test -z "$(grep 'dnsrps-enable yes' dnsrps.conf)" && TEST_DNSRPS=

# set up test policy zones.
#   bl is the main test zone
#   bl-2 is used to check competing zones.
#   bl-{given,disabled,passthru,no-data,nxdomain,cname,wildcard,garden,
#	    drop,tcp-only} are used to check policy overrides in named.conf.
#   NO-OP is an obsolete synonym for PASSHTRU
for NM in '' -2 -given -disabled -passthru -no-op -nodata -nxdomain -cname -wildcname -garden -drop -tcp-only; do
    sed -e "/SOA/s/blx/bl$NM/g" ns3/base.db >ns3/bl$NM.db
done
#  bl zones are dynamically updated.  Add one zone that is updated manually.
cp ns3/manual-update-rpz.db.in ns3/manual-update-rpz.db
cp ns8/manual-update-rpz.db.in ns8/manual-update-rpz.db

cp ns3/mixed-case-rpz-1.db.in ns3/mixed-case-rpz.db

# a zone that expires quickly and then can't be refreshed
cp ns5/fast-expire.db.in ns5/fast-expire.db
cp ns5/expire.conf.in ns5/expire.conf

# $1=directory
# $2=domain name
# $3=input zone file
# $4=output file
signzone () {
    KEYNAME=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -K $1 $2)
    cat $1/$3 $1/$KEYNAME.key > $1/tmp
    $SIGNER -P -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null
    sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trust-anchors {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
    DSFILENAME=dsset-${2}.
    rm $DSFILENAME $1/tmp
}
signzone ns2 tld2s base-tld2s.db tld2s.db

# Performance and a few other checks.
cat <<EOF >ns5/rpz-switch
response-policy {
	zone "bl0"; zone "bl1"; zone "bl2"; zone "bl3"; zone "bl4";
	zone "bl5"; zone "bl6"; zone "bl7"; zone "bl8"; zone "bl9";
	zone "bl10"; zone "bl11"; zone "bl12"; zone "bl13"; zone "bl14";
	zone "bl15"; zone "bl16"; zone "bl17"; zone "bl18"; zone "bl19";
    } recursive-only no
    qname-wait-recurse no
    nsip-enable yes
    nsdname-enable yes
    max-policy-ttl 90
    break-dnssec yes
    ;
EOF

cat <<EOF >ns5/example.db
\$TTL	300
@	SOA	.  hostmaster.ns.example.tld5. ( 1 3600 1200 604800 60 )
	NS	ns
	NS	ns1
ns	A	10.53.0.5
ns1	A	10.53.0.5
EOF

cat <<EOF >ns5/bl.db
\$TTL	300
@		SOA	.  hostmaster.ns.blperf. ( 1 3600 1200 604800 60 )
		NS	ns.tld5.

; for "qname-wait-recurse no" in #35 test1
x.servfail	A	35.35.35.35
; for "recursive-only no" in #8 test5
a3-5.tld2	CNAME	.
; for "break-dnssec" in #9 & #10 test5
a3-5.tld2s	CNAME	.
; for "max-policy-ttl 90" in #17 test5
a3-17.tld2	500 A	17.17.17.17

; dummy NSDNAME policy to trigger lookups
ns1.x.rpz-nsdname	CNAME	.
EOF

if test -n "$QPERF"; then
    # Do not build the full zones if we will not use them.
    $PERL -e 'for ($val = 1; $val <= 65535; ++$val) {
	printf("host-%05d\tA    192.168.%d.%d\n", $val, $val/256, $val%256);
	}' >>ns5/example.db

    echo >>ns5/bl.db
    echo "; rewrite some names" >>ns5/bl.db
    $PERL -e 'for ($val = 2; $val <= 65535; $val += 69) {
	printf("host-%05d.example.tld5\tCNAME\t.\n", $val);
	}' >>ns5/bl.db

    echo >>ns5/bl.db
    echo "; rewrite with some not entirely trivial patricia trees" >>ns5/bl.db
    $PERL -e 'for ($val = 3; $val <= 65535; $val += 69) {
	printf("32.%d.%d.168.192.rpz-ip  \tCNAME\t.\n",
		$val%256, $val/256);
	}' >>ns5/bl.db
fi

# some psuedo-random queryperf requests
$PERL -e 'for ($cnt = $val = 1; $cnt <= 3000; ++$cnt) {
	printf("host-%05d.example.tld5 A\n", $val);
	$val = ($val * 9 + 32771) % 65536;
	}' >ns5/requests

cp ns2/bl.tld2.db.in ns2/bl.tld2.db
cp ns5/empty.db.in ns5/empty.db
cp ns5/empty.db.in ns5/policy2.db
cp ns6/bl.tld2s.db.in ns6/bl.tld2s.db

# Run dnsrpzd to get the license and prime the static policy zones
if test -n "$TEST_DNSRPS"; then
   DNSRPZD="$(../rpz/dnsrps -p)"
   cd ns3
   "$DNSRPZ" -D../dnsrpzd.rpzf -S../dnsrpzd.sock -C../dnsrpzd.conf \
             -w 0 -dddd -L stdout >./dnsrpzd.run 2>&1
fi