diff options
Diffstat (limited to 'modules/view/tsig.test.integr')
| -rw-r--r-- | modules/view/tsig.test.integr/deckard.yaml | 12 | ||||
| -rw-r--r-- | modules/view/tsig.test.integr/kresd_config.j2 | 64 | ||||
| -rw-r--r-- | modules/view/tsig.test.integr/module_view_tsig.rpl | 114 |
3 files changed, 190 insertions, 0 deletions
diff --git a/modules/view/tsig.test.integr/deckard.yaml b/modules/view/tsig.test.integr/deckard.yaml new file mode 100644 index 0000000..06792be --- /dev/null +++ b/modules/view/tsig.test.integr/deckard.yaml @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: GPL-3.0-or-later +programs: +- name: kresd + binary: kresd + additional: + - --noninteractive + templates: + - modules/view/tsig.test.integr/kresd_config.j2 + - tests/integration/hints_zone.j2 + configs: + - config + - hints diff --git a/modules/view/tsig.test.integr/kresd_config.j2 b/modules/view/tsig.test.integr/kresd_config.j2 new file mode 100644 index 0000000..f04dce2 --- /dev/null +++ b/modules/view/tsig.test.integr/kresd_config.j2 @@ -0,0 +1,64 @@ +-- SPDX-License-Identifier: GPL-3.0-or-later +{% raw %} +modules.load('view') +print(table_print(modules.list())) + +view:tsig('\8testkey1\0', policy.suffix(policy.DENY_MSG("TSIG key testkey1 matched com"),{"\3com\0"})) +view:tsig('\8testkey1\0', policy.suffix(policy.DENY_MSG("TSIG key testkey1 matched net"),{"\3net\0"})) +view:tsig('\7testkey\0', policy.suffix(policy.DENY_MSG("TSIG key testkey matched example"),{"\7example\0"})) +policy.add(policy.all(policy.FORWARD('1.2.3.4'))) + +-- Disable RFC5011 TA update +if ta_update then + modules.unload('ta_update') +end + +-- Disable RFC8145 signaling, scenario doesn't provide expected answers +if ta_signal_query then + modules.unload('ta_signal_query') +end + +-- Disable RFC8109 priming, scenario doesn't provide expected answers +if priming then + modules.unload('priming') +end + +-- Disable this module because it make one priming query +if detect_time_skew then + modules.unload('detect_time_skew') +end + +-- make sure DNSSEC is turned off for tests +trust_anchors.remove('.') + +_hint_root_file('hints') +cache.size = 2*MB +log_level('debug') +{% endraw %} + +net = { '{{SELF_ADDR}}' } + + +{% if QMIN == "false" %} +option('NO_MINIMIZE', true) +{% else %} +option('NO_MINIMIZE', false) +{% endif %} + + +-- Self-checks on globals +assert(help() ~= nil) +assert(worker.id ~= nil) +-- Self-checks on facilities +assert(cache.count() == 0) +assert(cache.stats() ~= nil) +assert(cache.backends() ~= nil) +assert(worker.stats() ~= nil) +assert(net.interfaces() ~= nil) +-- Self-checks on loaded stuff +assert(net.list()[1].transport.ip == '{{SELF_ADDR}}') +assert(#modules.list() > 0) +-- Self-check timers +ev = event.recurrent(1 * sec, function (ev) return 1 end) +event.cancel(ev) +ev = event.after(0, function (ev) return 1 end) diff --git a/modules/view/tsig.test.integr/module_view_tsig.rpl b/modules/view/tsig.test.integr/module_view_tsig.rpl new file mode 100644 index 0000000..fd6d291 --- /dev/null +++ b/modules/view/tsig.test.integr/module_view_tsig.rpl @@ -0,0 +1,114 @@ +; SPDX-License-Identifier: GPL-3.0-or-later +; config options + stub-addr: 1.2.3.4 +CONFIG_END + +SCENARIO_BEGIN view:tsig test + +RANGE_BEGIN 0 110 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR RD RA NOERROR +SECTION QUESTION +example.cz. IN A +SECTION ANSWER +example.cz. IN A 5.6.7.8 +ENTRY_END + +RANGE_END + +RANGE_BEGIN 0 110 + ADDRESS 192.0.2.1 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR RD RA NOERROR +SECTION QUESTION +example.net. IN A +SECTION ANSWER +example.net. IN A 6.6.6.6 +ENTRY_END +RANGE_END + +; policy fallback (no view matched, policy is behind view module) +STEP 10 QUERY +ENTRY_BEGIN +REPLY RD +TSIG testkey +Cdjlkef9ZTSeixERZ433Q== +SECTION QUESTION +example.cz. IN A +ENTRY_END + +STEP 20 CHECK_ANSWER +ENTRY_BEGIN +MATCH flags rcode question answer +REPLY QR RD RA NOERROR +SECTION QUESTION +example.cz. IN A +SECTION ANSWER +example.cz. IN A 5.6.7.8 +ENTRY_END + +; blocked by view:tsig testkey1 + inner policy.suffix com +; NXDOMAIN expected +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +TSIG testkey1 +Cdjlkef9ZTSeixERZ433Q== +SECTION QUESTION +example.com. IN A +ENTRY_END + +STEP 31 CHECK_ANSWER +ENTRY_BEGIN +MATCH opcode question rcode additional +REPLY QR RD RA AA NXDOMAIN +SECTION QUESTION +example.com. IN A +SECTION ADDITIONAL +explanation.invalid. 10800 IN TXT "TSIG key testkey1 matched com" +ENTRY_END + +; blocked by view:tsig testkey1 + inner policy.suffix net +; second view rule gets executed if policy in preceding view rule did not match +STEP 32 QUERY +ENTRY_BEGIN +REPLY RD +TSIG testkey1 +Cdjlkef9ZTSeixERZ433Q== +SECTION QUESTION +example.net. IN A +ENTRY_END + +STEP 33 CHECK_ANSWER +ENTRY_BEGIN +MATCH opcode question rcode additional +REPLY QR RD RA AA NXDOMAIN +SECTION QUESTION +example.net. IN A +SECTION ADDITIONAL +explanation.invalid. 10800 IN TXT "TSIG key testkey1 matched net" +ENTRY_END + +; blocked by view:tsig testkey + inner policy.suffix example (different key) +; third view rule gets executed if policy in preceding view rule did not match +STEP 34 QUERY +ENTRY_BEGIN +REPLY RD +TSIG testkey +Cdjlkef9ZTSeixERZ433Q== +SECTION QUESTION +example. IN A +ENTRY_END + +STEP 35 CHECK_ANSWER +ENTRY_BEGIN +MATCH opcode question rcode additional +REPLY QR RD RA AA NXDOMAIN +SECTION QUESTION +example. IN A +SECTION ADDITIONAL +explanation.invalid. 10800 IN TXT "TSIG key testkey matched example" +ENTRY_END + +SCENARIO_END |