Commit a111c8d7 authored by Matthijs Mekking's avatar Matthijs Mekking 🏡

Merge branch '813-matthijs-failure-loading-rpz' into 'master'

Resolve "Problems after failure of loading rpz [ISC-support #14002]"

Closes #813

See merge request !1507
parents f9b50a40 e5565808
Pipeline #10529 passed with stages
in 13 minutes and 9 seconds
5168. [bug] Do not crash on shutdown when RPZ fails to load. Also,
keep previous version of the database if RPZ fails to
load. [GL #813]
5167. [bug] nxdomain-redirect could sometimes lookup the wrong 5167. [bug] nxdomain-redirect could sometimes lookup the wrong
redirect name. [GL #892] redirect name. [GL #892]
   
......
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
The test setup for the RPZ tests prepares a query perf tool and sets up
policy zones.
Name servers
------------
ns1 is the root server.
ns2 and ns4 are authoritative servers for the various test domains.
ns3 is the main rewriting resolver.
ns5 and ns7 are additional rewriting resolvers.
ns6 is a forwarding server.
Updating the response policy zones
----------------------------------
test1, test2, test3, test4, test5, and test6 are dynamic update files. These
updates are made against ns3. The script function "start_group" is called to
start an new batch of tests that may depend on certain server updates. The
function takes an optional file name and if provided the server updates are
performed before executing the test batch.
...@@ -30,6 +30,7 @@ fi ...@@ -30,6 +30,7 @@ fi
rm -f ns*/*.key ns*/*.private rm -f ns*/*.key ns*/*.private
rm -f ns2/tld2s.db ns2/bl.tld2.db rm -f ns2/tld2s.db ns2/bl.tld2.db
rm -f ns3/bl*.db ns*/empty.db rm -f ns3/bl*.db ns*/empty.db
rm -f ns3/manual-update-rpz.db
rm -f ns5/example.db ns5/bl.db rm -f ns5/example.db ns5/bl.db
rm -f */policy2.db rm -f */policy2.db
rm -f */*.jnl rm -f */*.jnl
......
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
; RPZ test
; This basic file is copied to several zone files before being used.
; Its contents are also changed with nsupdate
; broken zone
foobar
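Review bot: The header comment in this deliberately broken zone file appears to be copied from base.db and does not describe it: `; This basic file is copied to several zone files before being used.` and `; Its contents are also changed with nsupdate` do not fit a file whose only content is `foobar`. The same two lines are repeated in the two new zone files that follow (the `bl-reload.` one and the `manual-update-rpz.` one), although the setup script describes the latter as a zone "that is updated manually". Replacing them here with something like `; Intentionally unparsable, used to make loading the policy zone fail` would tell the next reader why the file exists; the exact wording depends on the test steps, which are not visible in this part of the page.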
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
; RPZ test
; This basic file is copied to several zone files before being used.
; Its contents are also changed with nsupdate
$TTL 300
@ SOA bl-reload. hostmaster.ns.bl-reload. ( 2 3600 1200 604800 60 )
NS ns.tld3.
walled.tld2.bl-reload. 300 A 10.0.0.2
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
; RPZ test
; This basic file is copied to several zone files before being used.
; Its contents are also changed with nsupdate
$TTL 300
@ SOA manual-update-rpz. hostmaster.ns.manual-rpz-update. ( 1 3600 1200 604800 60 )
NS ns.tld3.
walled.tld2.manual-update-rpz. 300 A 10.0.0.1
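Review bot: The SOA RNAME in this file is `hostmaster.ns.manual-rpz-update.`, while the zone name and the A record owner use `manual-update-rpz.`, so the two words are transposed. It has no effect on the policy behaviour under test, but the preceding new zone file keeps the pair consistent (`bl-reload.` with `hostmaster.ns.bl-reload.`). `hostmaster.ns.manual-update-rpz.` would match.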
...@@ -44,6 +44,7 @@ options { ...@@ -44,6 +44,7 @@ options {
zone "bl-drop" policy drop; zone "bl-drop" policy drop;
zone "bl-tcp-only" policy tcp-only; zone "bl-tcp-only" policy tcp-only;
zone "bl.tld2"; zone "bl.tld2";
zone "manual-update-rpz";
} }
min-ns-dots 0 min-ns-dots 0
qname-wait-recurse yes qname-wait-recurse yes
...@@ -102,3 +103,9 @@ zone "bl.tld2." {type slave; file "bl.tld2.db"; masters {10.53.0.2;}; ...@@ -102,3 +103,9 @@ zone "bl.tld2." {type slave; file "bl.tld2.db"; masters {10.53.0.2;};
zone "crash1.tld2" {type master; file "crash1"; notify no;}; zone "crash1.tld2" {type master; file "crash1"; notify no;};
zone "crash2.tld3." {type master; file "crash2"; notify no;}; zone "crash2.tld3." {type master; file "crash2"; notify no;};
zone "manual-update-rpz." {
type master;
file "manual-update-rpz.db";
notify no;
};
...@@ -68,8 +68,13 @@ test -z "`grep 'dnsrps-enable yes' dnsrps.conf`" && TEST_DNSRPS= ...@@ -68,8 +68,13 @@ test -z "`grep 'dnsrps-enable yes' dnsrps.conf`" && TEST_DNSRPS=
for NM in '' -2 -given -disabled -passthru -no-op -nodata -nxdomain -cname -wildcname -garden -drop -tcp-only; do for NM in '' -2 -given -disabled -passthru -no-op -nodata -nxdomain -cname -wildcname -garden -drop -tcp-only; do
sed -e "/SOA/s/blx/bl$NM/g" ns3/base.db >ns3/bl$NM.db sed -e "/SOA/s/blx/bl$NM/g" ns3/base.db >ns3/bl$NM.db
done done
# bl zones are dynamically updated. Add one zone that is updated manually.
cp ns3/manual-update-rpz.db.in ns3/manual-update-rpz.db
# $1=directory, $2=domain name, $3=input zone file, $4=output file # $1=directory
# $2=domain name
# $3=input zone file
# $4=output file
signzone () { signzone () {
KEYNAME=`$KEYGEN -q -a rsasha256 -K $1 $2` KEYNAME=`$KEYGEN -q -a rsasha256 -K $1 $2`
cat $1/$3 $1/$KEYNAME.key > $1/tmp cat $1/$3 $1/$KEYNAME.key > $1/tmp
...@@ -80,7 +85,6 @@ signzone () { ...@@ -80,7 +85,6 @@ signzone () {
} }
signzone ns2 tld2s. base-tld2s.db tld2s.db signzone ns2 tld2s. base-tld2s.db tld2s.db
# Performance and a few other checks. # Performance and a few other checks.
cat <<EOF >ns5/rpz-switch cat <<EOF >ns5/rpz-switch
response-policy { response-policy {
......
...@@ -106,7 +106,8 @@ setret () { ...@@ -106,7 +106,8 @@ setret () {
} }
# set $SN to the SOA serial number of a zone # set $SN to the SOA serial number of a zone
# $1=domain $2=DNS server and client IP address # $1=domain
# $2=DNS server and client IP address
get_sn() { get_sn() {
SOA=`$DIG -p ${PORT} +short +norecurse soa "$1" "@$2" "-b$2"` SOA=`$DIG -p ${PORT} +short +norecurse soa "$1" "@$2" "-b$2"`
SN=`expr "$SOA" : '[^ ]* [^ ]* \([^ ]*\) .*'` SN=`expr "$SOA" : '[^ ]* [^ ]* \([^ ]*\) .*'`
...@@ -125,7 +126,8 @@ get_sn_fast () { ...@@ -125,7 +126,8 @@ get_sn_fast () {
} }
# check that dnsrpzd has loaded its zones # check that dnsrpzd has loaded its zones
# $1=domain $2=DNS server IP address # $1=domain
# $2=DNS server IP address
FZONES=`sed -n -e 's/^zone "\(.*\)".*\(10.53.0..\).*/Z=\1;M=\2/p' dnsrpzd.conf` FZONES=`sed -n -e 's/^zone "\(.*\)".*\(10.53.0..\).*/Z=\1;M=\2/p' dnsrpzd.conf`
dnsrps_loaded() { dnsrps_loaded() {
test "$mode" = dnsrps || return test "$mode" = dnsrps || return
...@@ -150,8 +152,10 @@ dnsrps_loaded() { ...@@ -150,8 +152,10 @@ dnsrps_loaded() {
} }
# check the serial number in an SOA to ensure that a policy zone has # check the serial number in an SOA to ensure that a policy zone has
# been (re)loaded # been (re)loaded
# $1=serial number $2=domain $3=DNS server # $1=serial number
# $2=domain
# $3=DNS server
ck_soa() { ck_soa() {
n=0 n=0
while true; do while true; do
...@@ -186,6 +190,9 @@ load_db () { ...@@ -186,6 +190,9 @@ load_db () {
fi fi
} }
# restart name server
# $1 ns number
# $2 rebuild bl rpz zones if "rebuild-bl-rpz"
restart () { restart () {
# try to ensure that the server really has stopped # try to ensure that the server really has stopped
# and won't mess with ns$1/name.pid # and won't mess with ns$1/name.pid
...@@ -201,17 +208,20 @@ restart () { ...@@ -201,17 +208,20 @@ restart () {
fi fi
fi fi
rm -f ns$1/*.jnl rm -f ns$1/*.jnl
if test -f ns$1/base.db; then if [ "$2" == "rebuild-bl-rpz" ]; then
for NM in ns$1/bl*.db; do if test -f ns$1/base.db; then
cp -f ns$1/base.db $NM for NM in ns$1/bl*.db; do
done cp -f ns$1/base.db $NM
done
fi
fi fi
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} rpz ns$1 $PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} rpz ns$1
load_db load_db
dnsrps_loaded dnsrps_loaded
} }
# $1=server and irrelevant args $2=error message # $1=server and irrelevant args
# $2=error message
ckalive () { ckalive () {
CKALIVE_NS=`expr "$1" : '.*@ns\([1-9]\).*'` CKALIVE_NS=`expr "$1" : '.*@ns\([1-9]\).*'`
if test -z "$CKALIVE_NS"; then if test -z "$CKALIVE_NS"; then
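Review bot: The new guard in restart(), `if [ "$2" == "rebuild-bl-rpz" ]; then`, uses `==`, which POSIX `test`/`[` does not define; bash accepts it, but dash and other strict shells print an error and return non-zero. If tests.sh is run by such a /bin/sh, the branch is never taken, so the call added in ckalive, `restart $CKALIVE_NS "rebuild-bl-rpz"`, would restart the server without restoring the bl*.db files from base.db, and the only sign would be a shell error message in the test output. Writing it as `if [ "$2" = "rebuild-bl-rpz" ]; then` avoids that and matches the `test "$mode" = dnsrps` form already used in this script. restart()'s body begins above this hunk.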
...@@ -222,7 +232,7 @@ ckalive () { ...@@ -222,7 +232,7 @@ ckalive () {
HAVE_CORE=yes HAVE_CORE=yes
setret "$2" setret "$2"
# restart the server to avoid stalling waiting for it to stop # restart the server to avoid stalling waiting for it to stop
restart $CKALIVE_NS restart $CKALIVE_NS "rebuild-bl-rpz"
return 1 return 1
} }
...@@ -264,7 +274,8 @@ ckstatsrange () { ...@@ -264,7 +274,8 @@ ckstatsrange () {
eval "${NSDIR}_CNT=$NEW_CNT" eval "${NSDIR}_CNT=$NEW_CNT"
} }
# $1=message $2=optional test file name # $1=message
# $2=optional test file name
start_group () { start_group () {
ret=0 ret=0
t=`expr $t + 1` t=`expr $t + 1`
...@@ -299,7 +310,8 @@ clean_result () { ...@@ -299,7 +310,8 @@ clean_result () {
fi fi
} }
# $1=dig args $2=other dig output file # $1=dig args
# $2=other dig output file
ckresult () { ckresult () {
#ckalive "$1" "server crashed by 'dig $1'" || return 1 #ckalive "$1" "server crashed by 'dig $1'" || return 1
if grep "flags:.* aa .*ad;" $DIGNM; then if grep "flags:.* aa .*ad;" $DIGNM; then
...@@ -322,7 +334,8 @@ ckresult () { ...@@ -322,7 +334,8 @@ ckresult () {
} }
# check only that the server does not crash # check only that the server does not crash
# $1=target domain $2=optional query type # $1=target domain
# $2=optional query type
nocrash () { nocrash () {
digcmd $* >/dev/null digcmd $* >/dev/null
ckalive "$*" "server crashed by 'dig $*'" ckalive "$*" "server crashed by 'dig $*'"
...@@ -330,7 +343,8 @@ nocrash () { ...@@ -330,7 +343,8 @@ nocrash () {
# check rewrite to NXDOMAIN # check rewrite to NXDOMAIN
# $1=target domain $2=optional query type # $1=target domain
# $2=optional query type
nxdomain () { nxdomain () {
make_dignm make_dignm
digcmd $* \ digcmd $* \
...@@ -341,7 +355,8 @@ nxdomain () { ...@@ -341,7 +355,8 @@ nxdomain () {
} }
# check rewrite to NODATA # check rewrite to NODATA
# $1=target domain $2=optional query type # $1=target domain
# $2=optional query type
nodata () { nodata () {
make_dignm make_dignm
digcmd $* \ digcmd $* \
...@@ -351,7 +366,9 @@ nodata () { ...@@ -351,7 +366,9 @@ nodata () {
# check rewrite to an address # check rewrite to an address
# modify the output so that it is easily compared, but save the original line # modify the output so that it is easily compared, but save the original line
# $1=IPv4 address $2=digcmd args $3=optional TTL # $1=IPv4 address
# $2=digcmd args
# $3=optional TTL
addr () { addr () {
ADDR=$1 ADDR=$1
make_dignm make_dignm
...@@ -373,7 +390,8 @@ addr () { ...@@ -373,7 +390,8 @@ addr () {
# Check that a response is not rewritten # Check that a response is not rewritten
# Use $ns1 instead of the authority for most test domains, $ns2 to prevent # Use $ns1 instead of the authority for most test domains, $ns2 to prevent
# spurious differences for `dig +norecurse` # spurious differences for `dig +norecurse`
# $1=optional "TCP" remaining args for dig # $1=optional "TCP"
# remaining args for dig
nochange () { nochange () {
make_dignm make_dignm
digcmd $* >$DIGNM digcmd $* >$DIGNM
...@@ -455,102 +473,104 @@ for mode in native dnsrps; do ...@@ -455,102 +473,104 @@ for mode in native dnsrps; do
digcmd txt-only.tld2 @$ns2 >proto.nodata digcmd txt-only.tld2 @$ns2 >proto.nodata
start_group "QNAME rewrites" test1 start_group "QNAME rewrites" test1
nochange . # 1 do not crash or rewrite root nochange . # 1 do not crash or rewrite root
nxdomain a0-1.tld2 # 2 nxdomain a0-1.tld2 # 2
nodata a3-1.tld2 # 3 nodata a3-1.tld2 # 3
nodata a3-2.tld2 # 4 nodata at DNAME itself nodata a3-2.tld2 # 4 nodata at DNAME itself
nochange sub.a3-2.tld2 # 5 miss where DNAME might work nochange sub.a3-2.tld2 # 5 miss where DNAME might work
nxdomain a4-2.tld2 # 6 rewrite based on CNAME target nxdomain a4-2.tld2 # 6 rewrite based on CNAME target
nxdomain a4-2-cname.tld2 # 7 nxdomain a4-2-cname.tld2 # 7
nodata a4-3-cname.tld2 # 8 nodata a4-3-cname.tld2 # 8
addr 12.12.12.12 a4-1.sub1.tld2 # 9 A replacement addr 12.12.12.12 a4-1.sub1.tld2 # 9 A replacement
addr 12.12.12.12 a4-1.sub2.tld2 # 10 A replacement with wildcard addr 12.12.12.12 a4-1.sub2.tld2 # 10 A replacement with wildcard
addr 12.12.12.12 nxc1.sub1.tld2 # 11 replace NXDOMAIN with CNAME addr 12.12.12.12 nxc1.sub1.tld2 # 11 replace NXDOMAIN with CNAME
addr 12.12.12.12 nxc2.sub1.tld2 # 12 replace NXDOMAIN with CNAME chain addr 12.12.12.12 nxc2.sub1.tld2 # 12 replace NXDOMAIN with CNAME chain
addr 127.4.4.1 a4-4.tld2 # 13 prefer 1st conflicting QNAME zone addr 127.4.4.1 a4-4.tld2 # 13 prefer 1st conflicting QNAME zone
nochange a6-1.tld2 # 14 nochange a6-1.tld2 # 14
addr 127.6.2.1 a6-2.tld2 # 15 addr 127.6.2.1 a6-2.tld2 # 15
addr 56.56.56.56 a3-6.tld2 # 16 wildcard CNAME addr 56.56.56.56 a3-6.tld2 # 16 wildcard CNAME
addr 57.57.57.57 a3-7.sub1.tld2 # 17 wildcard CNAME addr 57.57.57.57 a3-7.sub1.tld2 # 17 wildcard CNAME
addr 127.0.0.16 a4-5-cname3.tld2 # 18 CNAME chain addr 127.0.0.16 a4-5-cname3.tld2 # 18 CNAME chain
addr 127.0.0.17 a4-6-cname3.tld2 # 19 stop short in CNAME chain addr 127.0.0.17 a4-6-cname3.tld2 # 19 stop short in CNAME chain
nochange a5-2.tld2 +norecurse # 20 check that RD=1 is required nochange a5-2.tld2 +norecurse # 20 check that RD=1 is required
nochange a5-3.tld2 +norecurse # 21 nochange a5-3.tld2 +norecurse # 21
nochange a5-4.tld2 +norecurse # 22 nochange a5-4.tld2 +norecurse # 22
nochange sub.a5-4.tld2 +norecurse # 23 nochange sub.a5-4.tld2 +norecurse # 23
nxdomain c1.crash2.tld3 # 24 assert in rbtdb.c nxdomain c1.crash2.tld3 # 24 assert in rbtdb.c
nxdomain a0-1.tld2 +dnssec # 25 simple DO=1 without signatures nxdomain a0-1.tld2 +dnssec # 25 simple DO=1 without signatures
nxdomain a0-1.tld2s +nodnssec # 26 simple DO=0 with signatures nxdomain a0-1.tld2s +nodnssec # 26 simple DO=0 with signatures
nochange a0-1.tld2s +dnssec # 27 simple DO=1 with signatures nochange a0-1.tld2s +dnssec # 27 simple DO=1 with signatures
nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain
nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain
nochange a0-1.tld2s srv +auth +dnssec # 30 no write for DNSSEC and no record nochange a0-1.tld2s srv +auth +dnssec # 30 no write for DNSSEC and no record
nxdomain a0-1.tld2s srv +nodnssec # 31 nxdomain a0-1.tld2s srv +nodnssec # 31
drop a3-8.tld2 any # 32 drop drop a3-8.tld2 any # 32 drop
nochange tcp a3-9.tld2 # 33 tcp-only nochange tcp a3-9.tld2 # 33 tcp-only
here x.servfail <<'EOF' # 34 qname-wait-recurse yes here x.servfail <<'EOF' # 34 qname-wait-recurse yes
;; status: SERVFAIL, x ;; status: SERVFAIL, x
EOF EOF
addr 35.35.35.35 "x.servfail @$ns5" # 35 qname-wait-recurse no addr 35.35.35.35 "x.servfail @$ns5" # 35 qname-wait-recurse no
end_group end_group
ckstats $ns3 test1 ns3 22 ckstats $ns3 test1 ns3 22
ckstats $ns5 test1 ns5 1 ckstats $ns5 test1 ns5 1
ckstats $ns6 test1 ns6 0 ckstats $ns6 test1 ns6 0
start_group "NXDOMAIN/NODATA action on QNAME trigger" test1 start_group "NXDOMAIN/NODATA action on QNAME trigger" test1
nxdomain a0-1.tld2 @$ns6 # 1 nxdomain a0-1.tld2 @$ns6 # 1
nodata a3-1.tld2 @$ns6 # 2 nodata a3-1.tld2 @$ns6 # 2
nodata a3-2.tld2 @$ns6 # 3 nodata at DNAME itself nodata a3-2.tld2 @$ns6 # 3 nodata at DNAME itself
nxdomain a4-2.tld2 @$ns6 # 4 rewrite based on CNAME target nxdomain a4-2.tld2 @$ns6 # 4 rewrite based on CNAME target
nxdomain a4-2-cname.tld2 @$ns6 # 5 nxdomain a4-2-cname.tld2 @$ns6 # 5
nodata a4-3-cname.tld2 @$ns6 # 6 nodata a4-3-cname.tld2 @$ns6 # 6
addr 12.12.12.12 "a4-1.sub1.tld2 @$ns6" # 7 A replacement addr 12.12.12.12 "a4-1.sub1.tld2 @$ns6" # 7 A replacement
addr 12.12.12.12 "a4-1.sub2.tld2 @$ns6" # 8 A replacement with wildcard addr 12.12.12.12 "a4-1.sub2.tld2 @$ns6" # 8 A replacement with wildcard
addr 127.4.4.1 "a4-4.tld2 @$ns6" # 9 prefer 1st conflicting QNAME zone addr 127.4.4.1 "a4-4.tld2 @$ns6" # 9 prefer 1st conflicting QNAME zone
addr 12.12.12.12 "nxc1.sub1.tld2 @$ns6" # 10 replace NXDOMAIN w/ CNAME addr 12.12.12.12 "nxc1.sub1.tld2 @$ns6" # 10 replace NXDOMAIN w/ CNAME
addr 12.12.12.12 "nxc2.sub1.tld2 @$ns6" # 11 replace NXDOMAIN w/ CNAME chain addr 12.12.12.12 "nxc2.sub1.tld2 @$ns6" # 11 replace NXDOMAIN w/ CNAME chain
addr 127.6.2.1 "a6-2.tld2 @$ns6" # 12 addr 127.6.2.1 "a6-2.tld2 @$ns6" # 12
addr 56.56.56.56 "a3-6.tld2 @$ns6" # 13 wildcard CNAME addr 56.56.56.56 "a3-6.tld2 @$ns6" # 13 wildcard CNAME
addr 57.57.57.57 "a3-7.sub1.tld2 @$ns6" # 14 wildcard CNAME addr 57.57.57.57 "a3-7.sub1.tld2 @$ns6" # 14 wildcard CNAME
addr 127.0.0.16 "a4-5-cname3.tld2 @$ns6" # 15 CNAME chain addr 127.0.0.16 "a4-5-cname3.tld2 @$ns6" # 15 CNAME chain
addr 127.0.0.17 "a4-6-cname3.tld2 @$ns6" # 16 stop short in CNAME chain addr 127.0.0.17 "a4-6-cname3.tld2 @$ns6" # 16 stop short in CNAME chain
nxdomain c1.crash2.tld3 @$ns6 # 17 assert in rbtdb.c nxdomain c1.crash2.tld3 @$ns6 # 17 assert in rbtdb.c
nxdomain a0-1.tld2 +dnssec @$ns6 # 18 simple DO=1 without sigs nxdomain a0-1.tld2 +dnssec @$ns6 # 18 simple DO=1 without sigs
nxdomain a0-1s-cname.tld2s +dnssec @$ns6 # 19 nxdomain a0-1s-cname.tld2s +dnssec @$ns6 # 19
drop a3-8.tld2 any @$ns6 # 20 drop drop a3-8.tld2 any @$ns6 # 20 drop
end_group end_group
ckstatsrange $ns3 test1 ns3 22 30 ckstatsrange $ns3 test1 ns3 22 30
ckstats $ns5 test1 ns5 0 ckstats $ns5 test1 ns5 0
ckstats $ns6 test1 ns6 0 ckstats $ns6 test1 ns6 0
start_group "IP rewrites" test2 start_group "IP rewrites" test2
nodata a3-1.tld2 # 1 NODATA nodata a3-1.tld2 # 1 NODATA
nochange a3-2.tld2 # 2 no policy record so no change nochange a3-2.tld2 # 2 no policy record so no change
nochange a4-1.tld2 # 3 obsolete PASSTHRU record style nochange a4-1.tld2 # 3 obsolete PASSTHRU record style
nxdomain a4-2.tld2 # 4 nxdomain a4-2.tld2 # 4
nochange a4-2.tld2 -taaaa # 5 no A => no policy rewrite nochange a4-2.tld2 -taaaa # 5 no A => no policy rewrite
nochange a4-2.tld2 -ttxt # 6 no A => no policy rewrite nochange a4-2.tld2 -ttxt # 6 no A => no policy rewrite
nxdomain a4-2.tld2 -tany # 7 no A => no policy rewrite nxdomain a4-2.tld2 -tany # 7 no A => no policy rewrite
nodata a4-3.tld2 # 8 nodata a4-3.tld2 # 8
nxdomain a3-1.tld2 -taaaa # 9 IPv6 policy nxdomain a3-1.tld2 -taaaa # 9 IPv6 policy
nochange a4-1-aaaa.tld2 -taaaa # 10 nochange a4-1-aaaa.tld2 -taaaa # 10
addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address
addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone
nochange a5-4.tld2 +norecurse # 13 check that RD=1 is required for #14 nochange a5-4.tld2 +norecurse # 13 check that RD=1 is required for #14
addr 14.14.14.14 a5-4.tld2 # 14 prefer QNAME to IP addr 14.14.14.14 a5-4.tld2 # 14 prefer QNAME to IP
nochange a4-4.tld2 # 15 PASSTHRU nochange a4-4.tld2 # 15 PASSTHRU
nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c
addr 127.0.0.17 "a4-4.tld2 -b $ns1" # 17 client-IP address trigger addr 127.0.0.17 "a4-4.tld2 -b $ns1" # 17 client-IP address trigger
nxdomain a7-1.tld2 # 18 slave policy zone (RT34450) nxdomain a7-1.tld2 # 18 slave policy zone (RT34450)
# updating an response zone policy
cp ns2/blv2.tld2.db.in ns2/bl.tld2.db cp ns2/blv2.tld2.db.in ns2/bl.tld2.db
rndc_reload ns2 $ns2 bl.tld2 rndc_reload ns2 $ns2 bl.tld2
ck_soa 2 bl.tld2 $ns3 ck_soa 2 bl.tld2 $ns3
nochange a7-1.tld2 # 19 PASSTHRU nochange a7-1.tld2 # 19 PASSTHRU
sleep 1 # ensure that a clock tick has occured so that named will do the reload # ensure that a clock tick has occured so that named will do the reload
sleep 1
cp ns2/blv3.tld2.db.in ns2/bl.tld2.db cp ns2/blv3.tld2.db.in ns2/bl.tld2.db
rndc_reload ns2 $ns2 bl.tld2 rndc_reload ns2 $ns2 bl.tld2
ck_soa 3 bl.tld2 $ns3 ck_soa 3 bl.tld2 $ns3
nxdomain a7-1.tld2 # 20 slave policy zone (RT34450) nxdomain a7-1.tld2 # 20 slave policy zone (RT34450)
end_group end_group
ckstats $ns3 test2 ns3 12 ckstats $ns3 test2 ns3 12
...@@ -572,20 +592,20 @@ EOF ...@@ -572,20 +592,20 @@ EOF
# these tests assume "min-ns-dots 0" # these tests assume "min-ns-dots 0"
start_group "NSDNAME rewrites" test3 start_group "NSDNAME rewrites" test3
nochange a3-1.tld2 # 1 nochange a3-1.tld2 # 1
nochange a3-1.tld2 +dnssec # 2 this once caused problems nochange a3-1.tld2 +dnssec # 2 this once caused problems
nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME
nxdomain a3-1.subsub.sub1.tld2 nxdomain a3-1.subsub.sub1.tld2 # 4
nxdomain a3-1.subsub.sub1.tld2 -tany nxdomain a3-1.subsub.sub1.tld2 -tany # 5
addr 12.12.12.12 a4-2.subsub.sub2.tld2 # 6 walled garden for *.sub2.tld2 addr 12.12.12.12 a4-2.subsub.sub2.tld2 # 6 walled garden for *.sub2.tld2
nochange a3-2.tld2. # 7 exempt rewrite by name nochange a3-2.tld2. # 7 exempt rewrite by name
nochange a0-1.tld2. # 8 exempt rewrite by address block nochange a0-1.tld2. # 8 exempt rewrite by address block
addr 12.12.12.12 a4-1.tld2 # 9 prefer QNAME policy to NSDNAME addr 12.12.12.12 a4-1.tld2 # 9 prefer QNAME policy to NSDNAME
addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME
addr 127.0.0.2 a3-1.subsub.sub3.tld2 addr 127.0.0.2 a3-1.subsub.sub3.tld2 # 11
nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash
if [ "$mode" = dnsrps ]; then if [ "$mode" = dnsrps ]; then
addr 12.12.12.12 as-ns.tld5. # 13 qname-as-ns addr 12.12.12.12 as-ns.tld5. # 13 qname-as-ns
fi fi
end_group end_group
if [ "$mode" = dnsrps ]; then if [ "$mode" = dnsrps ]; then
...@@ -596,19 +616,19 @@ EOF ...@@ -596,19 +616,19 @@ EOF
# these tests assume "min-ns-dots 0" # these tests assume "min-ns-dots 0"
start_group "NSIP rewrites" test4 start_group "NSIP rewrites" test4
nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2 nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2
nochange a3-2.tld2. # 2 exempt rewrite by name nochange a3-2.tld2. # 2 exempt rewrite by name
nochange a0-1.tld2. # 3 exempt rewrite by address block nochange a0-1.tld2. # 3 exempt rewrite by address block
nochange a3-1.tld4 # 4 different NS IP address nochange a3-1.tld4 # 4 different NS IP address
if [ "$mode" = dnsrps ]; then if [ "$mode" = dnsrps ]; then
addr 12.12.12.12 as-ns.tld5. # 5 ip-as-ns addr 12.12.12.12 as-ns.tld5. # 5 ip-as-ns
fi fi
end_group end_group
start_group "walled garden NSIP rewrites" test4a