1# Copyright (C) 2011-2015 Internet Systems Consortium, Inc. ("ISC") 2# 3# Permission to use, copy, modify, and/or distribute this software for any 4# purpose with or without fee is hereby granted, provided that the above 5# copyright notice and this permission notice appear in all copies. 6# 7# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 8# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 9# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 10# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 11# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 12# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 13# PERFORMANCE OF THIS SOFTWARE. 14 15# Id 16 17 18# test response policy zones (RPZ) 19 20SYSTEMTESTTOP=.. 21. $SYSTEMTESTTOP/conf.sh 22 23ns=10.53.0 24ns1=$ns.1 # root, defining the others 25ns2=$ns.2 # authoritative server whose records are rewritten 26ns3=$ns.3 # main rewriting resolver 27ns4=$ns.4 # another authoritative server that is rewritten 28ns5=$ns.5 # another rewriting resolver 29ns6=$ns.6 # a forwarding server 30ns7=$ns.7 # another rewriting resolver 31 32HAVE_CORE= 33SAVE_RESULTS= 34 35 36USAGE="$0: [-x]" 37while getopts "x" c; do 38 case $c in 39 x) set -x;; 40 *) echo "$USAGE" 1>&2; exit 1;; 41 esac 42done 43shift `expr $OPTIND - 1 || true` 44if test "$#" -ne 0; then 45 echo "$USAGE" 1>&2 46 exit 1 47fi 48# really quit on control-C 49trap 'exit 1' 1 2 15 50 51TS='%H:%M:%S ' 52TS= 53comment () { 54 if test -n "$TS"; then 55 date "+I:${TS}$*" 56 fi 57} 58 59RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s" 60 61digcmd () { 62 if test "$1" = TCP; then 63 shift 64 fi 65 # Default to +noauth and @$ns3 66 # Also default to -bX where X is the @value so that OS X will choose 67 # the right IP source address. 68 digcmd_args=`echo "+noadd +time=2 +tries=1 -p 5300 $*" | \ 69 sed -e "/@/!s/.*/& @$ns3/" \ 70 -e '/-b/!s/@\([^ ]*\)/@\1 -b\1/' \ 71 -e '/+n?o?auth/!s/.*/+noauth &/'` 72 #echo I:dig $digcmd_args 1>&2 73 $DIG $digcmd_args 74} 75 76# set DIGNM=file name for dig output 77GROUP_NM= 78TEST_NUM=0 79make_dignm () { 80 TEST_NUM=`expr $TEST_NUM + 1` 81 DIGNM=dig.out$GROUP_NM-$TEST_NUM 82 while test -f $DIGNM; do 83 TEST_NUM="$TEST_NUM+" 84 DIGNM=dig.out$GROUP_NM-$TEST_NUM 85 done 86} 87 88setret () { 89 ret=1 90 status=`expr $status + 1` 91 echo "$*" 92} 93 94# (re)load the reponse policy zones with the rules in the file $TEST_FILE 95load_db () { 96 if test -n "$TEST_FILE"; then 97 if $NSUPDATE -v $TEST_FILE; then : 98 $RNDCCMD $ns3 sync 99 else 100 echo "I:failed to update policy zone with $TEST_FILE" 101 $RNDCCMD $ns3 sync 102 exit 1 103 fi 104 fi 105} 106 107restart () { 108 # try to ensure that the server really has stopped 109 # and won't mess with ns$1/name.pid 110 if test -z "$HAVE_CORE" -a -f ns$1/named.pid; then 111 $RNDCCMD $ns$1 halt >/dev/null 2>&1 112 if test -f ns$1/named.pid; then 113 sleep 1 114 PID=`cat ns$1/named.pid 2>/dev/null` 115 if test -n "$PID"; then 116 echo "I:killing ns$1 server $PID" 117 kill -9 $PID 118 fi 119 fi 120 fi 121 rm -f ns$1/*.jnl 122 if test -f ns$1/base.db; then 123 for NM in ns$1/bl*.db; do 124 cp -f ns$1/base.db $NM 125 done 126 fi 127 $PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns$1 128 load_db 129} 130 131# $1=server and irrelevant args $2=error message 132ckalive () { 133 CKALIVE_NS=`expr "$1" : '.*@ns\([1-9]\).*'` 134 if test -z "$CKALIVE_NS"; then 135 CKALIVE_NS=3 136 fi 137 eval CKALIVE_IP=\$ns$CKALIVE_NS 138 $RNDCCMD $CKALIVE_IP status >/dev/null 2>&1 && return 0 139 HAVE_CORE=yes 140 setret "$2" 141 # restart the server to avoid stalling waiting for it to stop 142 restart $CKALIVE_NS 143 return 1 144} 145 146ckstats () { 147 HOST=$1 148 LABEL="$2" 149 NSDIR="$3" 150 EXPECTED="$4" 151 $RNDCCMD $HOST stats 152 NEW_CNT=0`sed -n -e 's/[ ]*\([0-9]*\).response policy.*/\1/p' \ 153 $NSDIR/named.stats | tail -1` 154 eval "OLD_CNT=0\$${NSDIR}_CNT" 155 GOT=`expr $NEW_CNT - $OLD_CNT` 156 if test "$GOT" -ne "$EXPECTED"; then 157 setret "I:wrong $LABEL $NSDIR statistics of $GOT instead of $EXPECTED" 158 fi 159 eval "${NSDIR}_CNT=$NEW_CNT" 160} 161 162ckstatsrange () { 163 HOST=$1 164 LABEL="$2" 165 NSDIR="$3" 166 MIN="$4" 167 MAX="$5" 168 $RNDCCMD $HOST stats 169 NEW_CNT=0`sed -n -e 's/[ ]*\([0-9]*\).response policy.*/\1/p' \ 170 $NSDIR/named.stats | tail -1` 171 eval "OLD_CNT=0\$${NSDIR}_CNT" 172 GOT=`expr $NEW_CNT - $OLD_CNT` 173 if test "$GOT" -lt "$MIN" -o "$GOT" -gt "$MAX"; then 174 setret "I:wrong $LABEL $NSDIR statistics of $GOT instead of ${MIN}..${MAX}" 175 fi 176 eval "${NSDIR}_CNT=$NEW_CNT" 177} 178 179# $1=message $2=optional test file name 180start_group () { 181 ret=0 182 test -n "$1" && date "+I:${TS}checking $1" 183 TEST_FILE=$2 184 if test -n "$TEST_FILE"; then 185 GROUP_NM="-$TEST_FILE" 186 load_db 187 else 188 GROUP_NM= 189 fi 190 TEST_NUM=0 191} 192 193end_group () { 194 if test -n "$TEST_FILE"; then 195 # remove the previous set of test rules 196 sed -e 's/[ ]add[ ]/ delete /' $TEST_FILE | $NSUPDATE 197 TEST_FILE= 198 fi 199 ckalive $ns3 "I:failed; ns3 server crashed and restarted" 200 GROUP_NM= 201} 202 203clean_result () { 204 if test -z "$SAVE_RESULTS"; then 205 rm -f $* 206 fi 207} 208 209# $1=dig args $2=other dig output file 210ckresult () { 211 #ckalive "$1" "I:server crashed by 'dig $1'" || return 1 212 if grep "flags:.* aa .*ad;" $DIGNM; then 213 setret "I:'dig $1' AA and AD set;" 214 elif grep "flags:.* aa .*ad;" $DIGNM; then 215 setret "I:'dig $1' AD set;" 216 fi 217 if $PERL $SYSTEMTESTTOP/digcomp.pl $DIGNM $2 >/dev/null; then 218 NEED_TCP=`echo "$1" | sed -n -e 's/[Tt][Cc][Pp].*/TCP/p'` 219 RESULT_TCP=`sed -n -e 's/.*Truncated, retrying in TCP.*/TCP/p' $DIGNM` 220 if test "$NEED_TCP" != "$RESULT_TCP"; then 221 setret "I:'dig $1' wrong; no or unexpected truncation in $DIGNM" 222 return 1 223 fi 224 clean_result ${DIGNM}* 225 return 0 226 fi 227 setret "I:'dig $1' wrong; diff $DIGNM $2" 228 return 1 229} 230 231# check only that the server does not crash 232# $1=target domain $2=optional query type 233nocrash () { 234 digcmd $* >/dev/null 235 ckalive "$*" "I:server crashed by 'dig $*'" 236} 237 238 239# check rewrite to NXDOMAIN 240# $1=target domain $2=optional query type 241nxdomain () { 242 make_dignm 243 digcmd $* \ 244 | sed -e 's/^[a-z].* IN CNAME /;xxx &/' \ 245 -e 's/^[a-z].* IN RRSIG /;xxx &/' \ 246 >$DIGNM 247 ckresult "$*" proto.nxdomain 248} 249 250# check rewrite to NODATA 251# $1=target domain $2=optional query type 252nodata () { 253 make_dignm 254 digcmd $* \ 255 | sed -e 's/^[a-z].* IN CNAME /;xxx &/' >$DIGNM 256 ckresult "$*" proto.nodata 257} 258 259# check rewrite to an address 260# modify the output so that it is easily compared, but save the original line 261# $1=IPv4 address $2=digcmd args $3=optional TTL 262addr () { 263 ADDR=$1 264 make_dignm 265 digcmd $2 >$DIGNM 266 #ckalive "$2" "I:server crashed by 'dig $2'" || return 1 267 ADDR_ESC=`echo "$ADDR" | sed -e 's/\./\\\\./g'` 268 ADDR_TTL=`sed -n -e "s/^[-.a-z0-9]\{1,\} *\([0-9]*\) IN AA* ${ADDR_ESC}\$/\1/p" $DIGNM` 269 if test -z "$ADDR_TTL"; then 270 setret "I:'dig $2' wrong; no address $ADDR record in $DIGNM" 271 return 1 272 fi 273 if test -n "$3" && test "$ADDR_TTL" -ne "$3"; then 274 setret "I:'dig $2' wrong; TTL=$ADDR_TTL instead of $3 in $DIGNM" 275 return 1 276 fi 277 clean_result ${DIGNM}* 278} 279 280# Check that a response is not rewritten 281# Use $ns1 instead of the authority for most test domains, $ns2 to prevent 282# spurious differences for `dig +norecurse` 283# $1=optional "TCP" remaining args for dig 284nochange () { 285 make_dignm 286 digcmd $* >$DIGNM 287 digcmd $* @$ns1 >${DIGNM}_OK 288 ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK 289} 290 291# check against a 'here document' 292here () { 293 make_dignm 294 sed -e 's/^[ ]*//' >${DIGNM}_OK 295 digcmd $* >$DIGNM 296 ckresult "$*" ${DIGNM}_OK 297} 298 299# check dropped response 300DROPPED='^;; connection timed out; no servers could be reached' 301drop () { 302 make_dignm 303 digcmd $* >$DIGNM 304 if grep "$DROPPED" $DIGNM >/dev/null; then 305 clean_result ${DIGNM}* 306 return 0 307 fi 308 setret "I:'dig $1' wrong; response in $DIGNM" 309 return 1 310} 311 312 313# make prototype files to check against rewritten results 314digcmd nonexistent @$ns2 >proto.nxdomain 315digcmd txt-only.tld2 @$ns2 >proto.nodata 316 317 318status=0 319 320start_group "QNAME rewrites" test1 321nochange . # 1 do not crash or rewrite root 322nxdomain a0-1.tld2 # 2 323nodata a3-1.tld2 # 3 324nodata a3-2.tld2 # 4 nodata at DNAME itself 325nochange sub.a3-2.tld2 # 5 miss where DNAME might work 326nxdomain a4-2.tld2 # 6 rewrite based on CNAME target 327nxdomain a4-2-cname.tld2 # 7 328nodata a4-3-cname.tld2 # 8 329addr 12.12.12.12 a4-1.sub1.tld2 # 9 A replacement 330addr 12.12.12.12 a4-1.sub2.tld2 # 10 A replacement with wildcard 331addr 12.12.12.12 nxc1.sub1.tld2 # 11 replace NXDOMAIN with CNAME 332addr 12.12.12.12 nxc2.sub1.tld2 # 12 replace NXDOMAIN with CNAME chain 333addr 127.4.4.1 a4-4.tld2 # 13 prefer 1st conflicting QNAME zone 334nochange a6-1.tld2 # 14 335addr 127.6.2.1 a6-2.tld2 # 15 336addr 56.56.56.56 a3-6.tld2 # 16 wildcard CNAME 337addr 57.57.57.57 a3-7.sub1.tld2 # 17 wildcard CNAME 338addr 127.0.0.16 a4-5-cname3.tld2 # 18 CNAME chain 339addr 127.0.0.17 a4-6-cname3.tld2 # 19 stop short in CNAME chain 340nochange a5-2.tld2 +norecurse # 20 check that RD=1 is required 341nochange a5-3.tld2 +norecurse # 21 342nochange a5-4.tld2 +norecurse # 22 343nochange sub.a5-4.tld2 +norecurse # 23 344nxdomain c1.crash2.tld3 # 24 assert in rbtdb.c 345nxdomain a0-1.tld2 +dnssec # 25 simple DO=1 without signatures 346nxdomain a0-1.tld2s +nodnssec # 26 simple DO=0 with signatures 347nochange a0-1.tld2s +dnssec # 27 simple DO=1 with signatures 348nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain 349nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain 350nochange a0-1.tld2s srv +auth +dnssec # 30 no write for DNSSEC and no record 351nxdomain a0-1.tld2s srv +nodnssec # 31 352drop a3-8.tld2 any # 32 drop 353nochange tcp a3-9.tld2 # 33 tcp-only 354here x.servfail <<'EOF' # 34 qname-wait-recurse yes 355 ;; status: SERVFAIL, x 356EOF 357addr 35.35.35.35 "x.servfail @$ns5" # 35 qname-wait-recurse no 358end_group 359ckstats $ns3 test1 ns3 22 360ckstats $ns5 test1 ns5 1 361ckstats $ns6 test1 ns6 0 362 363start_group "NXDOMAIN/NODATA action on QNAME trigger" test1 364nxdomain a0-1.tld2 @$ns6 # 1 365nodata a3-1.tld2 @$ns6 # 2 366nodata a3-2.tld2 @$ns6 # 3 nodata at DNAME itself 367nxdomain a4-2.tld2 @$ns6 # 4 rewrite based on CNAME target 368nxdomain a4-2-cname.tld2 @$ns6 # 5 369nodata a4-3-cname.tld2 @$ns6 # 6 370addr 12.12.12.12 "a4-1.sub1.tld2 @$ns6" # 7 A replacement 371addr 12.12.12.12 "a4-1.sub2.tld2 @$ns6" # 8 A replacement with wildcard 372addr 127.4.4.1 "a4-4.tld2 @$ns6" # 9 prefer 1st conflicting QNAME zone 373addr 12.12.12.12 "nxc1.sub1.tld2 @$ns6" # 10 replace NXDOMAIN w/ CNAME 374addr 12.12.12.12 "nxc2.sub1.tld2 @$ns6" # 11 replace NXDOMAIN w/ CNAME chain 375addr 127.6.2.1 "a6-2.tld2 @$ns6" # 12 376addr 56.56.56.56 "a3-6.tld2 @$ns6" # 13 wildcard CNAME 377addr 57.57.57.57 "a3-7.sub1.tld2 @$ns6" # 14 wildcard CNAME 378addr 127.0.0.16 "a4-5-cname3.tld2 @$ns6" # 15 CNAME chain 379addr 127.0.0.17 "a4-6-cname3.tld2 @$ns6" # 16 stop short in CNAME chain 380nxdomain c1.crash2.tld3 @$ns6 # 17 assert in rbtdb.c 381nxdomain a0-1.tld2 +dnssec @$ns6 # 18 simple DO=1 without sigs 382nxdomain a0-1s-cname.tld2s +dnssec @$ns6 # 19 383drop a3-8.tld2 any @$ns6 # 20 drop 384 385end_group 386ckstatsrange $ns3 test1 ns3 22 25 387ckstats $ns5 test1 ns5 0 388ckstats $ns6 test1 ns6 0 389 390start_group "IP rewrites" test2 391nodata a3-1.tld2 # 1 NODATA 392nochange a3-2.tld2 # 2 no policy record so no change 393nochange a4-1.tld2 # 3 obsolete PASSTHRU record style 394nxdomain a4-2.tld2 # 4 395nochange a4-2.tld2 -taaaa # 5 no A => no policy rewrite 396nochange a4-2.tld2 -ttxt # 6 no A => no policy rewrite 397nxdomain a4-2.tld2 -tany # 7 no A => no policy rewrite 398nodata a4-3.tld2 # 8 399nxdomain a3-1.tld2 -taaaa # 9 IPv6 policy 400nochange a4-1-aaaa.tld2 -taaaa # 10 401addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address 402addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone 403nochange a5-4.tld2 +norecurse # 13 check that RD=1 is required for #14 404addr 14.14.14.14 a5-4.tld2 # 14 prefer QNAME to IP 405nochange a4-4.tld2 # 15 PASSTHRU 406nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c 407addr 127.0.0.17 "a4-4.tld2 -b $ns1" # 17 client-IP address trigger 408nxdomain a7-1.tld2 # 18 slave policy zone (RT34450) 409cp ns2/blv2.tld2.db.in ns2/bl.tld2.db 410$RNDCCMD 10.53.0.2 reload bl.tld2 411goodsoa="rpz.tld2. hostmaster.ns.tld2. 2 3600 1200 604800 60" 412for i in 0 1 2 3 4 5 6 7 8 9 10 413do 414 soa=`$DIG -p 5300 +short soa bl.tld2 @10.53.0.3 -b10.53.0.3` 415 test "$soa" = "$goodsoa" && break 416 sleep 1 417done 418nochange a7-1.tld2 # 19 PASSTHRU 419sleep 1 # ensure that a clock tick has occured so that the reload takes effect 420cp ns2/blv3.tld2.db.in ns2/bl.tld2.db 421goodsoa="rpz.tld2. hostmaster.ns.tld2. 3 3600 1200 604800 60" 422$RNDCCMD 10.53.0.2 reload bl.tld2 423for i in 0 1 2 3 4 5 6 7 8 9 10 424do 425 soa=`$DIG -p 5300 +short soa bl.tld2 @10.53.0.3 -b10.53.0.3` 426 test "$soa" = "$goodsoa" && break 427 sleep 1 428done 429nxdomain a7-1.tld2 # 20 slave policy zone (RT34450) 430end_group 431ckstats $ns3 test2 ns3 12 432 433# check that IP addresses for previous group were deleted from the radix tree 434start_group "radix tree deletions" 435nochange a3-1.tld2 436nochange a3-2.tld2 437nochange a4-1.tld2 438nochange a4-2.tld2 439nochange a4-2.tld2 -taaaa 440nochange a4-2.tld2 -ttxt 441nochange a4-2.tld2 -tany 442nochange a4-3.tld2 443nochange a3-1.tld2 -tAAAA 444nochange a4-1-aaaa.tld2 -tAAAA 445nochange a5-1-2.tld2 446end_group 447ckstats $ns3 'radix tree deletions' ns3 0 448 449if ./rpz nsdname; then 450 # these tests assume "min-ns-dots 0" 451 start_group "NSDNAME rewrites" test3 452 nochange a3-1.tld2 # 1 453 nochange a3-1.tld2 +dnssec # 2 this once caused problems 454 nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME 455 nxdomain a3-1.subsub.sub1.tld2 456 nxdomain a3-1.subsub.sub1.tld2 -tany 457 addr 12.12.12.12 a4-2.subsub.sub2.tld2 # 6 walled garden for *.sub2.tld2 458 nochange a3-2.tld2. # 7 exempt rewrite by name 459 nochange a0-1.tld2. # 8 exempt rewrite by address block 460 addr 12.12.12.12 a4-1.tld2 # 9 prefer QNAME policy to NSDNAME 461 addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME 462 addr 127.0.0.2 a3-1.subsub.sub3.tld2 463 nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash 464 end_group 465 ckstats $ns3 test3 ns3 7 466else 467 echo "I:NSDNAME not checked; named configured with --disable-rpz-nsdname" 468fi 469 470if ./rpz nsip; then 471 # these tests assume "min-ns-dots 0" 472 start_group "NSIP rewrites" test4 473 nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2 474 nochange a3-2.tld2. # 2 exempt rewrite by name 475 nochange a0-1.tld2. # 3 exempt rewrite by address block 476 nochange a3-1.tld4 # 4 different NS IP address 477 end_group 478 479 start_group "walled garden NSIP rewrites" test4a 480 addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2 481 addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2 482 here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2 483 ;; status: NOERROR, x 484 a3-1.tld2. x IN TXT "NSIP walled garden" 485EOF 486 end_group 487 ckstats $ns3 test4 ns3 4 488else 489 echo "I:NSIP not checked; named configured with --disable-rpz-nsip" 490fi 491 492# policies in ./test5 overridden by response-policy{} in ns3/named.conf 493# and in ns5/named.conf 494start_group "policy overrides" test5 495addr 127.0.0.1 a3-1.tld2 # 1 bl-given 496nochange a3-2.tld2 # 2 bl-passthru 497nochange a3-3.tld2 # 3 bl-no-op obsolete for passthru 498nochange a3-4.tld2 # 4 bl-disabled 499nodata a3-5.tld2 # 5 bl-nodata zone recursive-only no 500nodata a3-5.tld2 +norecurse # 6 bl-nodata zone recursive-only no 501nodata a3-5.tld2 # 7 bl-nodata not needed 502nxdomain a3-5.tld2 +norecurse @$ns5 # 8 bl-nodata global recursive-only no 503nxdomain a3-5.tld2s @$ns5 # 9 bl-nodata global break-dnssec 504nxdomain a3-5.tld2s +dnssec @$ns5 # 10 bl-nodata global break-dnssec 505nxdomain a3-6.tld2 # 11 bl-nxdomain 506here a3-7.tld2 -tany <<'EOF' 507 ;; status: NOERROR, x 508 a3-7.tld2. x IN CNAME txt-only.tld2. 509 txt-only.tld2. x IN TXT "txt-only-tld2" 510EOF 511addr 58.58.58.58 a3-8.tld2 # 13 bl_wildcname 512addr 59.59.59.59 a3-9.sub9.tld2 # 14 bl_wildcname 513addr 12.12.12.12 a3-15.tld2 # 15 bl-garden via CNAME to a12.tld2 514addr 127.0.0.16 a3-16.tld2 100 # 16 bl max-policy-ttl 100 515addr 17.17.17.17 "a3-17.tld2 @$ns5" 90 # 17 ns5 bl max-policy-ttl 90 516drop a3-18.tld2 any # 18 bl-drop 517nxdomain TCP a3-19.tld2 # 19 bl-tcp-only 518end_group 519ckstats $ns3 test5 ns3 12 520ckstats $ns5 test5 ns5 4 521 522 523# check that miscellaneous bugs are still absent 524start_group "crashes" test6 525for Q in RRSIG SIG ANY 'ANY +dnssec'; do 526 nocrash a3-1.tld2 -t$Q 527 nocrash a3-2.tld2 -t$Q 528 nocrash a3-5.tld2 -t$Q 529 nocrash www.redirect -t$Q 530 nocrash www.credirect -t$Q 531done 532 533# This is not a bug, because any data leaked by writing 24.4.3.2.10.rpz-ip 534# (or whatever) is available by publishing "foo A 10.2.3.4" and then 535# resolving foo. 536# nxdomain 32.3.2.1.127.rpz-ip 537end_group 538ckstats $ns3 bugs ns3 8 539 540 541 542# superficial test for major performance bugs 543QPERF=`sh qperf.sh` 544if test -n "$QPERF"; then 545 perf () { 546 date "+I:${TS}checking performance $1" 547 # Dry run to prime everything 548 comment "before dry run $1" 549 $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p 5300 >/dev/null 550 comment "before real test $1" 551 PFILE="ns5/$2.perf" 552 $RNDCCMD $ns5 notrace 553 $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p 5300 >$PFILE 554 comment "after test $1" 555 X=`sed -n -e 's/.*Returned *\([^ ]*:\) *\([0-9]*\) .*/\1\2/p' $PFILE \ 556 | tr '\n' ' '` 557 if test "$X" != "$3"; then 558 setret "I:wrong results '$X' in $PFILE" 559 fi 560 ckalive $ns5 "I:failed; server #5 crashed" 561 } 562 trim () { 563 sed -n -e 's/.*Queries per second: *\([0-9]*\).*/\1/p' ns5/$1.perf 564 } 565 566 # get qps with rpz 567 perf 'with RPZ' rpz 'NOERROR:2900 NXDOMAIN:100 ' 568 RPZ=`trim rpz` 569 570 # turn off rpz and measure qps again 571 echo "# RPZ off" >ns5/rpz-switch 572 RNDCCMD_OUT=`$RNDCCMD $ns5 reload` 573 perf 'without RPZ' norpz 'NOERROR:3000 ' 574 NORPZ=`trim norpz` 575 576 PERCENT=`expr \( "$RPZ" \* 100 + \( $NORPZ / 2 \) \) / $NORPZ` 577 echo "I:$RPZ qps with RPZ is $PERCENT% of $NORPZ qps without RPZ" 578 579 MIN_PERCENT=30 580 if test "$PERCENT" -lt $MIN_PERCENT; then 581 echo "I:$RPZ qps with rpz or $PERCENT% is below $MIN_PERCENT% of $NORPZ qps" 582 fi 583 584 if test "$PERCENT" -ge 100; then 585 echo "I:$RPZ qps with RPZ or $PERCENT% of $NORPZ qps without RPZ is too high" 586 fi 587 588 ckstats $ns5 performance ns5 200 589 590else 591 echo "I:performance not checked; queryperf not available" 592fi 593 594 595# restart the main test RPZ server to see if that creates a core file 596if test -z "$HAVE_CORE"; then 597 $PERL $SYSTEMTESTTOP/stop.pl . ns3 598 restart 3 599 HAVE_CORE=`find ns* -name '*core*' -print` 600 test -z "$HAVE_CORE" || setret "I:found $HAVE_CORE; memory leak?" 601fi 602 603# look for complaints from lib/dns/rpz.c and bin/name/query.c 604EMSGS=`egrep -l 'invalid rpz|rpz.*failed' ns*/named.run` 605if test -n "$EMSGS"; then 606 setret "I:error messages in $EMSGS starting with:" 607 egrep 'invalid rpz|rpz.*failed' ns*/named.run | sed -e '10,$d' -e 's/^/I: /' 608fi 609 610echo "I:checking that ttl values are not zeroed when qtype is '*'" 611$DIG +noall +answer -p 5300 @$ns3 any a3-2.tld2 > dig.out.any 612ttl=`awk '/a3-2 tld2 text/ {print $2}' dig.out.any` 613if test ${ttl:=0} -eq 0; then setret I:failed; fi 614 615echo "I:checking rpz updates/transfers with parent nodes added after children" 616# regression test for RT #36272: the success condition 617# is the slave server not crashing. 618nsd() { 619 $NSUPDATE -p 5300 << EOF 620server $1 621ttl 300 622update $2 $3 IN CNAME . 623update $2 $4 IN CNAME . 624send 625EOF 626 sleep 2 627} 628 629for i in 1 2 3 4 5; do 630 nsd $ns5 add example.com.policy1. '*.example.com.policy1.' 631 nsd $ns5 delete example.com.policy1. '*.example.com.policy1.' 632done 633for i in 1 2 3 4 5; do 634 nsd $ns5 add '*.example.com.policy1.' example.com.policy1. 635 nsd $ns5 delete '*.example.com.policy1.' example.com.policy1. 636done 637 638echo "I:checking that going from a empty policy zone works" 639nsd $ns5 add '*.x.servfail.policy2.' x.servfail.policy2. 640sleep 1 641$RNDCCMD $ns7 reload policy2 642$DIG z.x.servfail -p 5300 @$ns7 > dig.out.ns7 643grep NXDOMAIN dig.out.ns7 > /dev/null || setret I:failed; 644 645echo "I:exit status: $status" 646exit $status 647