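#! /bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

set -e

# Say on stdout whether to test DNSRPS
# and create dnsrps.conf and dnsrps-slave.conf
# Note that dnsrps.conf and dnsrps-slave.conf are included in named.conf
# and differ from dnsrpz.conf which is used by dnsrpzd.
#
# Usage: ckdnsrps [-xAD] [-M dnsrps.conf] [-S dnsrps-slave.conf]
#   -x  trace execution (set -x)
#   -A  add "qname-as-ns yes" and "ip-as-ns yes" to the master resolver options
#   -D  test DNSRPS; without it native RPZ is tested and "#skip" is written
#   -M  master resolver config fragment to write (default dnsrps.conf)
#   -S  slave resolver config fragment to write (default dnsrps-slave.conf)
#
# Both fragments are truncated first.  They end with a "#skip" or "#fail"
# marker line unless a valid DNSRPS license zone could be transferred, in
# which case neither marker is written.
# $FEATURETEST and $DIG are expected to be set by the sourced conf.sh.


SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"

DNSRPS_CMD=../rpz/dnsrps

AS_NS=
TEST_DNSRPS=
MCONF=dnsrps.conf
SCONF=dnsrps-slave.conf
USAGE="$0: [-xAD] [-M dnsrps.conf] [-S dnsrps-slave.conf]"
while getopts "xADM:S:" c; do
    case "$c" in
        # DEBUG is not read below; presumably inspected by a caller — TODO confirm
        x) set -x; DEBUG=-x;;
        A) AS_NS=yes;;
        D) TEST_DNSRPS=yes;;
        M) MCONF="$OPTARG";;
        S) SCONF="$OPTARG";;
        *) printf '%s\n' "$USAGE" >&2; exit 1;;
    esac
done
# Arithmetic expansion instead of `expr`: expr exits non-zero when the
# result is 0, which would otherwise have to be masked with "|| true".
shift $((OPTIND - 1))
if [ "$#" -ne 0 ]; then
    printf '%s\n' "$USAGE" >&2
    exit 1
fi

# erase any existing conf files
: > "$MCONF"
: > "$SCONF"

#######################################
# Append one line to both resolver config fragments.
# Globals:   MCONF, SCONF (appended to)
# Arguments: the text of the line; several arguments are joined by spaces
#######################################
add_conf () {
    printf '%s\n' "$*" >>"$MCONF"
    printf '%s\n' "$*" >>"$SCONF"
}

# $FEATURETEST is deliberately unquoted: conf.sh may define it as a
# command followed by options.
if ! $FEATURETEST --enable-dnsrps; then
    if [ -n "$TEST_DNSRPS" ]; then
        add_conf "## DNSRPS disabled at compile time"
    fi
    add_conf "#skip"
    exit 0
fi

if [ -z "$TEST_DNSRPS" ]; then
    add_conf "## testing with native RPZ"
    add_conf '#skip'
    exit 0
else
    add_conf "## testing with DNSRPS"
fi

if [ ! -x "$DNSRPS_CMD" ]; then
    add_conf "## make $DNSRPS_CMD to test DNSRPS"
    add_conf '#skip'
    exit 0
fi

if ! "$DNSRPS_CMD" -a >/dev/null; then
    add_conf "## DNSRPS provider library is not available"
    add_conf '#skip'
    exit 0
fi

# Options shared by the master and slave fragments; the closing "};" is
# added by the here-documents below.
CMN=" dnsrps-options { dnsrpzd-conf ../dnsrpzd.conf
    dnsrpzd-sock ../dnsrpzd.sock
    dnsrpzd-rpzf ../dnsrpzd.rpzf
    dnsrpzd-args '-dddd -L stdout'
    log-level 3"

MASTER="$CMN"
if [ -n "$AS_NS" ]; then
    MASTER="$MASTER
    qname-as-ns yes
    ip-as-ns yes"
fi

# write dnsrps settings for master resolver
cat <<EOF >>"$MCONF"
$MASTER };
EOF

# write dnsrps settings for resolvers that should not start dnsrpzd
cat <<EOF >>"$SCONF"
$CMN
    dnsrpzd '' }; # do not start dnsrpzd
EOF


# DNSRPS is available.
# The test should fail if the license is bad.
add_conf "dnsrps-enable yes;"

# Use alt-dnsrpzd-license.conf if it exists
CUR_L=dnsrpzd-license-cur.conf
ALT_L=alt-dnsrpzd-license.conf
# try ../rpz/alt-dnsrpzd-license.conf if alt-dnsrpzd-license.conf does not exist
[ -s "$ALT_L" ] || ALT_L=../rpz/alt-dnsrpzd-license.conf
if [ -s "$ALT_L" ]; then
    SRC_L=$ALT_L
    USE_ALT=
else
    SRC_L=../rpz/dnsrpzd-license.conf
    USE_ALT="## consider installing alt-dnsrpzd-license.conf"
fi
cp -- "$SRC_L" "$CUR_L"

# parse $CUR_L for the license zone name, master IP addresses, and optional
# transfer-source IP addresses.
# The sed script only emits "VAR=value" lines, and every captured value is
# limited to the bracket expressions below ([-a-z0-9] plus the literal
# ".license.fastrpz.com", [0-9.], [0-9a-f:]).  The dots of the domain suffix
# are escaped so that "." cannot match whitespace or shell metacharacters;
# with that, eval can only ever perform those assignments, whatever the
# license file contains.  Later matches override earlier ones.
# The variables are cleared first so an unmatched pattern leaves them empty.
NAME= IPV4= IPV6= TS4= TS6=
eval "$(sed -n -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/' \
    -e 's/.*zone *\([-a-z0-9]*\.license\.fastrpz\.com\).*/NAME=\1/p' \
    -e 's/.*farsight_fastrpz_license *\([0-9.]*\);.*/IPV4=\1/p' \
    -e 's/.*farsight_fastrpz_license *\([0-9a-f:]*\);.*/IPV6=\1/p' \
    -e 's/.*transfer-source *\([0-9.]*\);.*/TS4=-b\1/p' \
    -e 's/.*transfer-source *\([0-9a-f:]*\);.*/TS6=-b\1/p' \
    -e 's/.*transfer-source-v6 *\([0-9a-f:]*\);.*/TS6=-b\1/p' \
    "$CUR_L")"
if [ -z "$NAME" ]; then
    add_conf "## no DNSRPS tests; no license domain name in $SRC_L"
    add_conf '#fail'
    exit 0
fi
if [ -z "$IPV4" ]; then
    IPV4=license1.fastrpz.com
    TS4=
fi
if [ -z "$IPV6" ]; then
    IPV6=license1.fastrpz.com
    TS6=
fi

# This TSIG key is common and NOT a secret
KEY='hmac-sha256:farsight_fastrpz_license:f405d02b4c8af54855fcebc1'

# Try IPv4 and then IPv6 to deal with IPv6 tunnel and connectivity problems.
# The pipeline is the if-condition itself (no command substitution), so the
# result is grep's exit status.  $TS4/$TS6 hold "-b<addr>" or nothing;
# ${TS4:+"$TS4"} passes exactly one argument when set and none when empty.
# $DIG is deliberately unquoted: conf.sh may define it with options.
if $DIG -4 -t axfr -y"$KEY" ${TS4:+"$TS4"} "$NAME" @"$IPV4" \
    | grep -i "^$NAME.*TXT" >/dev/null; then
    exit 0
fi
if $DIG -6 -t axfr -y"$KEY" ${TS6:+"$TS6"} "$NAME" @"$IPV6" \
    | grep -i "^$NAME.*TXT" >/dev/null; then
    exit 0
fi

add_conf "## DNSRPS lacks a valid license via $SRC_L"
[ -z "$USE_ALT" ] || add_conf "$USE_ALT"
add_conf '#fail'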