packages/bind
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
bind/backport-0032-Add-test-cases-using-static-and-static-stub-zones.patch

309 lines
10 KiB
Diff
Raw Normal View History

backport bugfix patches
2022-12-26 15:55:21 +08:00
From 967e5e09cd80bd74f96ad49d65b564ac58023f0c Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Mon, 28 Mar 2022 16:36:03 +1100
Subject: [PATCH] Add test cases using static and static-stub zones
RPZ NSIP and NSDNAME checks were failing with "unrecognized NS
rpz_rrset_find() failed: glue" when static or static-stub zones
where used to resolve the query name.
Add tests using stub and static-stub zones that are expected to
be filtered and not-filtered against NSIP and NSDNAME rules.
stub and static-stub queries are expected to be filtered
stub-nomatch and static-stub-nomatch queries are expected to be passed
(cherry picked from commit 30cb70c82671e345810be546ffa902631b43d306)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/967e5e09cd80bd74f96ad49d65b564ac58023f0c
---
bin/tests/system/rpz/ns10/hints | 13 ++++++++
bin/tests/system/rpz/ns10/named.conf.in | 42 +++++++++++++++++++++++++
bin/tests/system/rpz/ns10/stub.db | 21 +++++++++++++
bin/tests/system/rpz/ns2/named.conf.in | 4 +++
bin/tests/system/rpz/ns2/stub.db | 20 ++++++++++++
bin/tests/system/rpz/ns3/named.conf.in | 20 ++++++++++++
bin/tests/system/rpz/setup.sh | 1 +
bin/tests/system/rpz/tests.sh | 37 ++++++++++++++++++----
8 files changed, 152 insertions(+), 6 deletions(-)
create mode 100644 bin/tests/system/rpz/ns10/hints
create mode 100644 bin/tests/system/rpz/ns10/named.conf.in
create mode 100644 bin/tests/system/rpz/ns10/stub.db
create mode 100644 bin/tests/system/rpz/ns2/stub.db
diff --git a/bin/tests/system/rpz/ns10/hints b/bin/tests/system/rpz/ns10/hints
new file mode 100644
index 0000000000..b657c3980e
--- /dev/null
+++ b/bin/tests/system/rpz/ns10/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 120 NS ns.
+ns. 120 A 10.53.0.1
diff --git a/bin/tests/system/rpz/ns10/named.conf.in b/bin/tests/system/rpz/ns10/named.conf.in
new file mode 100644
index 0000000000..b34ce79bb4
--- /dev/null
+++ b/bin/tests/system/rpz/ns10/named.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.10;
+ notify-source 10.53.0.10;
+ transfer-source 10.53.0.10;
+ port @PORT@;
+ pid-file "named.pid";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.10; };
+ listen-on-v6 { none; };
+ notify no;
+ minimal-responses no;
+ recursion yes;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+controls {
+ inet 10.53.0.10 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "../trusted.conf";
+zone "." { type hint; file "hints"; };
+
+# grafted on zones using stub and static-stub
+zone "stub-nomatch." {type primary; file "stub.db"; };
+zone "static-stub-nomatch." {type primary; file "stub.db"; };
diff --git a/bin/tests/system/rpz/ns10/stub.db b/bin/tests/system/rpz/ns10/stub.db
new file mode 100644
index 0000000000..8ecac8c2b2
--- /dev/null
+++ b/bin/tests/system/rpz/ns10/stub.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ rewrite responses from this zone
+
+$TTL 120
+@ SOA ns hostmaster.ns ( 1 3600 1200 604800 60 )
+ NS ns
+ns A 10.53.0.10
+
+a3-1 A 10.53.99.99
+
+a4-1 A 10.53.99.99
diff --git a/bin/tests/system/rpz/ns2/named.conf.in b/bin/tests/system/rpz/ns2/named.conf.in
index 48ab311a97..1dde354562 100644
--- a/bin/tests/system/rpz/ns2/named.conf.in
+++ b/bin/tests/system/rpz/ns2/named.conf.in
@@ -49,3 +49,7 @@ zone "tld2s." {type primary; file "tld2s.db";};
zone "bl.tld2." {type primary; file "bl.tld2.db";
notify yes; notify-delay 0;};
+
+# grafted on zones using stub and static-stub
+zone "stub." {type primary; file "stub.db"; };
+zone "static-stub." {type primary; file "stub.db"; };
diff --git a/bin/tests/system/rpz/ns2/stub.db b/bin/tests/system/rpz/ns2/stub.db
new file mode 100644
index 0000000000..e4b87817e7
--- /dev/null
+++ b/bin/tests/system/rpz/ns2/stub.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ rewrite responses from this zone
+
+$TTL 120
+@ SOA tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )
+ NS ns.sub1.tld2.
+
+a3-1 A 10.53.99.99
+
+a4-1 A 10.53.99.99
diff --git a/bin/tests/system/rpz/ns3/named.conf.in b/bin/tests/system/rpz/ns3/named.conf.in
index e5545a8720..30f08c804c 100644
--- a/bin/tests/system/rpz/ns3/named.conf.in
+++ b/bin/tests/system/rpz/ns3/named.conf.in
@@ -128,3 +128,23 @@ zone "fast-expire." {
primaries { 10.53.0.5; };
notify no;
};
+
+zone "stub." {
+ type stub;
+ primaries { 10.53.0.2; };
+};
+
+zone "static-stub." {
+ type static-stub;
+ server-addresses { 10.53.0.2; };
+};
+
+zone "stub-nomatch." {
+ type stub;
+ primaries { 10.53.0.10; };
+};
+
+zone "static-stub-nomatch." {
+ type static-stub;
+ server-addresses { 10.53.0.10; };
+};
diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh
index f9897b34de..fea43bdc36 100644
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
@@ -54,6 +54,7 @@ copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named.conf.in ns7/named.conf
copy_setports ns8/named.conf.in ns8/named.conf
copy_setports ns9/named.conf.in ns9/named.conf
+copy_setports ns10/named.conf.in ns10/named.conf
copy_setports dnsrpzd.conf.in dnsrpzd.conf
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index 56a7f2e683..9fc5d08cf2 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -28,6 +28,8 @@ ns5=$ns.5 # another rewriting resolver
ns6=$ns.6 # a forwarding server
ns7=$ns.7 # another rewriting resolver
ns8=$ns.8 # another rewriting resolver
+ns9=$ns.9 # another rewriting resolver
+ns10=$ns.10 # authoritative server
HAVE_CORE=
@@ -406,6 +408,13 @@ nochange () {
ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK
}
+nochange_ns10 () {
+ make_dignm
+ digcmd $* >$DIGNM
+ digcmd $* @$ns10 >${DIGNM}_OK
+ ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK
+}
+
# check against a 'here document'
here () {
make_dignm
@@ -618,6 +627,7 @@ EOF
# these tests assume "min-ns-dots 0"
start_group "NSDNAME rewrites" test3
+ nextpart ns3/named.run > /dev/null
nochange a3-1.tld2 # 1
nochange a3-1.tld2 +dnssec # 2 this once caused problems
nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME
@@ -630,25 +640,39 @@ EOF
addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME
addr 127.0.0.2 a3-1.subsub.sub3.tld2 # 11
nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash
+
+ nxdomain a3-1.stub # 13
+ nxdomain a3-1.static-stub # 14
+ nochange_ns10 a3-1.stub-nomatch # 15
+ nochange_ns10 a3-1.static-stub-nomatch # 16
if [ "$mode" = dnsrps ]; then
- addr 12.12.12.12 as-ns.tld5. # 13 qname-as-ns
+ addr 12.12.12.12 as-ns.tld5. # 17 qname-as-ns
fi
+ nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" &&
+ setret "seen: unrecognized NS rpz_rrset_find() failed: glue"
end_group
if [ "$mode" = dnsrps ]; then
- ckstats $ns3 test3 ns3 8
+ ckstats $ns3 test3 ns3 10
else
- ckstats $ns3 test3 ns3 7
+ ckstats $ns3 test3 ns3 9
fi
# these tests assume "min-ns-dots 0"
start_group "NSIP rewrites" test4
+ nextpart ns3/named.run > /dev/null
nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2
nochange a3-2.tld2. # 2 exempt rewrite by name
nochange a0-1.tld2. # 3 exempt rewrite by address block
nochange a3-1.tld4 # 4 different NS IP address
+ nxdomain a4-1.stub # 5
+ nxdomain a4-1.static-stub # 6
+ nochange_ns10 a4-1.stub-nomatch # 7
+ nochange_ns10 a4-1.static-stub-nomatch # 8
if [ "$mode" = dnsrps ]; then
- addr 12.12.12.12 as-ns.tld5. # 5 ip-as-ns
+ addr 12.12.12.12 as-ns.tld5. # 9 ip-as-ns
fi
+ nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" &&
+ setret "seen: unrecognized NS rpz_rrset_find() failed: glue"
end_group
start_group "walled garden NSIP rewrites" test4a
@@ -660,9 +684,9 @@ EOF
EOF
end_group
if [ "$mode" = dnsrps ]; then
- ckstats $ns3 test4 ns3 5
+ ckstats $ns3 test4 ns3 7
else
- ckstats $ns3 test4 ns3 4
+ ckstats $ns3 test4 ns3 6
fi
# policies in ./test5 overridden by response-policy{} in ns3/named.conf
@@ -785,6 +809,7 @@ EOF
fi
# Ensure ns3 manages to transfer the fast-expire zone before shutdown.
+ nextpartreset ns3/named.run
wait_for_log 20 "zone fast-expire/IN: transferred serial 1" ns3/named.run
# reconfigure the ns5 primary server without the fast-expire zone, so
--
2.23.0
Reference in New Issue Copy Permalink