From 967e5e09cd80bd74f96ad49d65b564ac58023f0c Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 28 Mar 2022 16:36:03 +1100
Subject: [PATCH] Add test cases using static and static-stub zones

RPZ NSIP and NSDNAME checks were failing with "unrecognized NS rpz_rrset_find() failed: glue" when static or static-stub zones where used to resolve the query name.

Add tests using stub and static-stub zones that are expected to be filtered and not-filtered against NSIP and NSDNAME rules.

stub and static-stub queries are expected to be filtered
stub-nomatch and static-stub-nomatch queries are expected to be passed

(cherry picked from commit 30cb70c82671e345810be546ffa902631b43d306)

Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/967e5e09cd80bd74f96ad49d65b564ac58023f0c
---
bin/tests/system/rpz/ns10/hints | 13 ++++++++
bin/tests/system/rpz/ns10/named.conf.in | 42 +++++++++++++++++++++++++
bin/tests/system/rpz/ns10/stub.db | 21 +++++++++++++
bin/tests/system/rpz/ns2/named.conf.in | 4 +++
bin/tests/system/rpz/ns2/stub.db | 20 ++++++++++++
bin/tests/system/rpz/ns3/named.conf.in | 20 ++++++++++++
bin/tests/system/rpz/setup.sh | 1 +
bin/tests/system/rpz/tests.sh | 37 ++++++++++++++++++----
8 files changed, 152 insertions(+), 6 deletions(-)
create mode 100644 bin/tests/system/rpz/ns10/hints
create mode 100644 bin/tests/system/rpz/ns10/named.conf.in
create mode 100644 bin/tests/system/rpz/ns10/stub.db
create mode 100644 bin/tests/system/rpz/ns2/stub.db

diff --git a/bin/tests/system/rpz/ns10/hints b/bin/tests/system/rpz/ns10/hints
new file mode 100644
index 0000000000..b657c3980e
--- /dev/null
+++ b/bin/tests/system/rpz/ns10/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 120 NS ns.
+ns. 120 A 10.53.0.1
diff --git a/bin/tests/system/rpz/ns10/named.conf.in b/bin/tests/system/rpz/ns10/named.conf.in
new file mode 100644
index 0000000000..b34ce79bb4
--- /dev/null
+++ b/bin/tests/system/rpz/ns10/named.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options { query-source address 10.53.0.10; notify-source 10.53.0.10; transfer-source 10.53.0.10; port @PORT@; pid-file "named.pid"; session-keyfile "session.key"; listen-on { 10.53.0.10; }; listen-on-v6 { none; }; notify no; minimal-responses no; recursion yes; dnssec-validation yes;
+};
+
+key rndc_key { secret "1234abcd8765"; algorithm hmac-sha256;
+};
+controls { inet 10.53.0.10 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "../trusted.conf";
+zone "." { type hint; file "hints"; };
+
+# grafted on zones using stub and static-stub
+zone "stub-nomatch." {type primary; file "stub.db"; };
+zone "static-stub-nomatch." {type primary; file "stub.db"; };
diff --git a/bin/tests/system/rpz/ns10/stub.db b/bin/tests/system/rpz/ns10/stub.db
new file mode 100644
index 0000000000..8ecac8c2b2
--- /dev/null
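Review bot: `recursion yes;` in the new ns10/named.conf.in options block does not match the role the same patch gives this server in tests.sh (`ns10=$ns.10 # authoritative server`), and together with the root hints at `ns. 120 A 10.53.0.1` it presumably means ns10 will recurse for any name outside its two primary zones. If the `nochange_ns10` reference answers are meant to come only from stub.db, `recursion no;` pins that down and the `dnssec-validation yes;` / `include "../trusted.conf";` lines can likely go with it; if recursion is deliberate, a one-line comment saying why would spare the next reader the question. The trailing `# grafted on zones using stub and static-stub` comment would also read better as `# zones behind ns3's stub-nomatch/static-stub-nomatch stub zones; answers are expected to pass the NSIP/NSDNAME rules unchanged`.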
+++ b/bin/tests/system/rpz/ns10/stub.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ rewrite responses from this zone
+
+$TTL 120
+@ SOA ns hostmaster.ns ( 1 3600 1200 604800 60 )
+ NS ns
+ns A 10.53.0.10
+
+a3-1 A 10.53.99.99
+
+a4-1 A 10.53.99.99
diff --git a/bin/tests/system/rpz/ns2/named.conf.in b/bin/tests/system/rpz/ns2/named.conf.in
index 48ab311a97..1dde354562 100644
--- a/bin/tests/system/rpz/ns2/named.conf.in
+++ b/bin/tests/system/rpz/ns2/named.conf.in
@@ -49,3 +49,7 @@ zone "tld2s." {type primary; file "tld2s.db";}; zone "bl.tld2." {type primary; file "bl.tld2.db"; notify yes; notify-delay 0;};
+
+# grafted on zones using stub and static-stub
+zone "stub." {type primary; file "stub.db"; };
+zone "static-stub." {type primary; file "stub.db"; };
diff --git a/bin/tests/system/rpz/ns2/stub.db b/bin/tests/system/rpz/ns2/stub.db
new file mode 100644
index 0000000000..e4b87817e7
--- /dev/null
+++ b/bin/tests/system/rpz/ns2/stub.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ rewrite responses from this zone
+
+$TTL 120
+@ SOA tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )
+ NS ns.sub1.tld2.
+
+a3-1 A 10.53.99.99
+
+a4-1 A 10.53.99.99
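Review bot: The header comment `; RPZ rewrite responses from this zone` in ns10/stub.db (and the identical line in ns2/stub.db further down) is misleading: nothing in this patch loads either file as a response-policy zone, they are served as plain `type primary` zones that ns3's new stub/static-stub zones resolve through, and the a3-1/a4-1 records are the answers the NSDNAME/NSIP tests expect to be rewritten (ns2) or passed through (ns10). Suggest `; ordinary zone data behind the stub/static-stub zones grafted into ns3 -- not an RPZ` in both files. A note on the NS record would also help, since it is what the rules key on: in ns2/stub.db `NS ns.sub1.tld2.` presumably trips the same NSDNAME/NSIP policies the existing tld2 tests exercise, while ns10/stub.db's `ns A 10.53.0.10` stays outside them -- worth confirming against the test3/test4 policy zones, which are not in this patch.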
diff --git a/bin/tests/system/rpz/ns3/named.conf.in b/bin/tests/system/rpz/ns3/named.conf.in
index e5545a8720..30f08c804c 100644
--- a/bin/tests/system/rpz/ns3/named.conf.in
+++ b/bin/tests/system/rpz/ns3/named.conf.in
@@ -128,3 +128,23 @@ zone "fast-expire." { primaries { 10.53.0.5; }; notify no; };
+
+zone "stub." {
+ type stub;
+ primaries { 10.53.0.2; };
+};
+
+zone "static-stub." {
+ type static-stub;
+ server-addresses { 10.53.0.2; };
+};
+
+zone "stub-nomatch." {
+ type stub;
+ primaries { 10.53.0.10; };
+};
+
+zone "static-stub-nomatch." {
+ type static-stub;
+ server-addresses { 10.53.0.10; };
+};
diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh
index f9897b34de..fea43bdc36 100644
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
@@ -54,6 +54,7 @@ copy_setports ns6/named.conf.in ns6/named.conf
 copy_setports ns7/named.conf.in ns7/named.conf
 copy_setports ns8/named.conf.in ns8/named.conf
 copy_setports ns9/named.conf.in ns9/named.conf
+copy_setports ns10/named.conf.in ns10/named.conf
 copy_setports dnsrpzd.conf.in dnsrpzd.conf
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index 56a7f2e683..9fc5d08cf2 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -28,6 +28,8 @@ ns5=$ns.5 # another rewriting resolver
 ns6=$ns.6 # a forwarding server
 ns7=$ns.7 # another rewriting resolver
 ns8=$ns.8 # another rewriting resolver
+ns9=$ns.9 # another rewriting resolver
+ns10=$ns.10 # authoritative server
 HAVE_CORE=
@@ -406,6 +408,13 @@ nochange () {
 ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK
 }
+nochange_ns10 () {
+ make_dignm
+ digcmd $* >$DIGNM
+ digcmd $* @$ns10 >${DIGNM}_OK
+ ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK
+}
+
 # check against a 'here document'
 here () {
 make_dignm
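Review bot: The four zone blocks appended to ns3/named.conf.in carry no comment, so the file alone does not say why `stub.`/`static-stub.` point at 10.53.0.2 while the `-nomatch` pair point at 10.53.0.10, nor what each is expected to do under the RPZ rules. Suggest a header above `zone "stub." {` such as `# grafted-on zones for the NSIP/NSDNAME tests: this pair resolves via ns2 and is expected to be rewritten; the -nomatch pair below resolves via ns10 and is expected to pass unchanged` (the expectation is stated in the commit message but in no file). Layout-wise the new blocks follow the multi-line style of the `zone "fast-expire."` block in the context, so they are consistent with the file.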
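Review bot: `nochange_ns10` duplicates `nochange` apart from `@$ns10` on the second `digcmd`, so any later change to how `nochange` builds or cleans up its reference result has to be made in two places; a variable on the existing helper would avoid that, e.g. `nochange_ns10 () { NOCHANGE_REF=@$ns10 nochange "$@"; }` with `nochange` running `digcmd $* $NOCHANGE_REF >${DIGNM}_OK` -- only the tail of `nochange` is visible in this hunk, so I cannot see whether its second `digcmd` is built the same way. Whichever shape is kept, a one-line comment above the function would help: `# like nochange, but the expected answer is taken directly from ns10`. The unquoted `$*` matches the surrounding helpers, so I would leave it for consistency.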
@@ -618,6 +627,7 @@ EOF
 # these tests assume "min-ns-dots 0"
 start_group "NSDNAME rewrites" test3
+ nextpart ns3/named.run > /dev/null
 nochange a3-1.tld2 # 1
 nochange a3-1.tld2 +dnssec # 2 this once caused problems
 nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME
@@ -630,25 +640,39 @@ EOF
 addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME
 addr 127.0.0.2 a3-1.subsub.sub3.tld2 # 11
 nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash
+
+ nxdomain a3-1.stub # 13
+ nxdomain a3-1.static-stub # 14
+ nochange_ns10 a3-1.stub-nomatch # 15
+ nochange_ns10 a3-1.static-stub-nomatch # 16
 if [ "$mode" = dnsrps ]; then
- addr 12.12.12.12 as-ns.tld5. # 13 qname-as-ns
+ addr 12.12.12.12 as-ns.tld5. # 17 qname-as-ns
 fi
+ nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" &&
+ setret "seen: unrecognized NS rpz_rrset_find() failed: glue"
 end_group
 if [ "$mode" = dnsrps ]; then
- ckstats $ns3 test3 ns3 8
+ ckstats $ns3 test3 ns3 10
 else
- ckstats $ns3 test3 ns3 7
+ ckstats $ns3 test3 ns3 9
 fi
 # these tests assume "min-ns-dots 0"
 start_group "NSIP rewrites" test4
+ nextpart ns3/named.run > /dev/null
 nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2
 nochange a3-2.tld2. # 2 exempt rewrite by name
 nochange a0-1.tld2. # 3 exempt rewrite by address block
 nochange a3-1.tld4 # 4 different NS IP address
+ nxdomain a4-1.stub # 5
+ nxdomain a4-1.static-stub # 6
+ nochange_ns10 a4-1.stub-nomatch # 7
+ nochange_ns10 a4-1.static-stub-nomatch # 8
 if [ "$mode" = dnsrps ]; then
- addr 12.12.12.12 as-ns.tld5. # 5 ip-as-ns
+ addr 12.12.12.12 as-ns.tld5. # 9 ip-as-ns
 fi
+ nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" &&
+ setret "seen: unrecognized NS rpz_rrset_find() failed: glue"
 end_group
 start_group "walled garden NSIP rewrites" test4a
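Review bot: The regression check added after `fi` in both the NSDNAME and NSIP groups spells out `unrecognized NS rpz_rrset_find() failed: glue` four times, twice as a `grep -q` pattern and twice as a `setret` message, and as a basic regular expression the `.` in it matches any character, so the match is slightly looser than the literal it is meant to catch. Hoist it once, `glue_msg="unrecognized NS rpz_rrset_find() failed: glue"`, and use `nextpart ns3/named.run | grep -qF "$glue_msg" && setret "seen: $glue_msg"` in both places. The `nextpart ns3/named.run > /dev/null` added at each `start_group` presumably discards everything logged before the group so the later grep only sees this group's lines; that is easy to mistake for a no-op and deserves `# drain named.run so the glue check below only sees this group`.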
@@ -660,9 +684,9 @@ EOF
 EOF
 end_group
 if [ "$mode" = dnsrps ]; then
- ckstats $ns3 test4 ns3 5
+ ckstats $ns3 test4 ns3 7
 else
- ckstats $ns3 test4 ns3 4
+ ckstats $ns3 test4 ns3 6
 fi
 # policies in ./test5 overridden by response-policy{} in ns3/named.conf
@@ -785,6 +809,7 @@ EOF
 fi
 # Ensure ns3 manages to transfer the fast-expire zone before shutdown.
+ nextpartreset ns3/named.run
 wait_for_log 20 "zone fast-expire/IN: transferred serial 1" ns3/named.run
 # reconfigure the ns5 primary server without the fast-expire zone, so
--
2.23.0
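Review bot: `nextpartreset ns3/named.run` is added with no comment saying why it is needed before `wait_for_log`: the `nextpart ns3/named.run` calls introduced in the NSDNAME and NSIP groups (earlier hunks) presumably advance the per-file read offset, so a `wait_for_log` that reads from that offset could miss a `zone fast-expire/IN: transferred serial 1` line logged before those calls. Suggest `# the nextpart calls in the NSDNAME/NSIP groups moved the ns3/named.run offset; rewind so wait_for_log sees the whole log`. I cannot see wait_for_log's implementation here, so please confirm it reads through nextpart; the surrounding block of tests.sh continues outside this hunk.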