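#!/bin/sh
#
# Copyright (C) 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

# Id: tests.sh,v 1.3 2010/12/02 23:22:41 marka Exp

# Test of allow-query statement.
# allow-query takes an address match list and can be included in either the
# options statement or in the zone statement.  This test assumes that the
# acl tests cover the details of the address match list and uses a limited
# number of address match test cases to ensure that allow-query finds the
# expected match.
# Test list:
# In options:
#   default (any), any, none, [localhost, localnets],
#   allowed address, not allowed address, denied address,
#   allowed key, not allowed key, denied key
#   allowed acl, not allowed acl, denied acl (acls pointing to addresses)
#
#   Each of these tests requires changing to a new configuration
#   file and using rndc to update the server
#
# In view, with nothing in options (default to any)
#   default (any), any, none, [localhost, localnets],
#   allowed address, not allowed address, denied address,
#   allowed key, not allowed key, denied key
#   allowed acl, not allowed acl, denied acl (acls pointing to addresses)
#
# In view, with options set to none, view set to any
# In view, with options set to any, view set to none
#
# In zone, with nothing in options (default to any)
#   any, none, [localhost, localnets],
#   allowed address, denied address,
#   allowed key, not allowed key, denied key
#   allowed acl, not allowed acl, denied acl (acls pointing to addresses),
#
# In zone, with options set to none, zone set to any
# In zone, with options set to any, zone set to none
# In zone, with view set to none, zone set to any
# In zone, with view set to any, zone set to none
#
# zone types of master, slave and stub can be tested in parallel by using
# multiple instances (ns2 as master, ns3 as slave, ns4 as stub) and querying
# as necessary.
#

SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnssec -p 5300"
status=0
n=0

# reload_ns2 NN
#   Install ns2/namedNN.conf as ns2/named.conf, ask ns2 to reload it through
#   rndc, echo rndc's output prefixed with "I:ns2 ", then wait 5 seconds.
#   Returns non-zero when the copy or the reload fails.
reload_ns2() {
	reload_ret=0
	cp -f "ns2/named$1.conf" ns2/named.conf || reload_ret=1
	# rndc's output is captured rather than piped straight into sed: a
	# pipeline reports sed's exit status, which hides a failed reload.  A
	# hidden failure presumably leaves ns2 on the previous configuration,
	# so a "query refused" case that follows another "refused" case would
	# pass without ever exercising its own allow-query setting.
	rndc_out=`$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1` || reload_ret=1
	if [ -n "$rndc_out" ]; then
		printf '%s\n' "$rndc_out" | sed 's/^/I:ns2 /'
	fi
	if [ $reload_ret != 0 ]; then
		echo "I:ns2 failed to install or reload named$1.conf"
	fi
	sleep 5
	return $reload_ret
}

# run_test CONF VERDICT TITLE QNAME [KEY]
#   CONF     two-digit suffix of the ns2/namedNN.conf to load first, or "-"
#            to keep the configuration that is already loaded
#   VERDICT  "allowed": the reply must be NOERROR and contain QNAME
#            "refused": the reply must be REFUSED and must not contain QNAME
#   TITLE    text printed as "I:test N: TITLE - query VERDICT"
#   QNAME    name queried for an A record at 10.53.0.2
#   KEY      optional TSIG key as name:secret, handed to dig with -y
#   Increments the global test counter n, writes the reply to dig.out.ns2.N
#   and adds 1 to the global status when any step fails.
run_test() {
	t_conf=$1
	t_verdict=$2
	t_title=$3
	t_qname=$4
	t_key=$5

	n=`expr $n + 1`
	ret=0
	if [ "$t_conf" != "-" ]; then
		reload_ns2 "$t_conf" || ret=1
	fi

	echo "I:test $n: $t_title - query $t_verdict"
	t_out=dig.out.ns2.$n
	# $DIG and $DIGOPTS stay unquoted on purpose: DIGOPTS is a
	# space-separated option list that has to be split into words.
	if [ -n "$t_key" ]; then
		$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "$t_key" "$t_qname" a > "$t_out" || ret=1
	else
		$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 "$t_qname" a > "$t_out" || ret=1
	fi

	# QNAME doubles as a regular expression, so its dots match any
	# character; the anchored prefix is what selects the answer line.
	case $t_verdict in
	allowed)
		grep 'status: NOERROR' "$t_out" > /dev/null || ret=1
		grep "^$t_qname" "$t_out" > /dev/null || ret=1
		;;
	refused)
		grep 'status: REFUSED' "$t_out" > /dev/null || ret=1
		# A refused query must not leak the record in the same reply.
		grep "^$t_qname" "$t_out" > /dev/null && ret=1
		;;
	*)
		echo "I:unknown verdict '$t_verdict'"
		ret=1
		;;
	esac

	if [ $ret != 0 ]; then echo "I:failed"; fi
	status=`expr $status + $ret`
}

# The TSIG secrets used below are test fixtures; they presumably match the
# key statements in the ns2/namedNN.conf files, which are not visible here.
# Passing a secret with -y puts it on the command line, where the process
# list shows it; outside a test bed, dig's -k keyfile option avoids that.

# Tests 1-12: allow-query in the options statement
run_test -  allowed "default"             a.normal.example
run_test 02 allowed "explicit any"        a.normal.example
run_test 03 refused "none"                a.normal.example
run_test 04 allowed "address allowed"     a.normal.example
run_test 05 refused "address not allowed" a.normal.example
run_test 06 refused "address disallowed"  a.normal.example
run_test 07 allowed "acl allowed"         a.normal.example
run_test 08 refused "acl not allowed"     a.normal.example
run_test 09 refused "acl disallowed"      a.normal.example
run_test 10 allowed "key allowed"         a.normal.example one:1234abcd8765
run_test 11 refused "key not allowed"     a.normal.example two:1234efgh8765
run_test 12 refused "key disallowed"      a.normal.example one:1234abcd8765

# The next set of tests check if allow-query works in a view

# Tests 21-34
n=20
run_test 21 allowed "views default"             a.normal.example
run_test 22 allowed "views explicit any"        a.normal.example
run_test 23 refused "views none"                a.normal.example
run_test 24 allowed "views address allowed"     a.normal.example
run_test 25 refused "views address not allowed" a.normal.example
run_test 26 refused "views address disallowed"  a.normal.example
run_test 27 allowed "views acl allowed"         a.normal.example
run_test 28 refused "views acl not allowed"     a.normal.example
run_test 29 refused "views acl disallowed"      a.normal.example
run_test 30 allowed "views key allowed"         a.normal.example one:1234abcd8765
run_test 31 refused "views key not allowed"     a.normal.example two:1234efgh8765
run_test 32 refused "views key disallowed"      a.normal.example one:1234abcd8765
run_test 33 allowed "views over options, views allow"    a.normal.example
run_test 34 refused "views over options, views disallow" a.normal.example

# Tests for allow-query in the zone statements

# Tests 41-52 share one configuration (named40.conf); each queries a name in
# a different zone, so only test 41 reloads the server.
n=40
run_test 40 allowed "zone default"             a.normal.example
run_test -  allowed "zone explicit any"        a.any.example
run_test -  refused "zone none"                a.none.example
run_test -  allowed "zone address allowed"     a.addrallow.example
run_test -  refused "zone address not allowed" a.addrnotallow.example
run_test -  refused "zone address disallowed"  a.addrdisallow.example
run_test -  allowed "zone acl allowed"         a.aclallow.example
run_test -  refused "zone acl not allowed"     a.aclnotallow.example
run_test -  refused "zone acl disallowed"      a.acldisallow.example
run_test -  allowed "zone key allowed"         a.keyallow.example one:1234abcd8765
run_test -  refused "zone key not allowed"     a.keyallow.example two:1234efgh8765
run_test -  refused "zone key disallowed"      a.keydisallow.example one:1234abcd8765

# Tests 53-56: zone setting against options, then against views.  The titles
# name zones so that the log line says which precedence rule failed.
run_test 53 allowed "zones over options, zones allow"    a.normal.example
run_test 54 refused "zones over options, zones disallow" a.normal.example
run_test 55 allowed "zones over views, zones allow"      a.normal.example
run_test 56 refused "zones over views, zones disallow"   a.normal.example

echo "I:exit status: $status"
exit $status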