1#!/bin/sh
2#
3# Copyright (C) 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
4#
5# Permission to use, copy, modify, and/or distribute this software for any
6# purpose with or without fee is hereby granted, provided that the above
7# copyright notice and this permission notice appear in all copies.
8#
9# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15# PERFORMANCE OF THIS SOFTWARE.
16
17# Id: tests.sh,v 1.3 2010/12/02 23:22:41 marka Exp 
18
19# Test of allow-query statement.
20# allow-query takes an address match list and can be included in either the
21# options statement or in the zone statement.  This test assumes that the
22# acl tests cover the details of the address match list and uses a limited
23# number of address match test cases to ensure that allow-query finds the
24# expected match.
25# Test list:
26# In options:
27# default (any), any, none, [localhost, localnets], 
28# allowed address, not allowed address, denied address,
29# allowed key, not allowed key, denied key 
30# allowed acl, not allowed acl, denied acl (acls pointing to addresses) 
31#
32# Each of these tests requires changing to a new configuration
33# file and using rndc to update the server
34#
35# In view, with nothing in options (default to any)
36# default (any), any, none, [localhost, localnets], 
37# allowed address, not allowed address, denied address,
38# allowed key, not allowed key, denied key 
39# allowed acl, not allowed acl, denied acl (acls pointing to addresses) 
40#
41# In view, with options set to none, view set to any
42# In view, with options set to any, view set to none
43#
44# In zone, with nothing in options (default to any)
45# any, none, [localhost, localnets], 
46# allowed address, denied address, 
47# allowed key, not allowed key, denied key
48# allowed acl, not allowed acl, denied acl (acls pointing to addresses),
49# 
50# In zone, with options set to none, zone set to any
51# In zone, with options set to any, zone set to none
52# In zone, with view set to none, zone set to any
53# In zone, with view set to any, zone set to none
54#
55# zone types of master, slave and stub can be tested in parallel by using
56# multiple instances (ns2 as master, ns3 as slave, ns4 as stub) and querying
57# as necessary. 
58#
59
60SYSTEMTESTTOP=..
61. $SYSTEMTESTTOP/conf.sh
62
63DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnssec -p 5300"
64status=0
65n=0
66
67# Test 1 - default, query allowed
68n=`expr $n + 1`
69echo "I:test $n: default - query allowed"
70ret=0
71$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
72grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
73grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
74if [ $ret != 0 ]; then echo "I:failed"; fi
75status=`expr $status + $ret`
76
77# Test 2 - explicit any, query allowed
78n=`expr $n + 1`
79cp -f ns2/named02.conf ns2/named.conf
80$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
81sleep 5
82
83echo "I:test $n: explicit any - query allowed"
84ret=0
85$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
86grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
87grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
88if [ $ret != 0 ]; then echo "I:failed"; fi
89status=`expr $status + $ret`
90
91# Test 3 - none, query refused
92n=`expr $n + 1`
93cp -f ns2/named03.conf ns2/named.conf
94$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
95sleep 5
96
97echo "I:test $n: none - query refused"
98ret=0
99$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
100grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
101grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
102if [ $ret != 0 ]; then echo "I:failed"; fi
103status=`expr $status + $ret`
104
105# Test 4 - address allowed, query allowed
106n=`expr $n + 1`
107cp -f ns2/named04.conf ns2/named.conf
108$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
109sleep 5
110
111echo "I:test $n: address allowed - query allowed"
112ret=0
113$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
114grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
115grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
116if [ $ret != 0 ]; then echo "I:failed"; fi
117status=`expr $status + $ret`
118
119# Test 5 - address not allowed, query refused
120n=`expr $n + 1`
121cp -f ns2/named05.conf ns2/named.conf
122$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
123sleep 5
124
125echo "I:test $n: address not allowed - query refused"
126ret=0
127$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
128grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
129grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
130if [ $ret != 0 ]; then echo "I:failed"; fi
131status=`expr $status + $ret`
132
133# Test 6 - address disallowed, query refused
134n=`expr $n + 1`
135cp -f ns2/named06.conf ns2/named.conf
136$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
137sleep 5
138
139echo "I:test $n: address disallowed - query refused"
140ret=0
141$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
142grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
143grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
144if [ $ret != 0 ]; then echo "I:failed"; fi
145status=`expr $status + $ret`
146
147# Test 7 - acl allowed, query allowed
148n=`expr $n + 1`
149cp -f ns2/named07.conf ns2/named.conf
150$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
151sleep 5
152
153echo "I:test $n: acl allowed - query allowed"
154ret=0
155$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
156grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
157grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
158if [ $ret != 0 ]; then echo "I:failed"; fi
159status=`expr $status + $ret`
160
161# Test 8 - acl not allowed, query refused
162n=`expr $n + 1`
163cp -f ns2/named08.conf ns2/named.conf
164$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
165sleep 5
166
167echo "I:test $n: acl not allowed - query refused"
168ret=0
169$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
170grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
171grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
172if [ $ret != 0 ]; then echo "I:failed"; fi
173status=`expr $status + $ret`
174
175
176# Test 9 - acl disallowed, query refused
177n=`expr $n + 1`
178cp -f ns2/named09.conf ns2/named.conf
179$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
180sleep 5
181
182echo "I:test $n: acl disallowed - query refused"
183ret=0
184$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
185grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
186grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
187if [ $ret != 0 ]; then echo "I:failed"; fi
188status=`expr $status + $ret`
189
190# Test 10 - key allowed, query allowed
191n=`expr $n + 1`
192cp -f ns2/named10.conf ns2/named.conf
193$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
194sleep 5
195
196echo "I:test $n: key allowed - query allowed"
197ret=0
198$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
199grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
200grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
201if [ $ret != 0 ]; then echo "I:failed"; fi
202status=`expr $status + $ret`
203
204# Test 11 - key not allowed, query refused
205n=`expr $n + 1`
206cp -f ns2/named11.conf ns2/named.conf
207$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
208sleep 5
209
210echo "I:test $n: key not allowed - query refused"
211ret=0
212$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
213grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
214grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
215if [ $ret != 0 ]; then echo "I:failed"; fi
216status=`expr $status + $ret`
217
218# Test 12 - key disallowed, query refused
219n=`expr $n + 1`
220cp -f ns2/named12.conf ns2/named.conf
221$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
222sleep 5
223
224echo "I:test $n: key disallowed - query refused"
225ret=0
226$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
227grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
228grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
229if [ $ret != 0 ]; then echo "I:failed"; fi
230status=`expr $status + $ret`
231
232# The next set of tests check if allow-query works in a view
233
234n=20
235# Test 21 - views default, query allowed
236n=`expr $n + 1`
237cp -f ns2/named21.conf ns2/named.conf
238$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
239sleep 5
240
241echo "I:test $n: views default - query allowed"
242ret=0
243$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
244grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
245grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
246if [ $ret != 0 ]; then echo "I:failed"; fi
247status=`expr $status + $ret`
248
249# Test 22 - views explicit any, query allowed
250n=`expr $n + 1`
251cp -f ns2/named22.conf ns2/named.conf
252$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
253sleep 5
254
255echo "I:test $n: views explicit any - query allowed"
256ret=0
257$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
258grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
259grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
260if [ $ret != 0 ]; then echo "I:failed"; fi
261status=`expr $status + $ret`
262
263# Test 23 - views none, query refused
264n=`expr $n + 1`
265cp -f ns2/named23.conf ns2/named.conf
266$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
267sleep 5
268
269echo "I:test $n: views none - query refused"
270ret=0
271$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
272grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
273grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
274if [ $ret != 0 ]; then echo "I:failed"; fi
275status=`expr $status + $ret`
276
277# Test 24 - views address allowed, query allowed
278n=`expr $n + 1`
279cp -f ns2/named24.conf ns2/named.conf
280$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
281sleep 5
282
283echo "I:test $n: views address allowed - query allowed"
284ret=0
285$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
286grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
287grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
288if [ $ret != 0 ]; then echo "I:failed"; fi
289status=`expr $status + $ret`
290
291# Test 25 - views address not allowed, query refused
292n=`expr $n + 1`
293cp -f ns2/named25.conf ns2/named.conf
294$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
295sleep 5
296
297echo "I:test $n: views address not allowed - query refused"
298ret=0
299$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
300grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
301grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
302if [ $ret != 0 ]; then echo "I:failed"; fi
303status=`expr $status + $ret`
304
305# Test 26 - views address disallowed, query refused
306n=`expr $n + 1`
307cp -f ns2/named26.conf ns2/named.conf
308$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
309sleep 5
310
311echo "I:test $n: views address disallowed - query refused"
312ret=0
313$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
314grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
315grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
316if [ $ret != 0 ]; then echo "I:failed"; fi
317status=`expr $status + $ret`
318
319# Test 27 - views acl allowed, query allowed
320n=`expr $n + 1`
321cp -f ns2/named27.conf ns2/named.conf
322$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
323sleep 5
324
325echo "I:test $n: views acl allowed - query allowed"
326ret=0
327$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
328grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
329grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
330if [ $ret != 0 ]; then echo "I:failed"; fi
331status=`expr $status + $ret`
332
333# Test 28 - views acl not allowed, query refused
334n=`expr $n + 1`
335cp -f ns2/named28.conf ns2/named.conf
336$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
337sleep 5
338
339echo "I:test $n: views acl not allowed - query refused"
340ret=0
341$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
342grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
343grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
344if [ $ret != 0 ]; then echo "I:failed"; fi
345status=`expr $status + $ret`
346
347# Test 29 - views acl disallowed, query refused
348n=`expr $n + 1`
349cp -f ns2/named29.conf ns2/named.conf
350$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
351sleep 5
352
353echo "I:test $n: views acl disallowed - query refused"
354ret=0
355$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
356grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
357grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
358if [ $ret != 0 ]; then echo "I:failed"; fi
359status=`expr $status + $ret`
360
361# Test 30 - views key allowed, query allowed
362n=`expr $n + 1`
363cp -f ns2/named30.conf ns2/named.conf
364$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
365sleep 5
366
367echo "I:test $n: views key allowed - query allowed"
368ret=0
369$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
370grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
371grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
372if [ $ret != 0 ]; then echo "I:failed"; fi
373status=`expr $status + $ret`
374
375# Test 31 - views key not allowed, query refused
376n=`expr $n + 1`
377cp -f ns2/named31.conf ns2/named.conf
378$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
379sleep 5
380
381echo "I:test $n: views key not allowed - query refused"
382ret=0
383$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
384grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
385grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
386if [ $ret != 0 ]; then echo "I:failed"; fi
387status=`expr $status + $ret`
388
389# Test 32 - views key disallowed, query refused
390n=`expr $n + 1`
391cp -f ns2/named32.conf ns2/named.conf
392$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
393sleep 5
394
395echo "I:test $n: views key disallowed - query refused"
396ret=0
397$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
398grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
399grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
400if [ $ret != 0 ]; then echo "I:failed"; fi
401status=`expr $status + $ret`
402
403# Test 33 - views over options, views allow, query allowed
404n=`expr $n + 1`
405cp -f ns2/named33.conf ns2/named.conf
406$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
407sleep 5
408
409echo "I:test $n: views over options, views allow - query allowed"
410ret=0
411$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
412grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
413grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
414if [ $ret != 0 ]; then echo "I:failed"; fi
415status=`expr $status + $ret`
416
417# Test 34 - views over options, views disallow, query refused
418n=`expr $n + 1`
419cp -f ns2/named34.conf ns2/named.conf
420$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
421sleep 5
422
423echo "I:test $n: views over options, views disallow - query refused"
424ret=0
425$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
426grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
427grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
428if [ $ret != 0 ]; then echo "I:failed"; fi
429status=`expr $status + $ret`
430
431# Tests for allow-query in the zone statements
432
433n=40
434
435# Test 41 - zone default, query allowed
436n=`expr $n + 1`
437cp -f ns2/named40.conf ns2/named.conf
438$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
439sleep 5
440
441echo "I:test $n: zone default - query allowed"
442ret=0
443$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
444grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
445grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
446if [ $ret != 0 ]; then echo "I:failed"; fi
447status=`expr $status + $ret`
448
449# Test 42 - zone explicit any, query allowed
450n=`expr $n + 1`
451echo "I:test $n: zone explicit any - query allowed"
452ret=0
453$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.any.example a > dig.out.ns2.$n || ret=1
454grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
455grep '^a.any.example' dig.out.ns2.$n > /dev/null || ret=1
456if [ $ret != 0 ]; then echo "I:failed"; fi
457status=`expr $status + $ret`
458
459# Test 43 - zone none, query refused
460n=`expr $n + 1`
461echo "I:test $n: zone none - query refused"
462ret=0
463$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.none.example a > dig.out.ns2.$n || ret=1
464grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
465grep '^a.none.example' dig.out.ns2.$n > /dev/null && ret=1
466if [ $ret != 0 ]; then echo "I:failed"; fi
467status=`expr $status + $ret`
468
469# Test 44 - zone address allowed, query allowed
470n=`expr $n + 1`
471echo "I:test $n: zone address allowed - query allowed"
472ret=0
473$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrallow.example a > dig.out.ns2.$n || ret=1
474grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
475grep '^a.addrallow.example' dig.out.ns2.$n > /dev/null || ret=1
476if [ $ret != 0 ]; then echo "I:failed"; fi
477status=`expr $status + $ret`
478
479# Test 45 - zone address not allowed, query refused
480n=`expr $n + 1`
481echo "I:test $n: zone address not allowed - query refused"
482ret=0
483$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrnotallow.example a > dig.out.ns2.$n || ret=1
484grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
485grep '^a.addrnotallow.example' dig.out.ns2.$n > /dev/null && ret=1
486if [ $ret != 0 ]; then echo "I:failed"; fi
487status=`expr $status + $ret`
488
489# Test 46 - zone address disallowed, query refused
490n=`expr $n + 1`
491echo "I:test $n: zone address disallowed - query refused"
492ret=0
493$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrdisallow.example a > dig.out.ns2.$n || ret=1
494grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
495grep '^a.addrdisallow.example' dig.out.ns2.$n > /dev/null && ret=1
496if [ $ret != 0 ]; then echo "I:failed"; fi
497status=`expr $status + $ret`
498
499# Test 47 - zone acl allowed, query allowed
500n=`expr $n + 1`
501echo "I:test $n: zone acl allowed - query allowed"
502ret=0
503$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclallow.example a > dig.out.ns2.$n || ret=1
504grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
505grep '^a.aclallow.example' dig.out.ns2.$n > /dev/null || ret=1
506if [ $ret != 0 ]; then echo "I:failed"; fi
507status=`expr $status + $ret`
508
509# Test 48 - zone acl not allowed, query refused
510n=`expr $n + 1`
511echo "I:test $n: zone acl not allowed - query refused"
512ret=0
513$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.$n || ret=1
514grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
515grep '^a.aclnotallow.example' dig.out.ns2.$n > /dev/null && ret=1
516if [ $ret != 0 ]; then echo "I:failed"; fi
517status=`expr $status + $ret`
518
519# Test 49 - zone acl disallowed, query refused
520n=`expr $n + 1`
521echo "I:test $n: zone acl disallowed - query refused"
522ret=0
523$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.acldisallow.example a > dig.out.ns2.$n || ret=1
524grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
525grep '^a.acldisallow.example' dig.out.ns2.$n > /dev/null && ret=1
526if [ $ret != 0 ]; then echo "I:failed"; fi
527status=`expr $status + $ret`
528
529# Test 50 - zone key allowed, query allowed
530n=`expr $n + 1`
531echo "I:test $n: zone key allowed - query allowed"
532ret=0
533$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
534grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
535grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
536if [ $ret != 0 ]; then echo "I:failed"; fi
537status=`expr $status + $ret`
538
539# Test 51 - zone key not allowed, query refused
540n=`expr $n + 1`
541echo "I:test $n: zone key not allowed - query refused"
542ret=0
543$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
544grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
545grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
546if [ $ret != 0 ]; then echo "I:failed"; fi
547status=`expr $status + $ret`
548
549# Test 52 - zone key disallowed, query refused
550n=`expr $n + 1`
551echo "I:test $n: zone key disallowed - query refused"
552ret=0
553$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
554grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
555grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
556if [ $ret != 0 ]; then echo "I:failed"; fi
557status=`expr $status + $ret`
558
559# Test 53 - zones over options, zones allow, query allowed
560n=`expr $n + 1`
561cp -f ns2/named53.conf ns2/named.conf
562$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
563sleep 5
564
565echo "I:test $n: views over options, views allow - query allowed"
566ret=0
567$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
568grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
569grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
570if [ $ret != 0 ]; then echo "I:failed"; fi
571status=`expr $status + $ret`
572
573# Test 54 - zones over options, zones disallow, query refused
574n=`expr $n + 1`
575cp -f ns2/named54.conf ns2/named.conf
576$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
577sleep 5
578
579echo "I:test $n: views over options, views disallow - query refused"
580ret=0
581$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
582grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
583grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
584if [ $ret != 0 ]; then echo "I:failed"; fi
585status=`expr $status + $ret`
586
587# Test 55 - zones over views, zones allow, query allowed
588n=`expr $n + 1`
589cp -f ns2/named55.conf ns2/named.conf
590$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
591sleep 5
592
593echo "I:test $n: zones over views, views allow - query allowed"
594ret=0
595$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
596grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
597grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
598if [ $ret != 0 ]; then echo "I:failed"; fi
599status=`expr $status + $ret`
600
601# Test 56 - zones over views, zones disallow, query refused
602n=`expr $n + 1`
603cp -f ns2/named56.conf ns2/named.conf
604$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
605sleep 5
606
607echo "I:test $n: zones over views, views disallow - query refused"
608ret=0
609$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
610grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
611grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
612if [ $ret != 0 ]; then echo "I:failed"; fi
613status=`expr $status + $ret`
614
615echo "I:exit status: $status"
616exit $status
617
618