1#!/bin/sh
2
3# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
4#
5# SPDX-License-Identifier: MPL-2.0
6#
7# This Source Code Form is subject to the terms of the Mozilla Public
8# License, v. 2.0.  If a copy of the MPL was not distributed with this
9# file, you can obtain one at https://mozilla.org/MPL/2.0/.
10#
11# See the COPYRIGHT file distributed with this work for additional
12# information regarding copyright ownership.
13
14set -e
15
16. ../conf.sh
17
18DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
19RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"
20
21status=0
22t=0
23
24echo_i "testing basic ACL processing"
25# key "one" should fail
26t=$((t + 1))
27$DIG $DIGOPTS tsigzone. \
28  @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 >dig.out.${t}
29grep "^;" dig.out.${t} >/dev/null 2>&1 || {
30  echo_i "test $t failed"
31  status=1
32}
33
34# any other key should be fine
35t=$((t + 1))
36$DIG $DIGOPTS tsigzone. \
37  @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t}
38grep "^;" dig.out.${t} >/dev/null 2>&1 && {
39  echo_i "test $t failed"
40  status=1
41}
42
43copy_setports ns2/named2.conf.in ns2/named.conf
44rndc_reload ns2 10.53.0.2
45sleep 5
46
47# prefix 10/8 should fail
48t=$((t + 1))
49$DIG $DIGOPTS tsigzone. \
50  @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 >dig.out.${t}
51grep "^;" dig.out.${t} >/dev/null 2>&1 || {
52  echo_i "test $t failed"
53  status=1
54}
55
56# any other address should work, as long as it sends key "one"
57t=$((t + 1))
58$DIG $DIGOPTS tsigzone. \
59  @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 >dig.out.${t}
60grep "^;" dig.out.${t} >/dev/null 2>&1 || {
61  echo_i "test $t failed"
62  status=1
63}
64
65t=$((t + 1))
66$DIG $DIGOPTS tsigzone. \
67  @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 >dig.out.${t}
68grep "^;" dig.out.${t} >/dev/null 2>&1 && {
69  echo_i "test $t failed"
70  status=1
71}
72
73echo_i "testing nested ACL processing"
74# all combinations of 10.53.0.{1|2} with key {one|two}, should succeed
75copy_setports ns2/named3.conf.in ns2/named.conf
76rndc_reload ns2 10.53.0.2
77sleep 5
78
79# should succeed
80t=$((t + 1))
81$DIG $DIGOPTS tsigzone. \
82  @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 >dig.out.${t}
83grep "^;" dig.out.${t} >/dev/null 2>&1 && {
84  echo_i "test $t failed"
85  status=1
86}
87
88# should succeed
89t=$((t + 1))
90$DIG $DIGOPTS tsigzone. \
91  @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 >dig.out.${t}
92grep "^;" dig.out.${t} >/dev/null 2>&1 && {
93  echo_i "test $t failed"
94  status=1
95}
96
97# should succeed
98t=$((t + 1))
99$DIG $DIGOPTS tsigzone. \
100  @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t}
101grep "^;" dig.out.${t} >/dev/null 2>&1 && {
102  echo_i "test $t failed"
103  status=1
104}
105
106# should succeed
107t=$((t + 1))
108$DIG $DIGOPTS tsigzone. \
109  @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t}
110grep "^;" dig.out.${t} >/dev/null 2>&1 && {
111  echo_i "test $t failed"
112  status=1
113}
114
115# but only one or the other should fail
116t=$((t + 1))
117$DIG $DIGOPTS tsigzone. \
118  @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 >dig.out.${t}
119grep "^;" dig.out.${t} >/dev/null 2>&1 || {
120  echo_i "test $t failed"
121  status=1
122}
123
124t=$((t + 1))
125$DIG $DIGOPTS tsigzone. \
126  @10.53.0.2 -b 10.53.0.2 axfr >dig.out.${t}
127grep "^;" dig.out.${t} >/dev/null 2>&1 || {
128  echo_i "test $tt failed"
129  status=1
130}
131
132# and other values? right out
133t=$((t + 1))
134$DIG $DIGOPTS tsigzone. \
135  @10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" >dig.out.${t}
136grep "^;" dig.out.${t} >/dev/null 2>&1 || {
137  echo_i "test $t failed"
138  status=1
139}
140
141# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
142copy_setports ns2/named4.conf.in ns2/named.conf
143rndc_reload ns2 10.53.0.2
144sleep 5
145
146# should succeed
147t=$((t + 1))
148$DIG $DIGOPTS tsigzone. \
149  @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 >dig.out.${t}
150grep "^;" dig.out.${t} >/dev/null 2>&1 && {
151  echo_i "test $t failed"
152  status=1
153}
154
155# should succeed
156t=$((t + 1))
157$DIG $DIGOPTS tsigzone. \
158  @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 >dig.out.${t}
159grep "^;" dig.out.${t} >/dev/null 2>&1 && {
160  echo_i "test $t failed"
161  status=1
162}
163
164# should fail
165t=$((t + 1))
166$DIG $DIGOPTS tsigzone. \
167  @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 >dig.out.${t}
168grep "^;" dig.out.${t} >/dev/null 2>&1 || {
169  echo_i "test $t failed"
170  status=1
171}
172
173# should fail
174t=$((t + 1))
175$DIG $DIGOPTS tsigzone. \
176  @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t}
177grep "^;" dig.out.${t} >/dev/null 2>&1 || {
178  echo_i "test $t failed"
179  status=1
180}
181
182# should fail
183t=$((t + 1))
184$DIG $DIGOPTS tsigzone. \
185  @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 >dig.out.${t}
186grep "^;" dig.out.${t} >/dev/null 2>&1 || {
187  echo_i "test $t failed"
188  status=1
189}
190
191echo_i "testing allow-query-on ACL processing"
192copy_setports ns2/named5.conf.in ns2/named.conf
193rndc_reload ns2 10.53.0.2
194sleep 5
195t=$((t + 1))
196$DIG -p ${PORT} +tcp soa example. \
197  @10.53.0.2 -b 10.53.0.3 >dig.out.${t}
198grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
199  echo_i "test $t failed"
200  status=1
201}
202
203echo_i "testing blackhole ACL processing"
204t=$((t + 1))
205ret=0
206$DIG -p ${PORT} +tcp soa example. \
207  @10.53.0.2 -b 10.53.0.3 >dig.out.1.${t}
208grep "status: NOERROR" dig.out.1.${t} >/dev/null 2>&1 || ret=1
209$DIG -p ${PORT} +tcp soa example. \
210  @10.53.0.2 -b 10.53.0.8 >dig.out.2.${t} && ret=1
211grep "status: NOERROR" dig.out.2.${t} >/dev/null 2>&1 && ret=1
212grep "communications error" dig.out.2.${t} >/dev/null 2>&1 || ret=1
213$DIG -p ${PORT} soa example. \
214  @10.53.0.2 -b 10.53.0.3 >dig.out.3.${t}
215grep "status: NOERROR" dig.out.3.${t} >/dev/null 2>&1 || ret=1
216$DIG -p ${PORT} soa example. \
217  @10.53.0.2 -b 10.53.0.8 >dig.out.4.${t} && ret=1
218grep "status: NOERROR" dig.out.4.${t} >/dev/null 2>&1 && ret=1
219grep "timed out" dig.out.4.${t} >/dev/null 2>&1 || ret=1
220grep ";; no servers could be reached" dig.out.4.${t} >/dev/null 2>&1 || ret=1
221[ $ret -eq 0 ] || echo_i "failed"
222status=$((status + ret))
223
224# AXFR tests against ns3
225
226echo_i "testing allow-transfer ACLs against ns3 (no existing zones)"
227
228echo_i "calling addzone example.com on ns3"
229$RNDCCMD 10.53.0.3 addzone 'example.com {type primary; file "example.db"; }; '
230sleep 1
231
232t=$((t + 1))
233ret=0
234echo_i "checking AXFR of example.com from ns3 with ACL allow-transfer { none; }; (${t})"
235$DIG -p ${PORT} @10.53.0.3 example.com axfr >dig.out.${t} 2>&1
236grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
237[ $ret -eq 0 ] || echo_i "failed"
238status=$((status + ret))
239
240echo_i "calling rndc reconfig"
241rndc_reconfig ns3 10.53.0.3
242
243sleep 1
244
245t=$((t + 1))
246ret=0
247echo_i "re-checking AXFR of example.com from ns3 with ACL allow-transfer { none; }; (${t})"
248$DIG -p ${PORT} @10.53.0.3 example.com axfr >dig.out.${t} 2>&1
249grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
250[ $ret -eq 0 ] || echo_i "failed"
251status=$((status + ret))
252
253# AXFR tests against ns4
254
255echo_i "testing allow-transfer ACLs against ns4 (1 pre-existing zone)"
256
257echo_i "calling addzone example.com on ns4"
258$RNDCCMD 10.53.0.4 addzone 'example.com {type primary; file "example.db"; }; '
259sleep 1
260
261t=$((t + 1))
262ret=0
263echo_i "checking AXFR of example.com from ns4 with ACL allow-transfer { none; }; (${t})"
264$DIG -p ${PORT} @10.53.0.4 example.com axfr >dig.out.${t} 2>&1
265grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
266[ $ret -eq 0 ] || echo_i "failed"
267status=$((status + ret))
268
269echo_i "calling rndc reconfig"
270rndc_reconfig ns4 10.53.0.4
271
272sleep 1
273
274t=$((t + 1))
275ret=0
276echo_i "re-checking AXFR of example.com from ns4 with ACL allow-transfer { none; }; (${t})"
277$DIG -p ${PORT} @10.53.0.4 example.com axfr >dig.out.${t} 2>&1
278grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
279[ $ret -eq 0 ] || echo_i "failed"
280status=$((status + ret))
281
282echo_i "exit status: $status"
283[ $status -eq 0 ] || exit 1
284