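#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# ACL system test.
#
# Exercises named's ACL handling on ns2 (10.53.0.2) by reloading a series of
# configurations (named2..named5.conf.in) and checking that zone transfers of
# "tsigzone." are allowed or refused depending on the client source address
# and the TSIG key used, including nested ACLs that combine both.  It then
# checks allow-query-on and blackhole behaviour, and finally verifies on ns3
# and ns4 that a zone added with "rndc addzone" cannot be transferred under
# "allow-transfer { none; };", both before and after "rndc reconfig".
#
# Every check writes dig's output to dig.out.<n> (or dig.out.<k>.<n>) and
# reports "test <n> failed" via echo_i; the script exits non-zero if any
# check failed.
#
# Expects ../conf.sh to provide DIG, RNDC, PORT, CONTROLPORT, DEFAULT_HMAC
# and the echo_i, copy_setports, rndc_reload and rndc_reconfig helpers.

set -e

. ../conf.sh

DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"

status=0
t=0

#######################################
# Start the next numbered check and request an AXFR of tsigzone. from ns2.
# Globals:   t (incremented), DIG, DIGOPTS
# Arguments: $1 - source address passed to "dig -b"
#            $2 - TSIG key spec passed to "dig -y"; omit for an unsigned query
# Outputs:   dig output in dig.out.${t}
#######################################
axfr_tsigzone() {
  t=$((t + 1))
  # $DIG and $DIGOPTS are deliberately unquoted: both expand to several words.
  if [ $# -ge 2 ]; then
    $DIG $DIGOPTS tsigzone. @10.53.0.2 -b "$1" axfr -y "$2" >"dig.out.${t}"
  else
    $DIG $DIGOPTS tsigzone. @10.53.0.2 -b "$1" axfr >"dig.out.${t}"
  fi
}

#######################################
# Judge the outcome of the most recent axfr_tsigzone call.
#
# With the +nocomm/+nocmd/+nostat/... options in DIGOPTS, a successful AXFR
# prints only resource records, whereas a refused transfer leaves dig
# printing ";"-prefixed comment lines (the transfer-failure message).  The
# presence of a line starting with ";" is therefore used as the "refused"
# marker.
# Globals:   t (read), status (set to 1 on failure)
#######################################
expect_refused() {
  if ! grep "^;" "dig.out.${t}" >/dev/null 2>&1; then
    echo_i "test $t failed"
    status=1
  fi
}

expect_allowed() {
  if grep "^;" "dig.out.${t}" >/dev/null 2>&1; then
    echo_i "test $t failed"
    status=1
  fi
}

#######################################
# Add example.com with "rndc addzone" on a server and check that AXFR of it
# is refused, then "rndc reconfig" and check again.
# Globals:   t (incremented twice), status (accumulated), RNDCCMD, DIG, PORT
# Arguments: $1 - server directory name (e.g. ns3)
#            $2 - server address
# Outputs:   dig output in dig.out.${t} for each of the two checks
#######################################
check_addzone_transfer_refused() {
  echo_i "calling addzone example.com on $1"
  # $RNDCCMD is deliberately unquoted; it ends with "-s" so the address follows.
  $RNDCCMD "$2" addzone 'example.com {type primary; file "example.db"; }; '
  sleep 1

  t=$((t + 1))
  ret=0
  echo_i "checking AXFR of example.com from $1 with ACL allow-transfer { none; }; (${t})"
  $DIG -p "${PORT}" @"$2" example.com axfr >"dig.out.${t}" 2>&1
  grep "Transfer failed." "dig.out.${t}" >/dev/null 2>&1 || ret=1
  [ "$ret" -eq 0 ] || echo_i "failed"
  status=$((status + ret))

  echo_i "calling rndc reconfig"
  rndc_reconfig "$1" "$2"
  sleep 1

  t=$((t + 1))
  ret=0
  echo_i "re-checking AXFR of example.com from $1 with ACL allow-transfer { none; }; (${t})"
  $DIG -p "${PORT}" @"$2" example.com axfr >"dig.out.${t}" 2>&1
  grep "Transfer failed." "dig.out.${t}" >/dev/null 2>&1 || ret=1
  [ "$ret" -eq 0 ] || echo_i "failed"
  status=$((status + ret))
}

echo_i "testing basic ACL processing"
# key "one" should fail
axfr_tsigzone 10.53.0.1 one:1234abcd8765
expect_refused

# any other key should be fine
axfr_tsigzone 10.53.0.1 two:1234abcd8765
expect_allowed

copy_setports ns2/named2.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
sleep 5 # allow the reload to take effect before querying

# prefix 10/8 should fail
axfr_tsigzone 10.53.0.1 one:1234abcd8765
expect_refused

# any other address should work, as long as it sends key "one"
axfr_tsigzone 127.0.0.1 two:1234abcd8765
expect_refused

axfr_tsigzone 127.0.0.1 one:1234abcd8765
expect_allowed

echo_i "testing nested ACL processing"
# all combinations of 10.53.0.{1|2} with key {one|two}, should succeed
copy_setports ns2/named3.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
sleep 5

# should succeed
axfr_tsigzone 10.53.0.2 two:1234abcd8765
expect_allowed

# should succeed
axfr_tsigzone 10.53.0.2 one:1234abcd8765
expect_allowed

# should succeed
axfr_tsigzone 10.53.0.1 two:1234abcd8765
expect_allowed

# should succeed
# (the fourth combination; the script previously repeated 10.53.0.1/two here
# instead of covering 10.53.0.1/one)
axfr_tsigzone 10.53.0.1 one:1234abcd8765
expect_allowed

# but only one or the other should fail
axfr_tsigzone 127.0.0.1 one:1234abcd8765
expect_refused

# unsigned transfer from a listed address
axfr_tsigzone 10.53.0.2
expect_refused

# and other values? right out
axfr_tsigzone 127.0.0.1 "${DEFAULT_HMAC}:three:1234abcd8765"
expect_refused

# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
copy_setports ns2/named4.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
sleep 5

# should succeed
axfr_tsigzone 10.53.0.2 two:1234abcd8765
expect_allowed

# should succeed
axfr_tsigzone 10.53.0.1 one:1234abcd8765
expect_allowed

# should fail
axfr_tsigzone 10.53.0.2 one:1234abcd8765
expect_refused

# should fail
axfr_tsigzone 10.53.0.1 two:1234abcd8765
expect_refused

# should fail
axfr_tsigzone 10.53.0.3 one:1234abcd8765
expect_refused

echo_i "testing allow-query-on ACL processing"
copy_setports ns2/named5.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
sleep 5
t=$((t + 1))
$DIG -p "${PORT}" +tcp soa example. @10.53.0.2 -b 10.53.0.3 >"dig.out.${t}"
if ! grep "status: NOERROR" "dig.out.${t}" >/dev/null 2>&1; then
  echo_i "test $t failed"
  status=1
fi

echo_i "testing blackhole ACL processing"
t=$((t + 1))
ret=0
# Queries from 10.53.0.3 are expected to be answered over both TCP and UDP.
$DIG -p "${PORT}" +tcp soa example. @10.53.0.2 -b 10.53.0.3 >"dig.out.1.${t}"
grep "status: NOERROR" "dig.out.1.${t}" >/dev/null 2>&1 || ret=1
# Queries from 10.53.0.8 are expected to be dropped: dig must exit non-zero,
# produce no answer, and report the transport-level failure.
$DIG -p "${PORT}" +tcp soa example. @10.53.0.2 -b 10.53.0.8 >"dig.out.2.${t}" && ret=1
grep "status: NOERROR" "dig.out.2.${t}" >/dev/null 2>&1 && ret=1
grep "communications error" "dig.out.2.${t}" >/dev/null 2>&1 || ret=1
$DIG -p "${PORT}" soa example. @10.53.0.2 -b 10.53.0.3 >"dig.out.3.${t}"
grep "status: NOERROR" "dig.out.3.${t}" >/dev/null 2>&1 || ret=1
$DIG -p "${PORT}" soa example. @10.53.0.2 -b 10.53.0.8 >"dig.out.4.${t}" && ret=1
grep "status: NOERROR" "dig.out.4.${t}" >/dev/null 2>&1 && ret=1
grep "timed out" "dig.out.4.${t}" >/dev/null 2>&1 || ret=1
grep ";; no servers could be reached" "dig.out.4.${t}" >/dev/null 2>&1 || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# AXFR tests against ns3

echo_i "testing allow-transfer ACLs against ns3 (no existing zones)"
check_addzone_transfer_refused ns3 10.53.0.3

# AXFR tests against ns4

echo_i "testing allow-transfer ACLs against ns4 (1 pre-existing zone)"
check_addzone_transfer_refused ns4 10.53.0.4

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1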