1#!/bin/sh
2
3# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
4#
5# SPDX-License-Identifier: MPL-2.0
6#
7# This Source Code Form is subject to the terms of the Mozilla Public
8# License, v. 2.0.  If a copy of the MPL was not distributed with this
9# file, you can obtain one at https://mozilla.org/MPL/2.0/.
10#
11# See the COPYRIGHT file distributed with this work for additional
12# information regarding copyright ownership.
13
14# Test of allow-query statement.
15# allow-query takes an address match list and can be included in either the
16# options statement or in the zone statement.  This test assumes that the
17# acl tests cover the details of the address match list and uses a limited
18# number of address match test cases to ensure that allow-query finds the
19# expected match.
20# Test list:
21# In options:
22# default (any), any, none, [localhost, localnets],
23# allowed address, not allowed address, denied address,
24# allowed key, not allowed key, denied key
25# allowed acl, not allowed acl, denied acl (acls pointing to addresses)
26#
27# Each of these tests requires changing to a new configuration
28# file and using rndc to update the server
29#
30# In view, with nothing in options (default to any)
31# default (any), any, none, [localhost, localnets],
32# allowed address, not allowed address, denied address,
33# allowed key, not allowed key, denied key
34# allowed acl, not allowed acl, denied acl (acls pointing to addresses)
35#
36# In view, with options set to none, view set to any
37# In view, with options set to any, view set to none
38#
39# In zone, with nothing in options (default to any)
40# any, none, [localhost, localnets],
41# allowed address, denied address,
42# allowed key, not allowed key, denied key
43# allowed acl, not allowed acl, denied acl (acls pointing to addresses),
44#
45# In zone, with options set to none, zone set to any
46# In zone, with options set to any, zone set to none
47# In zone, with view set to none, zone set to any
48# In zone, with view set to any, zone set to none
49#
50# zone types of primary, secondary and stub can be tested in parallel by
51# using multiple instances (ns2 as primary, ns3 as secondary, ns4 as stub)
52# and querying as necessary.
53#
54
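set -e

. ../conf.sh

# Options shared by every ns2 query: TCP, no recursion, and +dnssec (which
# implies EDNS) so that a refusal can carry an Extended DNS Error option.
DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnssec -p ${PORT}"
# Same, but with EDNS disabled: a refusal must then carry no EDE at all.
DIGNOEDNS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +noedns -p ${PORT}"

# TSIG keys used by the "key allowed" / "key not allowed" cases
# (presumably declared in the ns2 named*.conf.in templates - verify there).
KEY_ONE=one:1234abcd8765
KEY_TWO=two:1234efgh8765

status=0 # number of failed tests; non-zero makes the script exit 1
n=0      # test counter; also names the dig output files (dig.out.ns2.$n)
ret=0    # result of the test currently running (0 = pass, 1 = fail)

#######################################
# Install a configuration template on a server instance and reload it.
# Arguments: $1 - instance directory (ns2 or ns3)
#            $2 - template file name inside that directory (e.g. named02.conf.in)
#            $3 - address the instance listens on (for rndc)
#######################################
reload_server() {
  copy_setports "$1/$2" "$1/named.conf"
  rndc_reload "$1" "$3"
}

#######################################
# Announce a test case and reset its result.
# Arguments: $1 - description printed after "test $n: "
# Globals:   n (read), ret (written)
#######################################
start_test() {
  echo_i "test $n: $1"
  ret=0
}

#######################################
# Report and accumulate the result of the test case that has just run.
# Globals:   ret (read), status (written)
#######################################
end_test() {
  if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
}

#######################################
# Query ns2 (from 10.53.0.2) for the A record of a name and require a
# NOERROR answer that contains a record for that name.
# Arguments: $1 - query name
#            $2 - file the dig output is written to
#            $@ - optional extra dig options placed before the name (e.g. -y key)
# Globals:   ret (set to 1 on any mismatch, left alone otherwise)
#######################################
expect_allowed() {
  qname=$1
  outfile=$2
  shift 2
  # $DIG and $DIGOPTS are option lists and are deliberately left unquoted.
  $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 "$@" "$qname" a >"$outfile" || ret=1
  grep 'status: NOERROR' "$outfile" >/dev/null || ret=1
  grep "^$qname" "$outfile" >/dev/null || ret=1
  # Always succeed: a failed check must be recorded in $ret, not abort the
  # whole run through "set -e".
  return 0
}

#######################################
# Query ns2 (from 10.53.0.2) for the A record of a name and require a
# REFUSED answer carrying "EDE: 18 (Prohibited)" and no record for the name.
# Arguments: $1 - query name
#            $2 - file the dig output is written to
#            $@ - optional extra dig options placed before the name (e.g. -y key)
# Globals:   ret (set to 1 on any mismatch, left alone otherwise)
#######################################
expect_refused() {
  qname=$1
  outfile=$2
  shift 2
  # $DIG and $DIGOPTS are option lists and are deliberately left unquoted.
  $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 "$@" "$qname" a >"$outfile" || ret=1
  grep 'status: REFUSED' "$outfile" >/dev/null || ret=1
  grep 'EDE: 18 (Prohibited)' "$outfile" >/dev/null || ret=1
  grep "^$qname" "$outfile" >/dev/null && ret=1
  # The "&& ret=1" above leaves a non-zero status when the check passes;
  # return 0 explicitly so "set -e" does not abort the caller.
  return 0
}

nextpart ns2/named.run >/dev/null

# Tests for allow-query in the options statement.
# (Test numbers below follow $n, so "none (no edns)" is test 4 and the
# address/acl/key cases are tests 5-13.)

# Test 1 - default, query allowed
n=$((n + 1))
start_test "default - query allowed"
expect_allowed a.normal.example dig.out.ns2.$n
end_test

# Test 2 - explicit any, query allowed
n=$((n + 1))
reload_server ns2 named02.conf.in 10.53.0.2
start_test "explicit any - query allowed"
expect_allowed a.normal.example dig.out.ns2.$n
end_test

# Test 3 - none, query refused
n=$((n + 1))
reload_server ns2 named03.conf.in 10.53.0.2
start_test "none - query refused"
expect_refused a.normal.example dig.out.ns2.$n
# the refusal must also show up in the server log
nextpart ns2/named.run | grep 'recursion not enabled for view' >/dev/null || ret=1
end_test

# Test 4 - none, query refused, queried without EDNS (so no EDE can be returned)
n=$((n + 1))
start_test "none - query refused (no edns)"
$DIG $DIGNOEDNS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null && ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
end_test

# Test 5 - address allowed, query allowed
n=$((n + 1))
reload_server ns2 named04.conf.in 10.53.0.2
start_test "address allowed - query allowed"
expect_allowed a.normal.example dig.out.ns2.$n
end_test

# Test 6 - address not allowed, query refused
n=$((n + 1))
reload_server ns2 named05.conf.in 10.53.0.2
start_test "address not allowed - query refused"
expect_refused a.normal.example dig.out.ns2.$n
end_test

# Test 7 - address disallowed, query refused
n=$((n + 1))
reload_server ns2 named06.conf.in 10.53.0.2
start_test "address disallowed - query refused"
expect_refused a.normal.example dig.out.ns2.$n
end_test

# Test 8 - acl allowed, query allowed
n=$((n + 1))
reload_server ns2 named07.conf.in 10.53.0.2
start_test "acl allowed - query allowed"
expect_allowed a.normal.example dig.out.ns2.$n
end_test

# Test 9 - acl not allowed, query refused
n=$((n + 1))
reload_server ns2 named08.conf.in 10.53.0.2
start_test "acl not allowed - query refused"
expect_refused a.normal.example dig.out.ns2.$n
end_test

# Test 10 - acl disallowed, query refused
n=$((n + 1))
reload_server ns2 named09.conf.in 10.53.0.2
start_test "acl disallowed - query refused"
expect_refused a.normal.example dig.out.ns2.$n
end_test

# Test 11 - key allowed, query allowed
n=$((n + 1))
reload_server ns2 named10.conf.in 10.53.0.2
start_test "key allowed - query allowed"
expect_allowed a.normal.example dig.out.ns2.$n -y "$KEY_ONE"
end_test

# Test 12 - key not allowed, query refused
n=$((n + 1))
reload_server ns2 named11.conf.in 10.53.0.2
start_test "key not allowed - query refused"
expect_refused a.normal.example dig.out.ns2.$n -y "$KEY_TWO"
end_test

# Test 13 - key disallowed, query refused
n=$((n + 1))
reload_server ns2 named12.conf.in 10.53.0.2
start_test "key disallowed - query refused"
expect_refused a.normal.example dig.out.ns2.$n -y "$KEY_ONE"
end_test

# The next set of tests check if allow-query works in a view

n=20
# Test 21 - views default, query allowed
n=$((n + 1))
reload_server ns2 named21.conf.in 10.53.0.2
start_test "views default - query allowed"
expect_allowed a.normal.example dig.out.ns2.$n
end_test

# Test 22 - views explicit any, query allowed
n=$((n + 1))
reload_server ns2 named22.conf.in 10.53.0.2
start_test "views explicit any - query allowed"
expect_allowed a.normal.example dig.out.ns2.$n
end_test

# Test 23 - views none, query refused
n=$((n + 1))
reload_server ns2 named23.conf.in 10.53.0.2
start_test "views none - query refused"
expect_refused a.normal.example dig.out.ns2.$n
end_test

# Test 24 - views address allowed, query allowed
n=$((n + 1))
reload_server ns2 named24.conf.in 10.53.0.2
start_test "views address allowed - query allowed"
expect_allowed a.normal.example dig.out.ns2.$n
end_test

# Test 25 - views address not allowed, query refused
n=$((n + 1))
reload_server ns2 named25.conf.in 10.53.0.2
start_test "views address not allowed - query refused"
expect_refused a.normal.example dig.out.ns2.$n
end_test

# Test 26 - views address disallowed, query refused
n=$((n + 1))
reload_server ns2 named26.conf.in 10.53.0.2
start_test "views address disallowed - query refused"
expect_refused a.normal.example dig.out.ns2.$n
end_test

# Test 27 - views acl allowed, query allowed
n=$((n + 1))
reload_server ns2 named27.conf.in 10.53.0.2
start_test "views acl allowed - query allowed"
expect_allowed a.normal.example dig.out.ns2.$n
end_test

# Test 28 - views acl not allowed, query refused
n=$((n + 1))
reload_server ns2 named28.conf.in 10.53.0.2
start_test "views acl not allowed - query refused"
expect_refused a.normal.example dig.out.ns2.$n
end_test

# Test 29 - views acl disallowed, query refused
n=$((n + 1))
reload_server ns2 named29.conf.in 10.53.0.2
start_test "views acl disallowed - query refused"
expect_refused a.normal.example dig.out.ns2.$n
end_test

# Test 30 - views key allowed, query allowed
n=$((n + 1))
reload_server ns2 named30.conf.in 10.53.0.2
start_test "views key allowed - query allowed"
expect_allowed a.normal.example dig.out.ns2.$n -y "$KEY_ONE"
end_test

# Test 31 - views key not allowed, query refused
n=$((n + 1))
reload_server ns2 named31.conf.in 10.53.0.2
start_test "views key not allowed - query refused"
expect_refused a.normal.example dig.out.ns2.$n -y "$KEY_TWO"
end_test

# Test 32 - views key disallowed, query refused
n=$((n + 1))
reload_server ns2 named32.conf.in 10.53.0.2
start_test "views key disallowed - query refused"
expect_refused a.normal.example dig.out.ns2.$n -y "$KEY_ONE"
end_test

# Test 33 - views over options, views allow, query allowed
n=$((n + 1))
reload_server ns2 named33.conf.in 10.53.0.2
start_test "views over options, views allow - query allowed"
expect_allowed a.normal.example dig.out.ns2.$n
end_test

# Test 34 - views over options, views disallow, query refused
n=$((n + 1))
reload_server ns2 named34.conf.in 10.53.0.2
start_test "views over options, views disallow - query refused"
expect_refused a.normal.example dig.out.ns2.$n
end_test

# Tests for allow-query in the zone statements
# (one configuration, named40.conf.in, holds all the per-zone cases;
# each case queries the zone that carries the allow-query under test)

n=40

# Test 41 - zone default, query allowed
n=$((n + 1))
reload_server ns2 named40.conf.in 10.53.0.2
start_test "zone default - query allowed"
expect_allowed a.normal.example dig.out.ns2.$n
end_test

# Test 42 - zone explicit any, query allowed
n=$((n + 1))
start_test "zone explicit any - query allowed"
expect_allowed a.any.example dig.out.ns2.$n
end_test

# Test 43 - zone none, query refused
n=$((n + 1))
start_test "zone none - query refused"
expect_refused a.none.example dig.out.ns2.$n
end_test

# Test 44 - zone address allowed, query allowed
n=$((n + 1))
start_test "zone address allowed - query allowed"
expect_allowed a.addrallow.example dig.out.ns2.$n
end_test

# Test 45 - zone address not allowed, query refused
n=$((n + 1))
start_test "zone address not allowed - query refused"
expect_refused a.addrnotallow.example dig.out.ns2.$n
end_test

# Test 46 - zone address disallowed, query refused
n=$((n + 1))
start_test "zone address disallowed - query refused"
expect_refused a.addrdisallow.example dig.out.ns2.$n
end_test

# Test 47 - zone acl allowed, query allowed
n=$((n + 1))
start_test "zone acl allowed - query allowed"
expect_allowed a.aclallow.example dig.out.ns2.$n
end_test

# Test 48 - zone acl not allowed, query refused
n=$((n + 1))
start_test "zone acl not allowed - query refused"
expect_refused a.aclnotallow.example dig.out.ns2.$n
end_test

# Test 49 - zone acl disallowed, query refused
n=$((n + 1))
start_test "zone acl disallowed - query refused"
expect_refused a.acldisallow.example dig.out.ns2.$n
end_test

# Test 50 - zone key allowed, query allowed
n=$((n + 1))
start_test "zone key allowed - query allowed"
expect_allowed a.keyallow.example dig.out.ns2.$n -y "$KEY_ONE"
end_test

# Test 51 - zone key not allowed, query refused
n=$((n + 1))
start_test "zone key not allowed - query refused"
expect_refused a.keyallow.example dig.out.ns2.$n -y "$KEY_TWO"
end_test

# Test 52 - zone key disallowed, query refused
n=$((n + 1))
start_test "zone key disallowed - query refused"
expect_refused a.keydisallow.example dig.out.ns2.$n -y "$KEY_ONE"
end_test

# Tests 53-56 are labelled after what they exercise (zone statements),
# not after the view tests they were modelled on.

# Test 53 - zones over options, zones allow, query allowed
n=$((n + 1))
reload_server ns2 named53.conf.in 10.53.0.2
start_test "zones over options, zones allow - query allowed"
expect_allowed a.normal.example dig.out.ns2.$n
end_test

# Test 54 - zones over options, zones disallow, query refused
n=$((n + 1))
reload_server ns2 named54.conf.in 10.53.0.2
start_test "zones over options, zones disallow - query refused"
expect_refused a.normal.example dig.out.ns2.$n
end_test

# Test 55 - zones over views, zones allow, query allowed
n=$((n + 1))
reload_server ns2 named55.conf.in 10.53.0.2
start_test "zones over views, zones allow - query allowed"
expect_allowed a.normal.example dig.out.ns2.$n
end_test

# Test 56 - zones over views, zones disallow, query refused
n=$((n + 1))
reload_server ns2 named56.conf.in 10.53.0.2
start_test "zones over views, zones disallow - query refused"
expect_refused a.normal.example dig.out.ns2.$n
end_test

# Test 57 - zones over views, zones disallow, query refused (allow-query-on)
n=$((n + 1))
reload_server ns2 named57.conf.in 10.53.0.2
start_test "zones over views, allow-query-on"
expect_allowed a.normal.example dig.out.ns2.1.$n
expect_refused a.aclnotallow.example dig.out.ns2.2.$n
end_test

# The remaining tests run against ns3 with recursion requested (no $DIGOPTS).
# Every dig is followed by "|| ret=1" so that a query failure (e.g. a
# timeout) is reported as a failed test instead of aborting the run via set -e.

# Test 58 - allow-recursion default
n=$((n + 1))
start_test "default allow-recursion configuration"
nextpart ns3/named.run >/dev/null
# from the loopback address the query is allowed ...
$DIG -p "${PORT}" @10.53.0.3 -b 127.0.0.1 a.normal.example a >dig.out.ns3.1.$n || ret=1
grep 'status: NOERROR' dig.out.ns3.1.$n >/dev/null || ret=1
# ... from 10.53.0.1 it is refused and the ACL miss is logged
$DIG -p "${PORT}" @10.53.0.3 -b 10.53.0.1 a.normal.example a >dig.out.ns3.2.$n || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion did not match' >/dev/null || ret=1
end_test

# Test 59 - allow-query-cache default
n=$((n + 1))
start_test "default allow-query-cache configuration"
$DIG -p "${PORT}" @10.53.0.3 -b 127.0.0.1 ns . >dig.out.ns3.1.$n || ret=1
grep 'status: NOERROR' dig.out.ns3.1.$n >/dev/null || ret=1
$DIG -p "${PORT}" @10.53.0.3 -b 10.53.0.1 ns . >dig.out.ns3.2.$n || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion did not match' >/dev/null || ret=1
end_test

# Test 60 - block recursion-on, allow query-cache-on
n=$((n + 1))
reload_server ns3 named2.conf.in 10.53.0.3
start_test "block recursion-on, allow query-cache-on"
# this should query the cache, and an answer should already be there
$DIG -p "${PORT}" @10.53.0.3 a.normal.example a >dig.out.ns3.1.$n || ret=1
grep 'recursion requested but not available' dig.out.ns3.1.$n >/dev/null || ret=1
grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1
# this should require recursion and therefore can't get an answer
$DIG -p "${PORT}" @10.53.0.3 b.normal.example a >dig.out.ns3.2.$n || ret=1
grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'ANSWER: 0' dig.out.ns3.2.$n >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion-on did not match' >/dev/null || ret=1
end_test

# Test 61 - inheritance of allow-query-cache-on from allow-recursion-on
n=$((n + 1))
reload_server ns3 named3.conf.in 10.53.0.3
start_test "inheritance of allow-query-cache-on"
# this should query the cache, an answer should already be there
$DIG -p "${PORT}" @10.53.0.3 a.normal.example a >dig.out.ns3.1.$n || ret=1
grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1
# this should be refused due to allow-recursion-on/allow-query-cache-on
$DIG -p "${PORT}" @10.53.1.2 a.normal.example a >dig.out.ns3.2.$n || ret=1
grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1
# this should require recursion and should be allowed
$DIG -p "${PORT}" @10.53.0.3 c.normal.example a >dig.out.ns3.3.$n || ret=1
grep 'ANSWER: 1' dig.out.ns3.3.$n >/dev/null || ret=1
# this should require recursion and be refused
$DIG -p "${PORT}" @10.53.1.2 d.normal.example a >dig.out.ns3.4.$n || ret=1
grep 'recursion requested but not available' dig.out.ns3.4.$n >/dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.4.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion-on did not match' >/dev/null || ret=1
end_test

# Test 62 - inheritance of allow-recursion-on from allow-query-cache-on
n=$((n + 1))
reload_server ns3 named4.conf.in 10.53.0.3
start_test "inheritance of allow-recursion-on"
# this should query the cache, an answer should already be there
$DIG -p "${PORT}" @10.53.0.3 a.normal.example a >dig.out.ns3.1.$n || ret=1
grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1
# this should be refused due to allow-recursion-on/allow-query-cache-on
$DIG -p "${PORT}" @10.53.1.2 a.normal.example a >dig.out.ns3.2.$n || ret=1
grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1
# this should require recursion and should be allowed
$DIG -p "${PORT}" @10.53.0.3 e.normal.example a >dig.out.ns3.3.$n || ret=1
grep 'ANSWER: 1' dig.out.ns3.3.$n >/dev/null || ret=1
# this should require recursion and be refused
$DIG -p "${PORT}" @10.53.1.2 f.normal.example a >dig.out.ns3.4.$n || ret=1
grep 'recursion requested but not available' dig.out.ns3.4.$n >/dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.4.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion-on did not match' >/dev/null || ret=1
end_test

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1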
739