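#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Test of allow-query statement.
# allow-query takes an address match list and can be included in either the
# options statement or in the zone statement. This test assumes that the
# acl tests cover the details of the address match list and uses a limited
# number of address match test cases to ensure that allow-query finds the
# expected match.
# Test list:
# In options:
#   default (any), any, none, [localhost, localnets],
#   allowed address, not allowed address, denied address,
#   allowed key, not allowed key, denied key
#   allowed acl, not allowed acl, denied acl (acls pointing to addresses)
#
# Each of these tests requires changing to a new configuration
# file and using rndc to update the server
#
# In view, with nothing in options (default to any)
#   default (any), any, none, [localhost, localnets],
#   allowed address, not allowed address, denied address,
#   allowed key, not allowed key, denied key
#   allowed acl, not allowed acl, denied acl (acls pointing to addresses)
#
# In view, with options set to none, view set to any
# In view, with options set to any, view set to none
#
# In zone, with nothing in options (default to any)
#   any, none, [localhost, localnets],
#   allowed address, denied address,
#   allowed key, not allowed key, denied key
#   allowed acl, not allowed acl, denied acl (acls pointing to addresses),
#
# In zone, with options set to none, zone set to any
# In zone, with options set to any, zone set to none
# In zone, with view set to none, zone set to any
# In zone, with view set to any, zone set to none
#
# zone types of primary, secondary and stub can be tested in parallel by
# using multiple instances (ns2 as primary, ns3 as secondary, ns4 as stub)
# and querying as necessary.
#
# Conventions used below: every test sets ret=0, runs its checks (each
# failing check sets ret=1), then calls finish_test to report and fold
# ret into the overall exit status. Query output is kept in
# dig.out.<server>[.<query>].<n> so a failure can be inspected afterwards.

set -e

. ../conf.sh

# Options for the allow-query tests against ns2: TCP, no recursion, DNSSEC
# (EDNS) enabled so that an EDE option can be returned on refusal. Left
# unquoted at the call sites on purpose so the shell splits it into
# separate dig arguments.
DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnssec -p ${PORT}"

# Same as DIGOPTS but with EDNS disabled: used to check that a refusal
# carries no EDE option when the client did not offer EDNS.
DIGNOEDNS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +noedns -p ${PORT}"

status=0
n=0
ret=0

#######################################
# Send an A query to ns2 from source address 10.53.0.2 and save the reply.
# Globals:   DIG, DIGOPTS (read); ret (set to 1 if dig itself fails)
# Arguments: $1 - file to write the dig output to
#            $2 - name to query
#            $3... - extra dig options, e.g. "-y name:secret" to sign the
#                    query with a TSIG key (the keys used here are test
#                    fixtures, not real secrets)
#######################################
query_ns2() {
  _out=$1
  _qname=$2
  shift 2
  # shellcheck disable=SC2086
  $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 "$@" "$_qname" a >"$_out" || ret=1
}

#######################################
# Query ns2 and expect the query to be answered: status NOERROR and a
# record for the queried name present in the reply.
# Arguments: same as query_ns2
#######################################
check_allowed() {
  query_ns2 "$@"
  grep 'status: NOERROR' "$1" >/dev/null || ret=1
  grep "^$2" "$1" >/dev/null || ret=1
}

#######################################
# Query ns2 and expect the query to be refused: status REFUSED, an
# "EDE: 18 (Prohibited)" option explaining the refusal, and NO record for
# the queried name in the reply (a refusal must not leak the data that
# allow-query is withholding).
# Arguments: same as query_ns2
#######################################
check_refused() {
  query_ns2 "$@"
  grep 'status: REFUSED' "$1" >/dev/null || ret=1
  grep 'EDE: 18 (Prohibited)' "$1" >/dev/null || ret=1
  grep "^$2" "$1" >/dev/null && ret=1
  # The grep above is expected to fail; return 0 explicitly so that the
  # function's status does not trip "set -e" at the call site.
  return 0
}

#######################################
# Send a plain query with dig defaults (recursion desired, UDP) and save
# the reply; used by the allow-recursion / allow-query-cache tests.
# Globals:   DIG, PORT (read); ret (set to 1 if dig itself fails)
# Arguments: $1 - file to write the dig output to
#            $2... - passed to dig as-is: @server, optional -b source,
#                    query name and type
#######################################
query_rd() {
  _out=$1
  shift
  $DIG -p "${PORT}" "$@" >"$_out" || ret=1
}

#######################################
# Install a new configuration on a server and make it active.
# Arguments: $1 - server directory, e.g. ns2
#            $2 - configuration template inside it, e.g. named02.conf.in
#            $3 - server address for rndc
#######################################
reload_server() {
  copy_setports "$1/$2" "$1/named.conf"
  rndc_reload "$1" "$3"
}

#######################################
# Report the current test's result and accumulate it into status.
# Globals:   ret (read), status (written)
#######################################
finish_test() {
  if [ "$ret" != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
}

# Discard whatever ns2 has logged so far; test 3 checks for a fresh entry.
nextpart ns2/named.run >/dev/null

# Test 1 - default, query allowed
n=$((n + 1))
echo_i "test $n: default - query allowed"
ret=0
check_allowed "dig.out.ns2.$n" a.normal.example
finish_test

# Test 2 - explicit any, query allowed
n=$((n + 1))
reload_server ns2 named02.conf.in 10.53.0.2

echo_i "test $n: explicit any - query allowed"
ret=0
check_allowed "dig.out.ns2.$n" a.normal.example
finish_test

# Test 3 - none, query refused
n=$((n + 1))
reload_server ns2 named03.conf.in 10.53.0.2

echo_i "test $n: none - query refused"
ret=0
check_refused "dig.out.ns2.$n" a.normal.example
# The refusal must also be logged; nextpart only returns what was appended
# to named.run since the previous nextpart call.
nextpart ns2/named.run | grep 'recursion not enabled for view' >/dev/null || ret=1
finish_test

# Same configuration, queried without EDNS: still refused, but the reply
# must not contain an EDE option because the client offered no OPT record.
# Numbering note: this extra case shifts $n by one relative to the
# "Test N" comments that follow, until the reset to 20 below.
n=$((n + 1))
echo_i "test $n: none - query refused (no edns)"
ret=0
# shellcheck disable=SC2086
$DIG $DIGNOEDNS @10.53.0.2 -b 10.53.0.2 a.normal.example a >"dig.out.ns2.$n" || ret=1
grep 'status: REFUSED' "dig.out.ns2.$n" >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' "dig.out.ns2.$n" >/dev/null && ret=1
grep '^a.normal.example' "dig.out.ns2.$n" >/dev/null && ret=1
finish_test

# Test 4 - address allowed, query allowed
n=$((n + 1))
reload_server ns2 named04.conf.in 10.53.0.2

echo_i "test $n: address allowed - query allowed"
ret=0
check_allowed "dig.out.ns2.$n" a.normal.example
finish_test

# Test 5 - address not allowed, query refused
n=$((n + 1))
reload_server ns2 named05.conf.in 10.53.0.2

echo_i "test $n: address not allowed - query refused"
ret=0
check_refused "dig.out.ns2.$n" a.normal.example
finish_test

# Test 6 - address disallowed, query refused
n=$((n + 1))
reload_server ns2 named06.conf.in 10.53.0.2

echo_i "test $n: address disallowed - query refused"
ret=0
check_refused "dig.out.ns2.$n" a.normal.example
finish_test

# Test 7 - acl allowed, query allowed
n=$((n + 1))
reload_server ns2 named07.conf.in 10.53.0.2

echo_i "test $n: acl allowed - query allowed"
ret=0
check_allowed "dig.out.ns2.$n" a.normal.example
finish_test

# Test 8 - acl not allowed, query refused
n=$((n + 1))
reload_server ns2 named08.conf.in 10.53.0.2

echo_i "test $n: acl not allowed - query refused"
ret=0
check_refused "dig.out.ns2.$n" a.normal.example
finish_test

# Test 9 - acl disallowed, query refused
n=$((n + 1))
reload_server ns2 named09.conf.in 10.53.0.2

echo_i "test $n: acl disallowed - query refused"
ret=0
check_refused "dig.out.ns2.$n" a.normal.example
finish_test

# Test 10 - key allowed, query allowed
# The configuration names key "one"; "two" is a key the configuration
# does not list.
n=$((n + 1))
reload_server ns2 named10.conf.in 10.53.0.2

echo_i "test $n: key allowed - query allowed"
ret=0
check_allowed "dig.out.ns2.$n" a.normal.example -y one:1234abcd8765
finish_test

# Test 11 - key not allowed, query refused
n=$((n + 1))
reload_server ns2 named11.conf.in 10.53.0.2

echo_i "test $n: key not allowed - query refused"
ret=0
check_refused "dig.out.ns2.$n" a.normal.example -y two:1234efgh8765
finish_test

# Test 12 - key disallowed, query refused
n=$((n + 1))
reload_server ns2 named12.conf.in 10.53.0.2

echo_i "test $n: key disallowed - query refused"
ret=0
check_refused "dig.out.ns2.$n" a.normal.example -y one:1234abcd8765
finish_test

# The next set of tests check if allow-query works in a view

# Renumber so that test $n uses configuration named$n.conf.in.
n=20
# Test 21 - views default, query allowed
n=$((n + 1))
reload_server ns2 named21.conf.in 10.53.0.2

echo_i "test $n: views default - query allowed"
ret=0
check_allowed "dig.out.ns2.$n" a.normal.example
finish_test

# Test 22 - views explicit any, query allowed
n=$((n + 1))
reload_server ns2 named22.conf.in 10.53.0.2

echo_i "test $n: views explicit any - query allowed"
ret=0
check_allowed "dig.out.ns2.$n" a.normal.example
finish_test

# Test 23 - views none, query refused
n=$((n + 1))
reload_server ns2 named23.conf.in 10.53.0.2

echo_i "test $n: views none - query refused"
ret=0
check_refused "dig.out.ns2.$n" a.normal.example
finish_test

# Test 24 - views address allowed, query allowed
n=$((n + 1))
reload_server ns2 named24.conf.in 10.53.0.2

echo_i "test $n: views address allowed - query allowed"
ret=0
check_allowed "dig.out.ns2.$n" a.normal.example
finish_test

# Test 25 - views address not allowed, query refused
n=$((n + 1))
reload_server ns2 named25.conf.in 10.53.0.2

echo_i "test $n: views address not allowed - query refused"
ret=0
check_refused "dig.out.ns2.$n" a.normal.example
finish_test

# Test 26 - views address disallowed, query refused
n=$((n + 1))
reload_server ns2 named26.conf.in 10.53.0.2

echo_i "test $n: views address disallowed - query refused"
ret=0
check_refused "dig.out.ns2.$n" a.normal.example
finish_test

# Test 27 - views acl allowed, query allowed
n=$((n + 1))
reload_server ns2 named27.conf.in 10.53.0.2

echo_i "test $n: views acl allowed - query allowed"
ret=0
check_allowed "dig.out.ns2.$n" a.normal.example
finish_test

# Test 28 - views acl not allowed, query refused
n=$((n + 1))
reload_server ns2 named28.conf.in 10.53.0.2

echo_i "test $n: views acl not allowed - query refused"
ret=0
check_refused "dig.out.ns2.$n" a.normal.example
finish_test

# Test 29 - views acl disallowed, query refused
n=$((n + 1))
reload_server ns2 named29.conf.in 10.53.0.2

echo_i "test $n: views acl disallowed - query refused"
ret=0
check_refused "dig.out.ns2.$n" a.normal.example
finish_test

# Test 30 - views key allowed, query allowed
n=$((n + 1))
reload_server ns2 named30.conf.in 10.53.0.2

echo_i "test $n: views key allowed - query allowed"
ret=0
check_allowed "dig.out.ns2.$n" a.normal.example -y one:1234abcd8765
finish_test

# Test 31 - views key not allowed, query refused
n=$((n + 1))
reload_server ns2 named31.conf.in 10.53.0.2

echo_i "test $n: views key not allowed - query refused"
ret=0
check_refused "dig.out.ns2.$n" a.normal.example -y two:1234efgh8765
finish_test

# Test 32 - views key disallowed, query refused
n=$((n + 1))
reload_server ns2 named32.conf.in 10.53.0.2

echo_i "test $n: views key disallowed - query refused"
ret=0
check_refused "dig.out.ns2.$n" a.normal.example -y one:1234abcd8765
finish_test

# Test 33 - views over options, views allow, query allowed
n=$((n + 1))
reload_server ns2 named33.conf.in 10.53.0.2

echo_i "test $n: views over options, views allow - query allowed"
ret=0
check_allowed "dig.out.ns2.$n" a.normal.example
finish_test

# Test 34 - views over options, views disallow, query refused
n=$((n + 1))
reload_server ns2 named34.conf.in 10.53.0.2

echo_i "test $n: views over options, views disallow - query refused"
ret=0
check_refused "dig.out.ns2.$n" a.normal.example
finish_test

# Tests for allow-query in the zone statements

# Tests 41-52 all run against named40.conf.in; each zone in that
# configuration carries its own allow-query list, so the zone name
# selects the case under test and no reload is needed between them.
n=40

# Test 41 - zone default, query allowed
n=$((n + 1))
reload_server ns2 named40.conf.in 10.53.0.2

echo_i "test $n: zone default - query allowed"
ret=0
check_allowed "dig.out.ns2.$n" a.normal.example
finish_test

# Test 42 - zone explicit any, query allowed
n=$((n + 1))
echo_i "test $n: zone explicit any - query allowed"
ret=0
check_allowed "dig.out.ns2.$n" a.any.example
finish_test

# Test 43 - zone none, query refused
n=$((n + 1))
echo_i "test $n: zone none - query refused"
ret=0
check_refused "dig.out.ns2.$n" a.none.example
finish_test

# Test 44 - zone address allowed, query allowed
n=$((n + 1))
echo_i "test $n: zone address allowed - query allowed"
ret=0
check_allowed "dig.out.ns2.$n" a.addrallow.example
finish_test

# Test 45 - zone address not allowed, query refused
n=$((n + 1))
echo_i "test $n: zone address not allowed - query refused"
ret=0
check_refused "dig.out.ns2.$n" a.addrnotallow.example
finish_test

# Test 46 - zone address disallowed, query refused
n=$((n + 1))
echo_i "test $n: zone address disallowed - query refused"
ret=0
check_refused "dig.out.ns2.$n" a.addrdisallow.example
finish_test

# Test 47 - zone acl allowed, query allowed
n=$((n + 1))
echo_i "test $n: zone acl allowed - query allowed"
ret=0
check_allowed "dig.out.ns2.$n" a.aclallow.example
finish_test

# Test 48 - zone acl not allowed, query refused
n=$((n + 1))
echo_i "test $n: zone acl not allowed - query refused"
ret=0
check_refused "dig.out.ns2.$n" a.aclnotallow.example
finish_test

# Test 49 - zone acl disallowed, query refused
n=$((n + 1))
echo_i "test $n: zone acl disallowed - query refused"
ret=0
check_refused "dig.out.ns2.$n" a.acldisallow.example
finish_test

# Test 50 - zone key allowed, query allowed
n=$((n + 1))
echo_i "test $n: zone key allowed - query allowed"
ret=0
check_allowed "dig.out.ns2.$n" a.keyallow.example -y one:1234abcd8765
finish_test

# Test 51 - zone key not allowed, query refused
n=$((n + 1))
echo_i "test $n: zone key not allowed - query refused"
ret=0
check_refused "dig.out.ns2.$n" a.keyallow.example -y two:1234efgh8765
finish_test

# Test 52 - zone key disallowed, query refused
n=$((n + 1))
echo_i "test $n: zone key disallowed - query refused"
ret=0
check_refused "dig.out.ns2.$n" a.keydisallow.example -y one:1234abcd8765
finish_test

# Test 53 - zones over options, zones allow, query allowed
n=$((n + 1))
reload_server ns2 named53.conf.in 10.53.0.2

echo_i "test $n: zones over options, zones allow - query allowed"
ret=0
check_allowed "dig.out.ns2.$n" a.normal.example
finish_test

# Test 54 - zones over options, zones disallow, query refused
n=$((n + 1))
reload_server ns2 named54.conf.in 10.53.0.2

echo_i "test $n: zones over options, zones disallow - query refused"
ret=0
check_refused "dig.out.ns2.$n" a.normal.example
finish_test

# Test 55 - zones over views, zones allow, query allowed
n=$((n + 1))
reload_server ns2 named55.conf.in 10.53.0.2

echo_i "test $n: zones over views, zones allow - query allowed"
ret=0
check_allowed "dig.out.ns2.$n" a.normal.example
finish_test

# Test 56 - zones over views, zones disallow, query refused
n=$((n + 1))
reload_server ns2 named56.conf.in 10.53.0.2

echo_i "test $n: zones over views, zones disallow - query refused"
ret=0
check_refused "dig.out.ns2.$n" a.normal.example
finish_test

# Test 57 - zones over views, zones disallow, query refused (allow-query-on)
n=$((n + 1))
reload_server ns2 named57.conf.in 10.53.0.2

echo_i "test $n: zones over views, allow-query-on"
ret=0
check_allowed "dig.out.ns2.1.$n" a.normal.example
check_refused "dig.out.ns2.2.$n" a.aclnotallow.example
finish_test

# Test 58 - allow-recursion default
n=$((n + 1))
echo_i "test $n: default allow-recursion configuration"
ret=0
nextpart ns3/named.run >/dev/null
# With the built-in allow-recursion default, a loopback source is served...
query_rd "dig.out.ns3.1.$n" @10.53.0.3 -b 127.0.0.1 a.normal.example a
grep 'status: NOERROR' "dig.out.ns3.1.$n" >/dev/null || ret=1
# ...and a source on the test network is refused, with the reason logged.
query_rd "dig.out.ns3.2.$n" @10.53.0.3 -b 10.53.0.1 a.normal.example a
grep 'status: REFUSED' "dig.out.ns3.2.$n" >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' "dig.out.ns3.2.$n" >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion did not match' >/dev/null || ret=1
finish_test

# Test 59 - allow-query-cache default
n=$((n + 1))
echo_i "test $n: default allow-query-cache configuration"
ret=0
# NS for the root comes from the cache (root hints), so this exercises
# allow-query-cache rather than an authoritative zone.
query_rd "dig.out.ns3.1.$n" @10.53.0.3 -b 127.0.0.1 ns .
grep 'status: NOERROR' "dig.out.ns3.1.$n" >/dev/null || ret=1
query_rd "dig.out.ns3.2.$n" @10.53.0.3 -b 10.53.0.1 ns .
grep 'status: REFUSED' "dig.out.ns3.2.$n" >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' "dig.out.ns3.2.$n" >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion did not match' >/dev/null || ret=1
finish_test

# Test 60 - block recursion-on, allow query-cache-on
n=$((n + 1))
reload_server ns3 named2.conf.in 10.53.0.3

echo_i "test $n: block recursion-on, allow query-cache-on"
ret=0
# this should query the cache, and an answer should already be there
query_rd "dig.out.ns3.1.$n" @10.53.0.3 a.normal.example a
grep 'recursion requested but not available' "dig.out.ns3.1.$n" >/dev/null || ret=1
grep 'ANSWER: 1' "dig.out.ns3.1.$n" >/dev/null || ret=1
# this should require recursion and therefore can't get an answer
query_rd "dig.out.ns3.2.$n" @10.53.0.3 b.normal.example a
grep 'recursion requested but not available' "dig.out.ns3.2.$n" >/dev/null || ret=1
grep 'ANSWER: 0' "dig.out.ns3.2.$n" >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion-on did not match' >/dev/null || ret=1
finish_test

# Test 61 - inheritance of allow-query-cache-on from allow-recursion-on
n=$((n + 1))
reload_server ns3 named3.conf.in 10.53.0.3

echo_i "test $n: inheritance of allow-query-cache-on"
ret=0
# this should query the cache, an answer should already be there
query_rd "dig.out.ns3.1.$n" @10.53.0.3 a.normal.example a
grep 'ANSWER: 1' "dig.out.ns3.1.$n" >/dev/null || ret=1
# this should be refused due to allow-recursion-on/allow-query-cache-on
query_rd "dig.out.ns3.2.$n" @10.53.1.2 a.normal.example a
grep 'recursion requested but not available' "dig.out.ns3.2.$n" >/dev/null || ret=1
grep 'status: REFUSED' "dig.out.ns3.2.$n" >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' "dig.out.ns3.2.$n" >/dev/null || ret=1
# this should require recursion and should be allowed
query_rd "dig.out.ns3.3.$n" @10.53.0.3 c.normal.example a
grep 'ANSWER: 1' "dig.out.ns3.3.$n" >/dev/null || ret=1
# this should require recursion and be refused
query_rd "dig.out.ns3.4.$n" @10.53.1.2 d.normal.example a
grep 'recursion requested but not available' "dig.out.ns3.4.$n" >/dev/null || ret=1
grep 'status: REFUSED' "dig.out.ns3.4.$n" >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' "dig.out.ns3.4.$n" >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion-on did not match' >/dev/null || ret=1
finish_test

# Test 62 - inheritance of allow-recursion-on from allow-query-cache-on
n=$((n + 1))
reload_server ns3 named4.conf.in 10.53.0.3

echo_i "test $n: inheritance of allow-recursion-on"
ret=0
# this should query the cache, an answer should already be there
query_rd "dig.out.ns3.1.$n" @10.53.0.3 a.normal.example a
grep 'ANSWER: 1' "dig.out.ns3.1.$n" >/dev/null || ret=1
# this should be refused due to allow-recursion-on/allow-query-cache-on
query_rd "dig.out.ns3.2.$n" @10.53.1.2 a.normal.example a
grep 'recursion requested but not available' "dig.out.ns3.2.$n" >/dev/null || ret=1
grep 'status: REFUSED' "dig.out.ns3.2.$n" >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' "dig.out.ns3.2.$n" >/dev/null || ret=1
# this should require recursion and should be allowed
query_rd "dig.out.ns3.3.$n" @10.53.0.3 e.normal.example a
grep 'ANSWER: 1' "dig.out.ns3.3.$n" >/dev/null || ret=1
# this should require recursion and be refused
query_rd "dig.out.ns3.4.$n" @10.53.1.2 f.normal.example a
grep 'recursion requested but not available' "dig.out.ns3.4.$n" >/dev/null || ret=1
grep 'status: REFUSED' "dig.out.ns3.4.$n" >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' "dig.out.ns3.4.$n" >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion-on did not match' >/dev/null || ret=1
finish_test

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1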