#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Test of allow-query statement.
# allow-query takes an address match list and can be included in the
# options statement, in a view statement or in a zone statement.  This test
# assumes that the acl tests cover the details of the address match list and
# uses a limited number of address match test cases to ensure that
# allow-query finds the expected match.
# Test list:
# In options:
# default (any), any, none, [localhost, localnets],
# allowed address, not allowed address, denied address,
# allowed key, not allowed key, denied key
# allowed acl, not allowed acl, denied acl (acls pointing to addresses)
#
# Each of these tests requires changing to a new configuration
# file and using rndc to update the server (see rndc_reload below).
#
# In view, with nothing in options (default to any)
# default (any), any, none, [localhost, localnets],
# allowed address, not allowed address, denied address,
# allowed key, not allowed key, denied key
# allowed acl, not allowed acl, denied acl (acls pointing to addresses)
#
# In view, with options set to none, view set to any
# In view, with options set to any, view set to none
#
# In zone, with nothing in options (default to any)
# any, none, [localhost, localnets],
# allowed address, denied address,
# allowed key, not allowed key, denied key
# allowed acl, not allowed acl, denied acl (acls pointing to addresses),
#
# In zone, with options set to none, zone set to any
# In zone, with options set to any, zone set to none
# In zone, with view set to none, zone set to any
# In zone, with view set to any, zone set to none
#
# zone types of master, slave and stub can be tested in parallel by using
# multiple instances (ns2 as master, ns3 as slave, ns4 as stub) and querying
# as necessary.
#

SYSTEMTESTTOP=..
. "${SYSTEMTESTTOP}/conf.sh"

# Options shared by every allow-query probe: TCP, +norec (RD bit not set, so
# these probes do not request recursion; the recursion ACLs are exercised
# separately at the end of the file without DIGOPTS), trimmed output
# sections, DNSSEC OK, and the per-run test port supplied by conf.sh.
DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnssec -p ${PORT}"

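# Reload the named instance in directory $1 (e.g. ns2) that listens on
# address $2, over the rndc control channel, then wait up to ten seconds
# for named.run to confirm that the new configuration took effect.
#
# The confirmation is security-relevant for this test: if the reload fails
# or is never confirmed, the server keeps serving its previous
# configuration, and every following query test would exercise the wrong
# allow-query ACL and could pass for the wrong reason.  The original
# version silently gave up after the timeout; this one reports it.
#
# The rndc output is echoed prefixed with the server name either way.
# Returns 0 when the reload was confirmed, 1 when the timeout expired.
rndc_reload() {
    echo_i "$($RNDC -c ../common/rndc.conf -s "$2" -p "${CONTROLPORT}" reload 2>&1 | sed "s/^/$1 /")"
    for try in 0 1 2 3 4 5 6 7 8 9; do
        # nextpart (from conf.sh) prints the part of the log not yet seen,
        # so only lines logged since the last call are inspected here.
        if nextpart "$1/named.run" | grep "reloading configuration succeeded" > /dev/null; then
            return 0
        fi
        sleep 1
    done
    echo_i "$1: reload not confirmed in named.run after 10 seconds"
    return 1
}
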
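status=0
n=0

# Consume whatever ns2 has logged so far, so that the first rndc_reload
# only sees lines written after this point.
nextpart ns2/named.run > /dev/null

# ---- helpers ------------------------------------------------------------
#
# Conventions shared by all tests in this file:
#   n      test number, printed in the banner and used in output file names
#   ret    0/1 result of the test currently running
#   status running count of failed tests; non-zero makes the script exit 1

# Install a new configuration on one server and reload it.
#   $1 server directory (ns2, ns3)
#   $2 configuration template inside that directory (e.g. named02.conf.in)
#   $3 control address passed to rndc
# A reload that is not confirmed is counted as a failure immediately:
# the server would otherwise keep its previous allow-query settings and
# the following test could pass or fail for the wrong reason.
reconfigure() {
    copy_setports "$1/$2" "$1/named.conf"
    rndc_reload "$1" "$3" || { echo_i "failed (reload of $1 not confirmed)"; status=$((status + 1)); }
}

# Send one query with $DIGOPTS and fold the result into $ret.
#   $1 expected rcode (NOERROR or REFUSED)
#   $2 file that receives the dig output
#   $3 query name (always queried for type A)
#   remaining args: dig options selecting the server (@addr), the source
#   address (-b) and, for key-based ACLs, the TSIG key (-y)
# An allowed query must return the name; a refused query must not leak it
# (no line starting with the name may appear in the output).
check_query() {
    expect=$1; out=$2; qname=$3; shift 3
    $DIG $DIGOPTS "$@" "$qname" a > "$out" || ret=1
    grep "status: $expect" "$out" > /dev/null || ret=1
    if [ "$expect" = NOERROR ]; then
        grep "^$qname" "$out" > /dev/null || ret=1
    else
        grep "^$qname" "$out" > /dev/null && ret=1
    fi
}

# Close the current test: print "failed" when $ret is set and add it to
# the failure count.
finish_test() {
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))
}

# Run one single-query allow-query case against ns2 from source 10.53.0.2.
#   $1 test description, $2 expected rcode, $3 query name,
#   remaining args: extra dig options (the -y key for TSIG cases)
query_test() {
    n=$((n + 1))
    desc=$1; expect=$2; qname=$3; shift 3
    echo_i "test $n: $desc"
    ret=0
    check_query "$expect" "dig.out.ns2.$n" "$qname" @10.53.0.2 -b 10.53.0.2 "$@"
    finish_test
}

# Run one allow-recursion-on / allow-query-cache-on case against ns3.
# These queries deliberately omit $DIGOPTS so that the RD bit is set.
#   $1 test description
#   $2 name that needs recursion and must be answered via 10.53.0.3
#   $3 name that needs recursion and must be refused via 10.53.1.2
# a.normal.example was resolved earlier (test 58) and is expected to be
# answered from the cache on 10.53.0.3 but refused on 10.53.1.2: the -on
# forms of these ACLs select on the address the query arrives on.
recursion_on_test() {
    n=$((n + 1))
    echo_i "test $n: $1"
    ret=0
    # cached name, address where cache access is allowed
    $DIG -p "${PORT}" @10.53.0.3 a.normal.example a > "dig.out.ns3.1.$n" || ret=1
    grep 'ANSWER: 1' "dig.out.ns3.1.$n" > /dev/null || ret=1
    # cached name, address where it must be refused
    $DIG -p "${PORT}" @10.53.1.2 a.normal.example a > "dig.out.ns3.2.$n" || ret=1
    grep 'recursion requested but not available' "dig.out.ns3.2.$n" > /dev/null || ret=1
    grep 'status: REFUSED' "dig.out.ns3.2.$n" > /dev/null || ret=1
    # fresh name, recursion allowed
    $DIG -p "${PORT}" @10.53.0.3 "$2" a > "dig.out.ns3.3.$n" || ret=1
    grep 'ANSWER: 1' "dig.out.ns3.3.$n" > /dev/null || ret=1
    # fresh name, recursion refused
    $DIG -p "${PORT}" @10.53.1.2 "$3" a > "dig.out.ns3.4.$n" || ret=1
    grep 'recursion requested but not available' "dig.out.ns3.4.$n" > /dev/null || ret=1
    grep 'status: REFUSED' "dig.out.ns3.4.$n" > /dev/null || ret=1
    finish_test
}

# ---- allow-query in the options statement (tests 1-12) -----------------

# Test 1 - nothing configured yet: the default must behave like "any".
query_test "default - query allowed" NOERROR a.normal.example

reconfigure ns2 named02.conf.in 10.53.0.2
query_test "explicit any - query allowed" NOERROR a.normal.example

reconfigure ns2 named03.conf.in 10.53.0.2
query_test "none - query refused" REFUSED a.normal.example

reconfigure ns2 named04.conf.in 10.53.0.2
query_test "address allowed - query allowed" NOERROR a.normal.example

reconfigure ns2 named05.conf.in 10.53.0.2
query_test "address not allowed - query refused" REFUSED a.normal.example

reconfigure ns2 named06.conf.in 10.53.0.2
query_test "address disallowed - query refused" REFUSED a.normal.example

reconfigure ns2 named07.conf.in 10.53.0.2
query_test "acl allowed - query allowed" NOERROR a.normal.example

reconfigure ns2 named08.conf.in 10.53.0.2
query_test "acl not allowed - query refused" REFUSED a.normal.example

reconfigure ns2 named09.conf.in 10.53.0.2
query_test "acl disallowed - query refused" REFUSED a.normal.example

# Tests 10-12 - key-based ACLs.  The TSIG secrets are test fixtures that
# must match the key statements in the ns2 configurations; "two" is the
# key the ACL does not list.
reconfigure ns2 named10.conf.in 10.53.0.2
query_test "key allowed - query allowed" NOERROR a.normal.example -y one:1234abcd8765

reconfigure ns2 named11.conf.in 10.53.0.2
query_test "key not allowed - query refused" REFUSED a.normal.example -y two:1234efgh8765

reconfigure ns2 named12.conf.in 10.53.0.2
query_test "key disallowed - query refused" REFUSED a.normal.example -y one:1234abcd8765

# ---- allow-query in a view statement (tests 21-34) ---------------------

n=20

reconfigure ns2 named21.conf.in 10.53.0.2
query_test "views default - query allowed" NOERROR a.normal.example

reconfigure ns2 named22.conf.in 10.53.0.2
query_test "views explicit any - query allowed" NOERROR a.normal.example

reconfigure ns2 named23.conf.in 10.53.0.2
query_test "views none - query refused" REFUSED a.normal.example

reconfigure ns2 named24.conf.in 10.53.0.2
query_test "views address allowed - query allowed" NOERROR a.normal.example

reconfigure ns2 named25.conf.in 10.53.0.2
query_test "views address not allowed - query refused" REFUSED a.normal.example

reconfigure ns2 named26.conf.in 10.53.0.2
query_test "views address disallowed - query refused" REFUSED a.normal.example

reconfigure ns2 named27.conf.in 10.53.0.2
query_test "views acl allowed - query allowed" NOERROR a.normal.example

reconfigure ns2 named28.conf.in 10.53.0.2
query_test "views acl not allowed - query refused" REFUSED a.normal.example

reconfigure ns2 named29.conf.in 10.53.0.2
query_test "views acl disallowed - query refused" REFUSED a.normal.example

reconfigure ns2 named30.conf.in 10.53.0.2
query_test "views key allowed - query allowed" NOERROR a.normal.example -y one:1234abcd8765

reconfigure ns2 named31.conf.in 10.53.0.2
query_test "views key not allowed - query refused" REFUSED a.normal.example -y two:1234efgh8765

reconfigure ns2 named32.conf.in 10.53.0.2
query_test "views key disallowed - query refused" REFUSED a.normal.example -y one:1234abcd8765

# Tests 33-34 - a view's allow-query overrides the one in options.
reconfigure ns2 named33.conf.in 10.53.0.2
query_test "views over options, views allow - query allowed" NOERROR a.normal.example

reconfigure ns2 named34.conf.in 10.53.0.2
query_test "views over options, views disallow - query refused" REFUSED a.normal.example

# ---- allow-query in zone statements (tests 41-57) ----------------------

n=40

reconfigure ns2 named40.conf.in 10.53.0.2
query_test "zone default - query allowed" NOERROR a.normal.example

# Tests 42-52 all run against the configuration installed for test 41;
# the zone under test is selected by the name queried.
query_test "zone explicit any - query allowed" NOERROR a.any.example
query_test "zone none - query refused" REFUSED a.none.example
query_test "zone address allowed - query allowed" NOERROR a.addrallow.example
query_test "zone address not allowed - query refused" REFUSED a.addrnotallow.example
query_test "zone address disallowed - query refused" REFUSED a.addrdisallow.example
query_test "zone acl allowed - query allowed" NOERROR a.aclallow.example
query_test "zone acl not allowed - query refused" REFUSED a.aclnotallow.example
query_test "zone acl disallowed - query refused" REFUSED a.acldisallow.example
query_test "zone key allowed - query allowed" NOERROR a.keyallow.example -y one:1234abcd8765
query_test "zone key not allowed - query refused" REFUSED a.keyallow.example -y two:1234efgh8765
query_test "zone key disallowed - query refused" REFUSED a.keydisallow.example -y one:1234abcd8765

# Tests 53-56 - a zone's allow-query overrides options and views.
# (The banners used to say "views over options"; they now match the cases.)
reconfigure ns2 named53.conf.in 10.53.0.2
query_test "zones over options, zones allow - query allowed" NOERROR a.normal.example

reconfigure ns2 named54.conf.in 10.53.0.2
query_test "zones over options, zones disallow - query refused" REFUSED a.normal.example

reconfigure ns2 named55.conf.in 10.53.0.2
query_test "zones over views, zones allow - query allowed" NOERROR a.normal.example

reconfigure ns2 named56.conf.in 10.53.0.2
query_test "zones over views, zones disallow - query refused" REFUSED a.normal.example

# Test 57 - allow-query-on: one zone is answered while another is refused
# under the same configuration.
reconfigure ns2 named57.conf.in 10.53.0.2
n=$((n + 1))
echo_i "test $n: zones over views, allow-query-on"
ret=0
check_query NOERROR "dig.out.ns2.1.$n" a.normal.example @10.53.0.2 -b 10.53.0.2
check_query REFUSED "dig.out.ns2.2.$n" a.aclnotallow.example @10.53.0.2 -b 10.53.0.2
finish_test

# ---- allow-recursion / allow-query-cache on ns3 (tests 58-62) ----------
# These queries deliberately omit $DIGOPTS: they must carry the RD bit.

# Test 58 - allow-recursion default: the loopback source is served,
# 10.53.0.1 is refused.
n=$((n + 1))
echo_i "test $n: default allow-recursion configuration"
ret=0
$DIG -p "${PORT}" @10.53.0.3 -b 127.0.0.1 a.normal.example a > "dig.out.ns3.1.$n" || ret=1
grep 'status: NOERROR' "dig.out.ns3.1.$n" > /dev/null || ret=1
$DIG -p "${PORT}" @10.53.0.3 -b 10.53.0.1 a.normal.example a > "dig.out.ns3.2.$n" || ret=1
grep 'status: REFUSED' "dig.out.ns3.2.$n" > /dev/null || ret=1
finish_test

# Test 59 - allow-query-cache default, probed with a query for the root NS
# set: same split between the loopback source and 10.53.0.1.
n=$((n + 1))
echo_i "test $n: default allow-query-cache configuration"
ret=0
$DIG -p "${PORT}" @10.53.0.3 -b 127.0.0.1 ns . > "dig.out.ns3.1.$n" || ret=1
grep 'status: NOERROR' "dig.out.ns3.1.$n" > /dev/null || ret=1
$DIG -p "${PORT}" @10.53.0.3 -b 10.53.0.1 ns . > "dig.out.ns3.2.$n" || ret=1
grep 'status: REFUSED' "dig.out.ns3.2.$n" > /dev/null || ret=1
finish_test

# Test 60 - recursion blocked on this address but cache access allowed.
reconfigure ns3 named2.conf.in 10.53.0.3
n=$((n + 1))
echo_i "test $n: block recursion-on, allow query-cache-on"
ret=0
# a.normal.example was resolved in test 58 and should come from the cache
$DIG -p "${PORT}" @10.53.0.3 a.normal.example a > "dig.out.ns3.1.$n" || ret=1
grep 'recursion requested but not available' "dig.out.ns3.1.$n" > /dev/null || ret=1
grep 'ANSWER: 1' "dig.out.ns3.1.$n" > /dev/null || ret=1
# b.normal.example is not cached; with recursion refused there is no answer
$DIG -p "${PORT}" @10.53.0.3 b.normal.example a > "dig.out.ns3.2.$n" || ret=1
grep 'recursion requested but not available' "dig.out.ns3.2.$n" > /dev/null || ret=1
grep 'ANSWER: 0' "dig.out.ns3.2.$n" > /dev/null || ret=1
finish_test

# Test 61 - allow-query-cache-on inherits from allow-recursion-on.
reconfigure ns3 named3.conf.in 10.53.0.3
recursion_on_test "inheritance of allow-query-cache-on" c.normal.example d.normal.example

# Test 62 - allow-recursion-on inherits from allow-query-cache-on.
reconfigure ns3 named4.conf.in 10.53.0.3
recursion_on_test "inheritance of allow-recursion-on" e.normal.example f.normal.example

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1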
695