tests.sh revision 1.1.1.2
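#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Test of allow-query statement.
# allow-query takes an address match list and can be included in either the
# options statement or in the zone statement. This test assumes that the
# acl tests cover the details of the address match list and uses a limited
# number of address match test cases to ensure that allow-query finds the
# expected match.
# Test list:
# In options:
#   default (any), any, none, [localhost, localnets],
#   allowed address, not allowed address, denied address,
#   allowed key, not allowed key, denied key
#   allowed acl, not allowed acl, denied acl (acls pointing to addresses)
#
# Each of these tests requires changing to a new configuration
# file and using rndc to update the server
#
# In view, with nothing in options (default to any)
#   default (any), any, none, [localhost, localnets],
#   allowed address, not allowed address, denied address,
#   allowed key, not allowed key, denied key
#   allowed acl, not allowed acl, denied acl (acls pointing to addresses)
#
# In view, with options set to none, view set to any
# In view, with options set to any, view set to none
#
# In zone, with nothing in options (default to any)
#   any, none, [localhost, localnets],
#   allowed address, denied address,
#   allowed key, not allowed key, denied key
#   allowed acl, not allowed acl, denied acl (acls pointing to addresses),
#
# In zone, with options set to none, zone set to any
# In zone, with options set to any, zone set to none
# In zone, with view set to none, zone set to any
# In zone, with view set to any, zone set to none
#
# zone types of master, slave and stub can be tested in parallel by using
# multiple instances (ns2 as master, ns3 as slave, ns4 as stub) and querying
# as necessary.
#
# Every numbered test follows the same shape: optionally install a new
# named.conf and reload, send one query to ns2 from a fixed source address,
# and check both the rcode and whether the answer record is present.  That
# shape is factored into expect_allowed/expect_refused below; the tests
# against ns3 (allow-recursion / allow-query-cache) differ and stay inline.

SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

# +norec: the ns2 lookups are authoritative, recursion is never requested.
# -p ${PORT}: the harness runs named on a non-standard port (from conf.sh).
DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnssec -p ${PORT}"

#######################################
# rndc_reload DIR ADDR
#
# Ask the named instance at ADDR (control channel on ${CONTROLPORT}) to
# reload, log rndc's output prefixed with DIR, then wait up to ten seconds
# for DIR/named.run to report "reloading configuration succeeded".
# Returning before that line appears would let the next dig race the reload
# and be answered under the previous allow-query policy, so a timeout is
# reported rather than silently ignored.
# Returns: 0 once the reload is confirmed, 1 if it was not seen in time
#          (the caller carries on; the following query then shows the effect).
#######################################
rndc_reload() {
	echo_i "$($RNDC -c ../common/rndc.conf -s "$2" -p ${CONTROLPORT} reload 2>&1 | sed "s/^/$1 /")"
	for try in 0 1 2 3 4 5 6 7 8 9; do
		nextpart "$1"/named.run | grep "reloading configuration succeeded" > /dev/null && return 0
		sleep 1
	done
	echo_i "$1: reload not confirmed in named.run after 10 seconds"
	return 1
}

#######################################
# switch_config DIR CONF ADDR
#
# Install DIR/CONF (a *.conf.in template) as DIR/named.conf with the test
# ports substituted (copy_setports, from conf.sh), then reload the server at
# ADDR so the new allow-query settings are live before the next query.
#######################################
switch_config() {
	copy_setports "$1/$2" "$1/named.conf"
	rndc_reload "$1" "$3"
}

#######################################
# query_ns2 OUTFILE QNAME [DIGARGS...]
#
# Send an A query for QNAME to ns2 (10.53.0.2) with the source address bound
# to 10.53.0.2 - the client address the server's allow-query lists are
# matched against - and save dig's output in OUTFILE.  DIGARGS (e.g. a
# "-y name:secret" TSIG key) are placed before the query name.
# Sets ret=1 if dig itself fails (no reply, usage error).
#######################################
query_ns2() {
	_qfile=$1
	_qn=$2
	shift 2
	$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 "$@" "$_qn" a > "$_qfile" || ret=1
}

#######################################
# expect_allowed DESC QNAME [DIGARGS...]
#
# Run the next numbered test: query ns2 for QNAME and require a NOERROR
# response that actually carries an answer for QNAME.  DESC names the
# configuration under test in the log line.  Increments n, prints "failed"
# on a mismatch and folds the result into status.
#######################################
expect_allowed() {
	n=$((n + 1))
	echo_i "test $n: $1 - query allowed"
	_name=$2
	shift 2
	ret=0
	query_ns2 dig.out.ns2.$n "$_name" "$@"
	grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
	grep "^$_name" dig.out.ns2.$n > /dev/null || ret=1
	if [ $ret != 0 ]; then echo_i "failed"; fi
	status=$((status + ret))
}

#######################################
# expect_refused DESC QNAME [DIGARGS...]
#
# Run the next numbered test: query ns2 for QNAME and require a REFUSED
# response with no answer record for QNAME.  Both checks matter: a REFUSED
# rcode alone would not catch a response that still leaks the record.
# Increments n, prints "failed" on a mismatch and folds the result into
# status.
#######################################
expect_refused() {
	n=$((n + 1))
	echo_i "test $n: $1 - query refused"
	_name=$2
	shift 2
	ret=0
	query_ns2 dig.out.ns2.$n "$_name" "$@"
	grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
	grep "^$_name" dig.out.ns2.$n > /dev/null && ret=1
	if [ $ret != 0 ]; then echo_i "failed"; fi
	status=$((status + ret))
}

status=0
n=0

# Advance the named.run read position so rndc_reload only scans log lines
# written after this point (nextpart is the conf.sh helper used there).
nextpart ns2/named.run > /dev/null

# The TSIG key names and secrets below are test fixtures; they are expected
# to match the key statements in the ns2 named*.conf.in templates (not
# visible in this file).  "one" is the key the configurations allow/deny,
# "two" is a key the configurations do not list.

# Test 1 - default, query allowed
expect_allowed "default" a.normal.example

# Test 2 - explicit any, query allowed
switch_config ns2 named02.conf.in 10.53.0.2
expect_allowed "explicit any" a.normal.example

# Test 3 - none, query refused
switch_config ns2 named03.conf.in 10.53.0.2
expect_refused "none" a.normal.example

# Test 4 - address allowed, query allowed
switch_config ns2 named04.conf.in 10.53.0.2
expect_allowed "address allowed" a.normal.example

# Test 5 - address not allowed, query refused
switch_config ns2 named05.conf.in 10.53.0.2
expect_refused "address not allowed" a.normal.example

# Test 6 - address disallowed, query refused
switch_config ns2 named06.conf.in 10.53.0.2
expect_refused "address disallowed" a.normal.example

# Test 7 - acl allowed, query allowed
switch_config ns2 named07.conf.in 10.53.0.2
expect_allowed "acl allowed" a.normal.example

# Test 8 - acl not allowed, query refused
switch_config ns2 named08.conf.in 10.53.0.2
expect_refused "acl not allowed" a.normal.example

# Test 9 - acl disallowed, query refused
switch_config ns2 named09.conf.in 10.53.0.2
expect_refused "acl disallowed" a.normal.example

# Test 10 - key allowed, query allowed
switch_config ns2 named10.conf.in 10.53.0.2
expect_allowed "key allowed" a.normal.example -y one:1234abcd8765

# Test 11 - key not allowed, query refused
switch_config ns2 named11.conf.in 10.53.0.2
expect_refused "key not allowed" a.normal.example -y two:1234efgh8765

# Test 12 - key disallowed, query refused
switch_config ns2 named12.conf.in 10.53.0.2
expect_refused "key disallowed" a.normal.example -y one:1234abcd8765

# The next set of tests check if allow-query works in a view

n=20
# Test 21 - views default, query allowed
switch_config ns2 named21.conf.in 10.53.0.2
expect_allowed "views default" a.normal.example

# Test 22 - views explicit any, query allowed
switch_config ns2 named22.conf.in 10.53.0.2
expect_allowed "views explicit any" a.normal.example

# Test 23 - views none, query refused
switch_config ns2 named23.conf.in 10.53.0.2
expect_refused "views none" a.normal.example

# Test 24 - views address allowed, query allowed
switch_config ns2 named24.conf.in 10.53.0.2
expect_allowed "views address allowed" a.normal.example

# Test 25 - views address not allowed, query refused
switch_config ns2 named25.conf.in 10.53.0.2
expect_refused "views address not allowed" a.normal.example

# Test 26 - views address disallowed, query refused
switch_config ns2 named26.conf.in 10.53.0.2
expect_refused "views address disallowed" a.normal.example

# Test 27 - views acl allowed, query allowed
switch_config ns2 named27.conf.in 10.53.0.2
expect_allowed "views acl allowed" a.normal.example

# Test 28 - views acl not allowed, query refused
switch_config ns2 named28.conf.in 10.53.0.2
expect_refused "views acl not allowed" a.normal.example

# Test 29 - views acl disallowed, query refused
switch_config ns2 named29.conf.in 10.53.0.2
expect_refused "views acl disallowed" a.normal.example

# Test 30 - views key allowed, query allowed
switch_config ns2 named30.conf.in 10.53.0.2
expect_allowed "views key allowed" a.normal.example -y one:1234abcd8765

# Test 31 - views key not allowed, query refused
switch_config ns2 named31.conf.in 10.53.0.2
expect_refused "views key not allowed" a.normal.example -y two:1234efgh8765

# Test 32 - views key disallowed, query refused
switch_config ns2 named32.conf.in 10.53.0.2
expect_refused "views key disallowed" a.normal.example -y one:1234abcd8765

# Test 33 - views over options, views allow, query allowed
switch_config ns2 named33.conf.in 10.53.0.2
expect_allowed "views over options, views allow" a.normal.example

# Test 34 - views over options, views disallow, query refused
switch_config ns2 named34.conf.in 10.53.0.2
expect_refused "views over options, views disallow" a.normal.example

# Tests for allow-query in the zone statements
#
# named40.conf.in carries one zone per case (a.any.example, a.none.example,
# ...), so tests 42-52 query different zones without reloading.

n=40

# Test 41 - zone default, query allowed
switch_config ns2 named40.conf.in 10.53.0.2
expect_allowed "zone default" a.normal.example

# Test 42 - zone explicit any, query allowed
expect_allowed "zone explicit any" a.any.example

# Test 43 - zone none, query refused
expect_refused "zone none" a.none.example

# Test 44 - zone address allowed, query allowed
expect_allowed "zone address allowed" a.addrallow.example

# Test 45 - zone address not allowed, query refused
expect_refused "zone address not allowed" a.addrnotallow.example

# Test 46 - zone address disallowed, query refused
expect_refused "zone address disallowed" a.addrdisallow.example

# Test 47 - zone acl allowed, query allowed
expect_allowed "zone acl allowed" a.aclallow.example

# Test 48 - zone acl not allowed, query refused
expect_refused "zone acl not allowed" a.aclnotallow.example

# Test 49 - zone acl disallowed, query refused
expect_refused "zone acl disallowed" a.acldisallow.example

# Test 50 - zone key allowed, query allowed
expect_allowed "zone key allowed" a.keyallow.example -y one:1234abcd8765

# Test 51 - zone key not allowed, query refused
expect_refused "zone key not allowed" a.keyallow.example -y two:1234efgh8765

# Test 52 - zone key disallowed, query refused
expect_refused "zone key disallowed" a.keydisallow.example -y one:1234abcd8765

# Test 53 - zones over options, zones allow, query allowed
# (log line previously said "views over options", which made the output
# indistinguishable from test 33 apart from the number)
switch_config ns2 named53.conf.in 10.53.0.2
expect_allowed "zones over options, zones allow" a.normal.example

# Test 54 - zones over options, zones disallow, query refused
switch_config ns2 named54.conf.in 10.53.0.2
expect_refused "zones over options, zones disallow" a.normal.example

# Test 55 - zones over views, zones allow, query allowed
switch_config ns2 named55.conf.in 10.53.0.2
expect_allowed "zones over views, zones allow" a.normal.example

# Test 56 - zones over views, zones disallow, query refused
switch_config ns2 named56.conf.in 10.53.0.2
expect_refused "zones over views, zones disallow" a.normal.example

# Test 57 - zones over views, zones disallow, query refused (allow-query-on)
# Two queries against the same configuration: one zone must still answer,
# the other must be refused, so this is kept inline with per-query outputs.
n=$((n + 1))
switch_config ns2 named57.conf.in 10.53.0.2

echo_i "test $n: zones over views, allow-query-on"
ret=0
query_ns2 dig.out.ns2.1.$n a.normal.example
grep 'status: NOERROR' dig.out.ns2.1.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.1.$n > /dev/null || ret=1
query_ns2 dig.out.ns2.2.$n a.aclnotallow.example
grep 'status: REFUSED' dig.out.ns2.2.$n > /dev/null || ret=1
grep '^a.aclnotallow.example' dig.out.ns2.2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# The remaining tests run against ns3 with plain dig options (recursion is
# requested) and bind different source addresses to exercise the
# allow-recursion / allow-query-cache defaults and their -on variants.
# "|| ret=1" on each dig matches the rest of the file: a query that gets no
# reply at all is a failure, not something for the following grep to infer.

# Test 58 - allow-recursion default
# Loopback is permitted to recurse; 10.53.0.1 is not.
n=$((n + 1))
echo_i "test $n: default allow-recursion configuration"
ret=0
$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 a.normal.example a > dig.out.ns3.1.$n || ret=1
grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 a.normal.example a > dig.out.ns3.2.$n || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Test 59 - allow-query-cache default
# Same split for a cache lookup (the root NS set).
n=$((n + 1))
echo_i "test $n: default allow-query-cache configuration"
ret=0
$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 ns . > dig.out.ns3.1.$n || ret=1
grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 ns . > dig.out.ns3.2.$n || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Test 60 - block recursion-on, allow query-cache-on
n=$((n + 1))
switch_config ns3 named2.conf.in 10.53.0.3

echo_i "test $n: block recursion-on, allow query-cache-on"
ret=0
# this should query the cache, and an answer should already be there
$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n || ret=1
grep 'recursion requested but not available' dig.out.ns3.1.$n > /dev/null || ret=1
grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1
# this should require recursion and therefore can't get an answer
$DIG -p ${PORT} @10.53.0.3 b.normal.example a > dig.out.ns3.2.$n || ret=1
grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'ANSWER: 0' dig.out.ns3.2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Test 61 - inheritance of allow-query-cache-on from allow-recursion-on
# The destination address decides here: 10.53.0.3 is served, 10.53.1.2 is
# refused, for both cached and recursive lookups.
n=$((n + 1))
switch_config ns3 named3.conf.in 10.53.0.3

echo_i "test $n: inheritance of allow-query-cache-on"
ret=0
# this should query the cache, an answer should already be there
$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n || ret=1
grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1
# this should be refused due to allow-recursion-on/allow-query-cache-on
$DIG -p ${PORT} @10.53.1.2 a.normal.example a > dig.out.ns3.2.$n || ret=1
grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
# this should require recursion and should be allowed
$DIG -p ${PORT} @10.53.0.3 c.normal.example a > dig.out.ns3.3.$n || ret=1
grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1
# this should require recursion and be refused
$DIG -p ${PORT} @10.53.1.2 d.normal.example a > dig.out.ns3.4.$n || ret=1
grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Test 62 - inheritance of allow-recursion-on from allow-query-cache-on
# Mirror of test 61 with the inheritance direction reversed; fresh names
# (e/f) are used so the recursive lookups are not already cached.
n=$((n + 1))
switch_config ns3 named4.conf.in 10.53.0.3

echo_i "test $n: inheritance of allow-recursion-on"
ret=0
# this should query the cache, an answer should already be there
$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n || ret=1
grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1
# this should be refused due to allow-recursion-on/allow-query-cache-on
$DIG -p ${PORT} @10.53.1.2 a.normal.example a > dig.out.ns3.2.$n || ret=1
grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
# this should require recursion and should be allowed
$DIG -p ${PORT} @10.53.0.3 e.normal.example a > dig.out.ns3.3.$n || ret=1
grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1
# this should require recursion and be refused
$DIG -p ${PORT} @10.53.1.2 f.normal.example a > dig.out.ns3.4.$n || ret=1
grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1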