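#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Test of allow-query statement.
# allow-query takes an address match list and can be included in either the
# options statement or in the zone statement. This test assumes that the
# acl tests cover the details of the address match list and uses a limited
# number of address match test cases to ensure that allow-query finds the
# expected match.
# Test list:
# In options:
#   default (any), any, none, [localhost, localnets],
#   allowed address, not allowed address, denied address,
#   allowed key, not allowed key, denied key
#   allowed acl, not allowed acl, denied acl (acls pointing to addresses)
#
# Each of these tests requires changing to a new configuration
# file and using rndc to update the server
#
# In view, with nothing in options (default to any)
#   default (any), any, none, [localhost, localnets],
#   allowed address, not allowed address, denied address,
#   allowed key, not allowed key, denied key
#   allowed acl, not allowed acl, denied acl (acls pointing to addresses)
#
# In view, with options set to none, view set to any
# In view, with options set to any, view set to none
#
# In zone, with nothing in options (default to any)
#   any, none, [localhost, localnets],
#   allowed address, denied address,
#   allowed key, not allowed key, denied key
#   allowed acl, not allowed acl, denied acl (acls pointing to addresses),
#
# In zone, with options set to none, zone set to any
# In zone, with options set to any, zone set to none
# In zone, with view set to none, zone set to any
# In zone, with view set to any, zone set to none
#
# zone types of primary, secondary and stub can be tested in parallel by
# using multiple instances (ns2 as primary, ns3 as secondary, ns4 as stub)
# and querying as necessary.
#
# Test numbering: the options tests are 1-12, the view tests 21-34 and the
# zone tests 41-57 ($n is reset to 20 and 40 below), so the gaps in the
# numbers are intentional. Tests 58-62 exercise the allow-recursion and
# allow-query-cache defaults and their "-on" variants against ns3.
#
# Every "query refused" check asserts both the REFUSED rcode and the absence
# of the owner name from dig's output, so a refusal that still returns answer
# data is reported as a failure rather than passing on the rcode alone.

SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"

# +norec sends the queries without the RD bit, so it is allow-query (not
# allow-recursion) that decides whether ns2 answers them.
DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnssec -p ${PORT}"

status=0
n=0

#######################################
# Switch ns2 to a new configuration and make it reload.
# Arguments: $1 - template under ns2/ (e.g. named02.conf.in)
#######################################
reload_ns2() {
  copy_setports "ns2/$1" ns2/named.conf
  rndc_reload ns2 10.53.0.2
}

#######################################
# Start the next numbered test: bump $n, announce $1 and reset $ret.
# Globals:   n (written), ret (written)
# Arguments: $1 - test description, logged as "test $n: $1"
#######################################
next_test() {
  n=$((n + 1))
  echo_i "test $n: $1"
  ret=0
}

#######################################
# Finish the current test: report a failure and fold $ret into $status.
# Globals:   ret (read), status (written)
#######################################
end_test() {
  if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
}

#######################################
# Run one complete allow-query test against ns2.
# Sends a single non-recursive A query from source address 10.53.0.2 (the
# address the ACLs in the ns2/named*.conf.in templates are written for) and
# checks that the server answered, or refused, as expected.
# Globals:   DIG, DIGOPTS, n (read via next_test)
# Arguments: $1 - expected rcode: NOERROR (query allowed) or REFUSED
#            $2 - test description
#            $3 - owner name to query
#            $4... - extra dig options placed before the name, e.g.
#                    "-y name:secret" to sign the query with a TSIG key
# Outputs:   dig output in dig.out.ns2.$n
#######################################
check_ns2_query() {
  _rcode=$1
  _qname=$3
  next_test "$2"
  shift 3
  # $DIG and $DIGOPTS are intentionally unquoted: both hold space-separated
  # command words that must be split.
  # shellcheck disable=SC2086
  $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 "$@" "$_qname" a > "dig.out.ns2.$n" || ret=1
  grep "status: $_rcode" "dig.out.ns2.$n" > /dev/null || ret=1
  if [ "$_rcode" = NOERROR ]; then
    # An allowed query must actually carry the record in its answer.
    grep "^$_qname" "dig.out.ns2.$n" > /dev/null || ret=1
  else
    # A refused query must not leak the record alongside the REFUSED rcode.
    grep "^$_qname" "dig.out.ns2.$n" > /dev/null && ret=1
  fi
  end_test
}

nextpart ns2/named.run > /dev/null

# Tests 1-12: allow-query in the options statement.

# Test 1 - default, query allowed
check_ns2_query NOERROR "default - query allowed" a.normal.example

# Test 2 - explicit any, query allowed
reload_ns2 named02.conf.in
check_ns2_query NOERROR "explicit any - query allowed" a.normal.example

# Test 3 - none, query refused
reload_ns2 named03.conf.in
check_ns2_query REFUSED "none - query refused" a.normal.example

# Test 4 - address allowed, query allowed
reload_ns2 named04.conf.in
check_ns2_query NOERROR "address allowed - query allowed" a.normal.example

# Test 5 - address not allowed, query refused
reload_ns2 named05.conf.in
check_ns2_query REFUSED "address not allowed - query refused" a.normal.example

# Test 6 - address disallowed, query refused
reload_ns2 named06.conf.in
check_ns2_query REFUSED "address disallowed - query refused" a.normal.example

# Test 7 - acl allowed, query allowed
reload_ns2 named07.conf.in
check_ns2_query NOERROR "acl allowed - query allowed" a.normal.example

# Test 8 - acl not allowed, query refused
reload_ns2 named08.conf.in
check_ns2_query REFUSED "acl not allowed - query refused" a.normal.example

# Test 9 - acl disallowed, query refused
reload_ns2 named09.conf.in
check_ns2_query REFUSED "acl disallowed - query refused" a.normal.example

# Test 10 - key allowed, query allowed
reload_ns2 named10.conf.in
check_ns2_query NOERROR "key allowed - query allowed" a.normal.example -y one:1234abcd8765

# Test 11 - key not allowed, query refused
reload_ns2 named11.conf.in
check_ns2_query REFUSED "key not allowed - query refused" a.normal.example -y two:1234efgh8765

# Test 12 - key disallowed, query refused
reload_ns2 named12.conf.in
check_ns2_query REFUSED "key disallowed - query refused" a.normal.example -y one:1234abcd8765

# The next set of tests check if allow-query works in a view

n=20

# Test 21 - views default, query allowed
reload_ns2 named21.conf.in
check_ns2_query NOERROR "views default - query allowed" a.normal.example

# Test 22 - views explicit any, query allowed
reload_ns2 named22.conf.in
check_ns2_query NOERROR "views explicit any - query allowed" a.normal.example

# Test 23 - views none, query refused
reload_ns2 named23.conf.in
check_ns2_query REFUSED "views none - query refused" a.normal.example

# Test 24 - views address allowed, query allowed
reload_ns2 named24.conf.in
check_ns2_query NOERROR "views address allowed - query allowed" a.normal.example

# Test 25 - views address not allowed, query refused
reload_ns2 named25.conf.in
check_ns2_query REFUSED "views address not allowed - query refused" a.normal.example

# Test 26 - views address disallowed, query refused
reload_ns2 named26.conf.in
check_ns2_query REFUSED "views address disallowed - query refused" a.normal.example

# Test 27 - views acl allowed, query allowed
reload_ns2 named27.conf.in
check_ns2_query NOERROR "views acl allowed - query allowed" a.normal.example

# Test 28 - views acl not allowed, query refused
reload_ns2 named28.conf.in
check_ns2_query REFUSED "views acl not allowed - query refused" a.normal.example

# Test 29 - views acl disallowed, query refused
reload_ns2 named29.conf.in
check_ns2_query REFUSED "views acl disallowed - query refused" a.normal.example

# Test 30 - views key allowed, query allowed
reload_ns2 named30.conf.in
check_ns2_query NOERROR "views key allowed - query allowed" a.normal.example -y one:1234abcd8765

# Test 31 - views key not allowed, query refused
reload_ns2 named31.conf.in
check_ns2_query REFUSED "views key not allowed - query refused" a.normal.example -y two:1234efgh8765

# Test 32 - views key disallowed, query refused
reload_ns2 named32.conf.in
check_ns2_query REFUSED "views key disallowed - query refused" a.normal.example -y one:1234abcd8765

# Test 33 - views over options, views allow, query allowed
reload_ns2 named33.conf.in
check_ns2_query NOERROR "views over options, views allow - query allowed" a.normal.example

# Test 34 - views over options, views disallow, query refused
reload_ns2 named34.conf.in
check_ns2_query REFUSED "views over options, views disallow - query refused" a.normal.example

# Tests for allow-query in the zone statements

n=40

# Test 41 - zone default, query allowed
# named40.conf.in defines the per-zone ACL variants queried by tests 42-52
# as well, so those tests do not reload the server.
reload_ns2 named40.conf.in
check_ns2_query NOERROR "zone default - query allowed" a.normal.example

# Test 42 - zone explicit any, query allowed
check_ns2_query NOERROR "zone explicit any - query allowed" a.any.example

# Test 43 - zone none, query refused
check_ns2_query REFUSED "zone none - query refused" a.none.example

# Test 44 - zone address allowed, query allowed
check_ns2_query NOERROR "zone address allowed - query allowed" a.addrallow.example

# Test 45 - zone address not allowed, query refused
check_ns2_query REFUSED "zone address not allowed - query refused" a.addrnotallow.example

# Test 46 - zone address disallowed, query refused
check_ns2_query REFUSED "zone address disallowed - query refused" a.addrdisallow.example

# Test 47 - zone acl allowed, query allowed
check_ns2_query NOERROR "zone acl allowed - query allowed" a.aclallow.example

# Test 48 - zone acl not allowed, query refused
check_ns2_query REFUSED "zone acl not allowed - query refused" a.aclnotallow.example

# Test 49 - zone acl disallowed, query refused
check_ns2_query REFUSED "zone acl disallowed - query refused" a.acldisallow.example

# Test 50 - zone key allowed, query allowed
check_ns2_query NOERROR "zone key allowed - query allowed" a.keyallow.example -y one:1234abcd8765

# Test 51 - zone key not allowed, query refused
# Same zone as test 50, signed with a key that is not in its allow-query.
check_ns2_query REFUSED "zone key not allowed - query refused" a.keyallow.example -y two:1234efgh8765

# Test 52 - zone key disallowed, query refused
check_ns2_query REFUSED "zone key disallowed - query refused" a.keydisallow.example -y one:1234abcd8765

# Test 53 - zones over options, zones allow, query allowed
reload_ns2 named53.conf.in
check_ns2_query NOERROR "zones over options, zones allow - query allowed" a.normal.example

# Test 54 - zones over options, zones disallow, query refused
reload_ns2 named54.conf.in
check_ns2_query REFUSED "zones over options, zones disallow - query refused" a.normal.example

# Test 55 - zones over views, zones allow, query allowed
reload_ns2 named55.conf.in
check_ns2_query NOERROR "zones over views, zones allow - query allowed" a.normal.example

# Test 56 - zones over views, zones disallow, query refused
reload_ns2 named56.conf.in
check_ns2_query REFUSED "zones over views, zones disallow - query refused" a.normal.example

# Test 57 - zones over views, zones disallow, query refused (allow-query-on)
# Two zones are queried under one configuration, so this test is written
# out rather than going through check_ns2_query.
reload_ns2 named57.conf.in
next_test "zones over views, allow-query-on"
# shellcheck disable=SC2086
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > "dig.out.ns2.1.$n" || ret=1
grep 'status: NOERROR' "dig.out.ns2.1.$n" > /dev/null || ret=1
grep '^a.normal.example' "dig.out.ns2.1.$n" > /dev/null || ret=1
# shellcheck disable=SC2086
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > "dig.out.ns2.2.$n" || ret=1
grep 'status: REFUSED' "dig.out.ns2.2.$n" > /dev/null || ret=1
grep '^a.aclnotallow.example' "dig.out.ns2.2.$n" > /dev/null && ret=1
end_test

# Tests 58-62 run against ns3 with plain recursive queries (no $DIGOPTS,
# so the RD bit is set); they check the recursion and cache ACLs rather
# than allow-query. A dig failure is recorded as a test failure here as in
# the ns2 tests above.

# Test 58 - allow-recursion default
next_test "default allow-recursion configuration"
# Recursion is expected to be allowed from 127.0.0.1 and refused from
# 10.53.0.1 under the default configuration.
$DIG -p "${PORT}" @10.53.0.3 -b 127.0.0.1 a.normal.example a > "dig.out.ns3.1.$n" || ret=1
grep 'status: NOERROR' "dig.out.ns3.1.$n" > /dev/null || ret=1
$DIG -p "${PORT}" @10.53.0.3 -b 10.53.0.1 a.normal.example a > "dig.out.ns3.2.$n" || ret=1
grep 'status: REFUSED' "dig.out.ns3.2.$n" > /dev/null || ret=1
end_test

# Test 59 - allow-query-cache default
next_test "default allow-query-cache configuration"
# Querying the root NS set from the cache mirrors test 58's address split.
$DIG -p "${PORT}" @10.53.0.3 -b 127.0.0.1 ns . > "dig.out.ns3.1.$n" || ret=1
grep 'status: NOERROR' "dig.out.ns3.1.$n" > /dev/null || ret=1
$DIG -p "${PORT}" @10.53.0.3 -b 10.53.0.1 ns . > "dig.out.ns3.2.$n" || ret=1
grep 'status: REFUSED' "dig.out.ns3.2.$n" > /dev/null || ret=1
end_test

# Test 60 - block recursion-on, allow query-cache-on
copy_setports ns3/named2.conf.in ns3/named.conf
rndc_reload ns3 10.53.0.3

next_test "block recursion-on, allow query-cache-on"
# this should query the cache, and an answer should already be there
$DIG -p "${PORT}" @10.53.0.3 a.normal.example a > "dig.out.ns3.1.$n" || ret=1
grep 'recursion requested but not available' "dig.out.ns3.1.$n" > /dev/null || ret=1
grep 'ANSWER: 1' "dig.out.ns3.1.$n" > /dev/null || ret=1
# this should require recursion and therefore can't get an answer
$DIG -p "${PORT}" @10.53.0.3 b.normal.example a > "dig.out.ns3.2.$n" || ret=1
grep 'recursion requested but not available' "dig.out.ns3.2.$n" > /dev/null || ret=1
grep 'ANSWER: 0' "dig.out.ns3.2.$n" > /dev/null || ret=1
end_test

# Test 61 - inheritance of allow-query-cache-on from allow-recursion-on
# The "-on" ACLs are keyed by the address the query arrives on, so ns3 is
# reached through two addresses: 10.53.0.3 (expected allowed) and 10.53.1.2
# (expected refused).
copy_setports ns3/named3.conf.in ns3/named.conf
rndc_reload ns3 10.53.0.3

next_test "inheritance of allow-query-cache-on"
# this should query the cache, an answer should already be there
$DIG -p "${PORT}" @10.53.0.3 a.normal.example a > "dig.out.ns3.1.$n" || ret=1
grep 'ANSWER: 1' "dig.out.ns3.1.$n" > /dev/null || ret=1
# this should be refused due to allow-recursion-on/allow-query-cache-on
$DIG -p "${PORT}" @10.53.1.2 a.normal.example a > "dig.out.ns3.2.$n" || ret=1
grep 'recursion requested but not available' "dig.out.ns3.2.$n" > /dev/null || ret=1
grep 'status: REFUSED' "dig.out.ns3.2.$n" > /dev/null || ret=1
# this should require recursion and should be allowed
$DIG -p "${PORT}" @10.53.0.3 c.normal.example a > "dig.out.ns3.3.$n" || ret=1
grep 'ANSWER: 1' "dig.out.ns3.3.$n" > /dev/null || ret=1
# this should require recursion and be refused
$DIG -p "${PORT}" @10.53.1.2 d.normal.example a > "dig.out.ns3.4.$n" || ret=1
grep 'recursion requested but not available' "dig.out.ns3.4.$n" > /dev/null || ret=1
grep 'status: REFUSED' "dig.out.ns3.4.$n" > /dev/null || ret=1
end_test

# Test 62 - inheritance of allow-recursion-on from allow-query-cache-on
copy_setports ns3/named4.conf.in ns3/named.conf
rndc_reload ns3 10.53.0.3

next_test "inheritance of allow-recursion-on"
# this should query the cache, an answer should already be there
$DIG -p "${PORT}" @10.53.0.3 a.normal.example a > "dig.out.ns3.1.$n" || ret=1
grep 'ANSWER: 1' "dig.out.ns3.1.$n" > /dev/null || ret=1
# this should be refused due to allow-recursion-on/allow-query-cache-on
$DIG -p "${PORT}" @10.53.1.2 a.normal.example a > "dig.out.ns3.2.$n" || ret=1
grep 'recursion requested but not available' "dig.out.ns3.2.$n" > /dev/null || ret=1
grep 'status: REFUSED' "dig.out.ns3.2.$n" > /dev/null || ret=1
# this should require recursion and should be allowed
$DIG -p "${PORT}" @10.53.0.3 e.normal.example a > "dig.out.ns3.3.$n" || ret=1
grep 'ANSWER: 1' "dig.out.ns3.3.$n" > /dev/null || ret=1
# this should require recursion and be refused
$DIG -p "${PORT}" @10.53.1.2 f.normal.example a > "dig.out.ns3.4.$n" || ret=1
grep 'recursion requested but not available' "dig.out.ns3.4.$n" > /dev/null || ret=1
grep 'status: REFUSED' "dig.out.ns3.4.$n" > /dev/null || ret=1
end_test

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1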