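#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Test of allow-query statement.
# allow-query takes an address match list and can be included in either the
# options statement or in the zone statement.  This test assumes that the
# acl tests cover the details of the address match list and uses a limited
# number of address match test cases to ensure that allow-query finds the
# expected match.
# Test list:
# In options:
# default (any), any, none, [localhost, localnets],
# allowed address, not allowed address, denied address,
# allowed key, not allowed key, denied key
# allowed acl, not allowed acl, denied acl (acls pointing to addresses)
#
# Each of these tests requires changing to a new configuration
# file and using rndc to update the server
#
# In view, with nothing in options (default to any)
# default (any), any, none, [localhost, localnets],
# allowed address, not allowed address, denied address,
# allowed key, not allowed key, denied key
# allowed acl, not allowed acl, denied acl (acls pointing to addresses)
#
# In view, with options set to none, view set to any
# In view, with options set to any, view set to none
#
# In zone, with nothing in options (default to any)
# any, none, [localhost, localnets],
# allowed address, denied address,
# allowed key, not allowed key, denied key
# allowed acl, not allowed acl, denied acl (acls pointing to addresses),
#
# In zone, with options set to none, zone set to any
# In zone, with options set to any, zone set to none
# In zone, with view set to none, zone set to any
# In zone, with view set to any, zone set to none
#
# zone types of primary, secondary and stub can be tested in parallel by
# using multiple instances (ns2 as primary, ns3 as secondary, ns4 as stub)
# and querying as necessary.
#
# Every case below records the reply in dig.out.<server>[.<k>].<n> and
# counts failures into $status; the script exits non-zero if any case failed.

SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

# Non-recursive TCP queries printing only the answer section, so that the
# '^<name>' greps below can only match an answer record, never the question.
DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnssec -p ${PORT}"

status=0
n=0

# reload_ns2 NN
#   Install ns2/namedNN.conf.in as ns2/named.conf and reload ns2.
reload_ns2() {
	copy_setports ns2/named$1.conf.in ns2/named.conf
	rndc_reload ns2 10.53.0.2
}

# query_ns2 OUTFILE NAME [DIG-ARGS...]
#   Send one query for NAME (type A) to ns2, sourced from ns2's own address
#   10.53.0.2, with DIG-ARGS (e.g. a "-y key:secret" TSIG option) placed
#   before the name.  The reply is written to OUTFILE.
#   Returns dig's exit status.  (POSIX sh: the variables below are global.)
query_ns2() {
	out=$1
	qname=$2
	shift 2
	$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 "$@" "$qname" a > "$out"
}

# check_allowed OUTFILE NAME
#   Succeed only if the reply in OUTFILE has status NOERROR and carries an
#   answer record for NAME.
check_allowed() {
	grep 'status: NOERROR' "$1" > /dev/null || return 1
	grep "^$2" "$1" > /dev/null || return 1
	return 0
}

# check_refused OUTFILE NAME
#   Succeed only if the reply in OUTFILE has status REFUSED and no record
#   for NAME appears in it; a REFUSED reply that still carries the record
#   counts as a failure.
check_refused() {
	grep 'status: REFUSED' "$1" > /dev/null || return 1
	grep "^$2" "$1" > /dev/null && return 1
	return 0
}

# check_ns2 EXPECT DESC NAME [DIG-ARGS...]
#   Run one allow-query case against ns2: increment the case counter $n,
#   log "test $n: DESC - query EXPECT", query NAME (passing DIG-ARGS to
#   dig) and verify the reply against EXPECT, which is "allowed" or
#   "refused".  Adds 1 to $status when the case fails.
check_ns2() {
	expect=$1
	desc=$2
	name=$3
	shift 3
	n=$((n + 1))
	echo_i "test $n: $desc - query $expect"
	ret=0
	query_ns2 dig.out.ns2.$n "$name" "$@" || ret=1
	case $expect in
	allowed) check_allowed dig.out.ns2.$n "$name" || ret=1 ;;
	refused) check_refused dig.out.ns2.$n "$name" || ret=1 ;;
	*) echo_i "check_ns2: unknown expectation '$expect'"; ret=1 ;;
	esac
	if [ $ret != 0 ]; then echo_i "failed"; fi
	status=$((status + ret))
}

nextpart ns2/named.run > /dev/null

# Test 1 - default, query allowed
check_ns2 allowed "default" a.normal.example

# Test 2 - explicit any, query allowed
reload_ns2 02
check_ns2 allowed "explicit any" a.normal.example

# Test 3 - none, query refused
reload_ns2 03
check_ns2 refused "none" a.normal.example

# Test 4 - address allowed, query allowed
reload_ns2 04
check_ns2 allowed "address allowed" a.normal.example

# Test 5 - address not allowed, query refused
reload_ns2 05
check_ns2 refused "address not allowed" a.normal.example

# Test 6 - address disallowed, query refused
reload_ns2 06
check_ns2 refused "address disallowed" a.normal.example

# Test 7 - acl allowed, query allowed
reload_ns2 07
check_ns2 allowed "acl allowed" a.normal.example

# Test 8 - acl not allowed, query refused
reload_ns2 08
check_ns2 refused "acl not allowed" a.normal.example

# Test 9 - acl disallowed, query refused
reload_ns2 09
check_ns2 refused "acl disallowed" a.normal.example

# The key cases sign the query with the test-fixture TSIG keys "one" and
# "two" shipped with this system test.

# Test 10 - key allowed, query allowed
reload_ns2 10
check_ns2 allowed "key allowed" a.normal.example -y one:1234abcd8765

# Test 11 - key not allowed, query refused
reload_ns2 11
check_ns2 refused "key not allowed" a.normal.example -y two:1234efgh8765

# Test 12 - key disallowed, query refused
reload_ns2 12
check_ns2 refused "key disallowed" a.normal.example -y one:1234abcd8765

# The next set of tests check if allow-query works in a view

n=20
# Test 21 - views default, query allowed
reload_ns2 21
check_ns2 allowed "views default" a.normal.example

# Test 22 - views explicit any, query allowed
reload_ns2 22
check_ns2 allowed "views explicit any" a.normal.example

# Test 23 - views none, query refused
reload_ns2 23
check_ns2 refused "views none" a.normal.example

# Test 24 - views address allowed, query allowed
reload_ns2 24
check_ns2 allowed "views address allowed" a.normal.example

# Test 25 - views address not allowed, query refused
reload_ns2 25
check_ns2 refused "views address not allowed" a.normal.example

# Test 26 - views address disallowed, query refused
reload_ns2 26
check_ns2 refused "views address disallowed" a.normal.example

# Test 27 - views acl allowed, query allowed
reload_ns2 27
check_ns2 allowed "views acl allowed" a.normal.example

# Test 28 - views acl not allowed, query refused
reload_ns2 28
check_ns2 refused "views acl not allowed" a.normal.example

# Test 29 - views acl disallowed, query refused
reload_ns2 29
check_ns2 refused "views acl disallowed" a.normal.example

# Test 30 - views key allowed, query allowed
reload_ns2 30
check_ns2 allowed "views key allowed" a.normal.example -y one:1234abcd8765

# Test 31 - views key not allowed, query refused
reload_ns2 31
check_ns2 refused "views key not allowed" a.normal.example -y two:1234efgh8765

# Test 32 - views key disallowed, query refused
reload_ns2 32
check_ns2 refused "views key disallowed" a.normal.example -y one:1234abcd8765

# Test 33 - views over options, views allow, query allowed
reload_ns2 33
check_ns2 allowed "views over options, views allow" a.normal.example

# Test 34 - views over options, views disallow, query refused
reload_ns2 34
check_ns2 refused "views over options, views disallow" a.normal.example

# Tests for allow-query in the zone statements

n=40

# Test 41 - zone default, query allowed
# named40.conf.in stays loaded for tests 41-52; each zone in it carries the
# allow-query setting its name describes.
reload_ns2 40
check_ns2 allowed "zone default" a.normal.example

# Test 42 - zone explicit any, query allowed
check_ns2 allowed "zone explicit any" a.any.example

# Test 43 - zone none, query refused
check_ns2 refused "zone none" a.none.example

# Test 44 - zone address allowed, query allowed
check_ns2 allowed "zone address allowed" a.addrallow.example

# Test 45 - zone address not allowed, query refused
check_ns2 refused "zone address not allowed" a.addrnotallow.example

# Test 46 - zone address disallowed, query refused
check_ns2 refused "zone address disallowed" a.addrdisallow.example

# Test 47 - zone acl allowed, query allowed
check_ns2 allowed "zone acl allowed" a.aclallow.example

# Test 48 - zone acl not allowed, query refused
check_ns2 refused "zone acl not allowed" a.aclnotallow.example

# Test 49 - zone acl disallowed, query refused
check_ns2 refused "zone acl disallowed" a.acldisallow.example

# Test 50 - zone key allowed, query allowed
check_ns2 allowed "zone key allowed" a.keyallow.example -y one:1234abcd8765

# Test 51 - zone key not allowed, query refused
check_ns2 refused "zone key not allowed" a.keyallow.example -y two:1234efgh8765

# Test 52 - zone key disallowed, query refused
check_ns2 refused "zone key disallowed" a.keydisallow.example -y one:1234abcd8765

# Test 53 - zones over options, zones allow, query allowed
reload_ns2 53
check_ns2 allowed "zones over options, zones allow" a.normal.example

# Test 54 - zones over options, zones disallow, query refused
reload_ns2 54
check_ns2 refused "zones over options, zones disallow" a.normal.example

# Test 55 - zones over views, zones allow, query allowed
reload_ns2 55
check_ns2 allowed "zones over views, zones allow" a.normal.example

# Test 56 - zones over views, zones disallow, query refused
reload_ns2 56
check_ns2 refused "zones over views, zones disallow" a.normal.example

# Test 57 - zones over views, zones disallow, query refused (allow-query-on)
n=$((n + 1))
reload_ns2 57
echo_i "test $n: zones over views, allow-query-on"
ret=0
query_ns2 dig.out.ns2.1.$n a.normal.example || ret=1
check_allowed dig.out.ns2.1.$n a.normal.example || ret=1
query_ns2 dig.out.ns2.2.$n a.aclnotallow.example || ret=1
check_refused dig.out.ns2.2.$n a.aclnotallow.example || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# The remaining cases query the recursive server ns3 with dig's defaults
# (recursion desired), so DIGOPTS is deliberately not used.

# Test 58 - allow-recursion default
n=$((n + 1))
echo_i "test $n: default allow-recursion configuration"
ret=0
# from localhost: covered by the default allow-recursion
$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 a.normal.example a > dig.out.ns3.1.$n || ret=1
grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1
# from an outside address: must be refused
$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 a.normal.example a > dig.out.ns3.2.$n || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Test 59 - allow-query-cache default
n=$((n + 1))
echo_i "test $n: default allow-query-cache configuration"
ret=0
$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 ns . > dig.out.ns3.1.$n || ret=1
grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 ns . > dig.out.ns3.2.$n || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Test 60 - block recursion-on, allow query-cache-on
n=$((n + 1))
copy_setports ns3/named2.conf.in ns3/named.conf
rndc_reload ns3 10.53.0.3

echo_i "test $n: block recursion-on, allow query-cache-on"
ret=0
# this should query the cache, and an answer should already be there
$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n || ret=1
grep 'recursion requested but not available' dig.out.ns3.1.$n > /dev/null || ret=1
grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1
# this should require recursion and therefore can't get an answer
$DIG -p ${PORT} @10.53.0.3 b.normal.example a > dig.out.ns3.2.$n || ret=1
grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'ANSWER: 0' dig.out.ns3.2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Test 61 - inheritance of allow-query-cache-on from allow-recursion-on
n=$((n + 1))
copy_setports ns3/named3.conf.in ns3/named.conf
rndc_reload ns3 10.53.0.3

echo_i "test $n: inheritance of allow-query-cache-on"
ret=0
# this should query the cache, an answer should already be there
$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n || ret=1
grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1
# this should be refused due to allow-recursion-on/allow-query-cache-on
$DIG -p ${PORT} @10.53.1.2 a.normal.example a > dig.out.ns3.2.$n || ret=1
grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
# this should require recursion and should be allowed
$DIG -p ${PORT} @10.53.0.3 c.normal.example a > dig.out.ns3.3.$n || ret=1
grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1
# this should require recursion and be refused
$DIG -p ${PORT} @10.53.1.2 d.normal.example a > dig.out.ns3.4.$n || ret=1
grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Test 62 - inheritance of allow-recursion-on from allow-query-cache-on
n=$((n + 1))
copy_setports ns3/named4.conf.in ns3/named.conf
rndc_reload ns3 10.53.0.3

echo_i "test $n: inheritance of allow-recursion-on"
ret=0
# this should query the cache, an answer should already be there
$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n || ret=1
grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1
# this should be refused due to allow-recursion-on/allow-query-cache-on
$DIG -p ${PORT} @10.53.1.2 a.normal.example a > dig.out.ns3.2.$n || ret=1
grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
# this should require recursion and should be allowed
$DIG -p ${PORT} @10.53.0.3 e.normal.example a > dig.out.ns3.3.$n || ret=1
grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1
# this should require recursion and be refused
$DIG -p ${PORT} @10.53.1.2 f.normal.example a > dig.out.ns3.4.$n || ret=1
grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1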
687