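#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0.  If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Test of allow-query statement.
# allow-query takes an address match list and can be included in either the
# options statement or in the zone statement.  This test assumes that the
# acl tests cover the details of the address match list and uses a limited
# number of address match test cases to ensure that allow-query finds the
# expected match.
# Test list:
# In options:
# default (any), any, none, [localhost, localnets],
# allowed address, not allowed address, denied address,
# allowed key, not allowed key, denied key
# allowed acl, not allowed acl, denied acl (acls pointing to addresses)
#
# Each of these tests requires changing to a new configuration
# file and using rndc to update the server
#
# In view, with nothing in options (default to any)
# default (any), any, none, [localhost, localnets],
# allowed address, not allowed address, denied address,
# allowed key, not allowed key, denied key
# allowed acl, not allowed acl, denied acl (acls pointing to addresses)
#
# In view, with options set to none, view set to any
# In view, with options set to any, view set to none
#
# In zone, with nothing in options (default to any)
# any, none, [localhost, localnets],
# allowed address, denied address,
# allowed key, not allowed key, denied key
# allowed acl, not allowed acl, denied acl (acls pointing to addresses),
#
# In zone, with options set to none, zone set to any
# In zone, with options set to any, zone set to none
# In zone, with view set to none, zone set to any
# In zone, with view set to any, zone set to none
#
# zone types of primary, secondary and stub can be tested in parallel by
# using multiple instances (ns2 as primary, ns3 as secondary, ns4 as stub)
# and querying as necessary.
#
# Every probe below records a non-zero $ret on any mismatch (including a
# dig that gets no reply at all) and finish_test folds $ret into $status,
# so the final exit code reflects every failed test, not only the last one.

SYSTEMTESTTOP=..
# conf.sh provides DIG, PORT, echo_i, copy_setports, rndc_reload and nextpart.
. "$SYSTEMTESTTOP/conf.sh"

# DIG and DIGOPTS hold several words and are expanded unquoted on purpose.
DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnssec -p ${PORT}"

status=0
n=0

#######################################
# Install a fresh named.conf on a server instance and reload it.
# Arguments: $1 - instance directory (ns2, ns3)
#            $2 - configuration template inside that directory
#            $3 - address rndc_reload should contact
#######################################
reload_conf() {
  copy_setports "$1/$2" "$1/named.conf"
  rndc_reload "$1" "$3"
}

#######################################
# Query ns2 from 10.53.0.2 and check the rcode and the answer section.
# A NOERROR expectation also requires the owner name to be present in the
# dig output; any other expectation (REFUSED) requires it to be absent,
# so a refused query that still leaks an answer counts as a failure.
# Arguments: $1 - file that receives the dig output
#            $2 - expected rcode (NOERROR or REFUSED)
#            $3 - query name (queried for type A)
#            $4... - extra dig options placed before the name, e.g. "-y key"
# Globals:   DIG, DIGOPTS (read); ret (set to 1 on any mismatch)
#######################################
query_ns2() {
  out=$1
  expected=$2
  qname=$3
  shift 3
  # shellcheck disable=SC2086 -- DIG/DIGOPTS are word lists by design
  $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 "$@" "$qname" a > "$out" || ret=1
  grep "status: $expected" "$out" > /dev/null || ret=1
  if [ "$expected" = NOERROR ]; then
    grep "^$qname" "$out" > /dev/null || ret=1
  else
    grep "^$qname" "$out" > /dev/null && ret=1
  fi
}

#######################################
# Report the current test as failed when $ret is set and fold it into
# the overall $status.
# Globals:   ret (read); status (updated)
#######################################
finish_test() {
  if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
}

nextpart ns2/named.run > /dev/null

# Test 1 - default, query allowed
n=$((n + 1))
echo_i "test $n: default - query allowed"
ret=0
query_ns2 "dig.out.ns2.$n" NOERROR a.normal.example
finish_test

# Test 2 - explicit any, query allowed
n=$((n + 1))
reload_conf ns2 named02.conf.in 10.53.0.2
echo_i "test $n: explicit any - query allowed"
ret=0
query_ns2 "dig.out.ns2.$n" NOERROR a.normal.example
finish_test

# Test 3 - none, query refused
n=$((n + 1))
reload_conf ns2 named03.conf.in 10.53.0.2
echo_i "test $n: none - query refused"
ret=0
query_ns2 "dig.out.ns2.$n" REFUSED a.normal.example
finish_test

# Test 4 - address allowed, query allowed
n=$((n + 1))
reload_conf ns2 named04.conf.in 10.53.0.2
echo_i "test $n: address allowed - query allowed"
ret=0
query_ns2 "dig.out.ns2.$n" NOERROR a.normal.example
finish_test

# Test 5 - address not allowed, query refused
n=$((n + 1))
reload_conf ns2 named05.conf.in 10.53.0.2
echo_i "test $n: address not allowed - query refused"
ret=0
query_ns2 "dig.out.ns2.$n" REFUSED a.normal.example
finish_test

# Test 6 - address disallowed, query refused
n=$((n + 1))
reload_conf ns2 named06.conf.in 10.53.0.2
echo_i "test $n: address disallowed - query refused"
ret=0
query_ns2 "dig.out.ns2.$n" REFUSED a.normal.example
finish_test

# Test 7 - acl allowed, query allowed
n=$((n + 1))
reload_conf ns2 named07.conf.in 10.53.0.2
echo_i "test $n: acl allowed - query allowed"
ret=0
query_ns2 "dig.out.ns2.$n" NOERROR a.normal.example
finish_test

# Test 8 - acl not allowed, query refused
n=$((n + 1))
reload_conf ns2 named08.conf.in 10.53.0.2
echo_i "test $n: acl not allowed - query refused"
ret=0
query_ns2 "dig.out.ns2.$n" REFUSED a.normal.example
finish_test

# Test 9 - acl disallowed, query refused
n=$((n + 1))
reload_conf ns2 named09.conf.in 10.53.0.2
echo_i "test $n: acl disallowed - query refused"
ret=0
query_ns2 "dig.out.ns2.$n" REFUSED a.normal.example
finish_test

# Test 10 - key allowed, query allowed
n=$((n + 1))
reload_conf ns2 named10.conf.in 10.53.0.2
echo_i "test $n: key allowed - query allowed"
ret=0
query_ns2 "dig.out.ns2.$n" NOERROR a.normal.example -y one:1234abcd8765
finish_test

# Test 11 - key not allowed, query refused
n=$((n + 1))
reload_conf ns2 named11.conf.in 10.53.0.2
echo_i "test $n: key not allowed - query refused"
ret=0
query_ns2 "dig.out.ns2.$n" REFUSED a.normal.example -y two:1234efgh8765
finish_test

# Test 12 - key disallowed, query refused
n=$((n + 1))
reload_conf ns2 named12.conf.in 10.53.0.2
echo_i "test $n: key disallowed - query refused"
ret=0
query_ns2 "dig.out.ns2.$n" REFUSED a.normal.example -y one:1234abcd8765
finish_test

# The next set of tests check if allow-query works in a view

n=20
# Test 21 - views default, query allowed
n=$((n + 1))
reload_conf ns2 named21.conf.in 10.53.0.2
echo_i "test $n: views default - query allowed"
ret=0
query_ns2 "dig.out.ns2.$n" NOERROR a.normal.example
finish_test

# Test 22 - views explicit any, query allowed
n=$((n + 1))
reload_conf ns2 named22.conf.in 10.53.0.2
echo_i "test $n: views explicit any - query allowed"
ret=0
query_ns2 "dig.out.ns2.$n" NOERROR a.normal.example
finish_test

# Test 23 - views none, query refused
n=$((n + 1))
reload_conf ns2 named23.conf.in 10.53.0.2
echo_i "test $n: views none - query refused"
ret=0
query_ns2 "dig.out.ns2.$n" REFUSED a.normal.example
finish_test

# Test 24 - views address allowed, query allowed
n=$((n + 1))
reload_conf ns2 named24.conf.in 10.53.0.2
echo_i "test $n: views address allowed - query allowed"
ret=0
query_ns2 "dig.out.ns2.$n" NOERROR a.normal.example
finish_test

# Test 25 - views address not allowed, query refused
n=$((n + 1))
reload_conf ns2 named25.conf.in 10.53.0.2
echo_i "test $n: views address not allowed - query refused"
ret=0
query_ns2 "dig.out.ns2.$n" REFUSED a.normal.example
finish_test

# Test 26 - views address disallowed, query refused
n=$((n + 1))
reload_conf ns2 named26.conf.in 10.53.0.2
echo_i "test $n: views address disallowed - query refused"
ret=0
query_ns2 "dig.out.ns2.$n" REFUSED a.normal.example
finish_test

# Test 27 - views acl allowed, query allowed
n=$((n + 1))
reload_conf ns2 named27.conf.in 10.53.0.2
echo_i "test $n: views acl allowed - query allowed"
ret=0
query_ns2 "dig.out.ns2.$n" NOERROR a.normal.example
finish_test

# Test 28 - views acl not allowed, query refused
n=$((n + 1))
reload_conf ns2 named28.conf.in 10.53.0.2
echo_i "test $n: views acl not allowed - query refused"
ret=0
query_ns2 "dig.out.ns2.$n" REFUSED a.normal.example
finish_test

# Test 29 - views acl disallowed, query refused
n=$((n + 1))
reload_conf ns2 named29.conf.in 10.53.0.2
echo_i "test $n: views acl disallowed - query refused"
ret=0
query_ns2 "dig.out.ns2.$n" REFUSED a.normal.example
finish_test

# Test 30 - views key allowed, query allowed
n=$((n + 1))
reload_conf ns2 named30.conf.in 10.53.0.2
echo_i "test $n: views key allowed - query allowed"
ret=0
query_ns2 "dig.out.ns2.$n" NOERROR a.normal.example -y one:1234abcd8765
finish_test

# Test 31 - views key not allowed, query refused
n=$((n + 1))
reload_conf ns2 named31.conf.in 10.53.0.2
echo_i "test $n: views key not allowed - query refused"
ret=0
query_ns2 "dig.out.ns2.$n" REFUSED a.normal.example -y two:1234efgh8765
finish_test

# Test 32 - views key disallowed, query refused
n=$((n + 1))
reload_conf ns2 named32.conf.in 10.53.0.2
echo_i "test $n: views key disallowed - query refused"
ret=0
query_ns2 "dig.out.ns2.$n" REFUSED a.normal.example -y one:1234abcd8765
finish_test

# Test 33 - views over options, views allow, query allowed
n=$((n + 1))
reload_conf ns2 named33.conf.in 10.53.0.2
echo_i "test $n: views over options, views allow - query allowed"
ret=0
query_ns2 "dig.out.ns2.$n" NOERROR a.normal.example
finish_test

# Test 34 - views over options, views disallow, query refused
n=$((n + 1))
reload_conf ns2 named34.conf.in 10.53.0.2
echo_i "test $n: views over options, views disallow - query refused"
ret=0
query_ns2 "dig.out.ns2.$n" REFUSED a.normal.example
finish_test

# Tests for allow-query in the zone statements

n=40

# Test 41 - zone default, query allowed
n=$((n + 1))
reload_conf ns2 named40.conf.in 10.53.0.2
echo_i "test $n: zone default - query allowed"
ret=0
query_ns2 "dig.out.ns2.$n" NOERROR a.normal.example
finish_test

# Tests 42-52 all run against the configuration loaded for test 41; each
# zone carries its own allow-query, so only the query name changes.

# Test 42 - zone explicit any, query allowed
n=$((n + 1))
echo_i "test $n: zone explicit any - query allowed"
ret=0
query_ns2 "dig.out.ns2.$n" NOERROR a.any.example
finish_test

# Test 43 - zone none, query refused
n=$((n + 1))
echo_i "test $n: zone none - query refused"
ret=0
query_ns2 "dig.out.ns2.$n" REFUSED a.none.example
finish_test

# Test 44 - zone address allowed, query allowed
n=$((n + 1))
echo_i "test $n: zone address allowed - query allowed"
ret=0
query_ns2 "dig.out.ns2.$n" NOERROR a.addrallow.example
finish_test

# Test 45 - zone address not allowed, query refused
n=$((n + 1))
echo_i "test $n: zone address not allowed - query refused"
ret=0
query_ns2 "dig.out.ns2.$n" REFUSED a.addrnotallow.example
finish_test

# Test 46 - zone address disallowed, query refused
n=$((n + 1))
echo_i "test $n: zone address disallowed - query refused"
ret=0
query_ns2 "dig.out.ns2.$n" REFUSED a.addrdisallow.example
finish_test

# Test 47 - zone acl allowed, query allowed
n=$((n + 1))
echo_i "test $n: zone acl allowed - query allowed"
ret=0
query_ns2 "dig.out.ns2.$n" NOERROR a.aclallow.example
finish_test

# Test 48 - zone acl not allowed, query refused
n=$((n + 1))
echo_i "test $n: zone acl not allowed - query refused"
ret=0
query_ns2 "dig.out.ns2.$n" REFUSED a.aclnotallow.example
finish_test

# Test 49 - zone acl disallowed, query refused
n=$((n + 1))
echo_i "test $n: zone acl disallowed - query refused"
ret=0
query_ns2 "dig.out.ns2.$n" REFUSED a.acldisallow.example
finish_test

# Test 50 - zone key allowed, query allowed
n=$((n + 1))
echo_i "test $n: zone key allowed - query allowed"
ret=0
query_ns2 "dig.out.ns2.$n" NOERROR a.keyallow.example -y one:1234abcd8765
finish_test

# Test 51 - zone key not allowed, query refused
n=$((n + 1))
echo_i "test $n: zone key not allowed - query refused"
ret=0
query_ns2 "dig.out.ns2.$n" REFUSED a.keyallow.example -y two:1234efgh8765
finish_test

# Test 52 - zone key disallowed, query refused
n=$((n + 1))
echo_i "test $n: zone key disallowed - query refused"
ret=0
query_ns2 "dig.out.ns2.$n" REFUSED a.keydisallow.example -y one:1234abcd8765
finish_test

# Test 53 - zones over options, zones allow, query allowed
n=$((n + 1))
reload_conf ns2 named53.conf.in 10.53.0.2
# The message names the zone level, matching the test being run.
echo_i "test $n: zones over options, zones allow - query allowed"
ret=0
query_ns2 "dig.out.ns2.$n" NOERROR a.normal.example
finish_test

# Test 54 - zones over options, zones disallow, query refused
n=$((n + 1))
reload_conf ns2 named54.conf.in 10.53.0.2
echo_i "test $n: zones over options, zones disallow - query refused"
ret=0
query_ns2 "dig.out.ns2.$n" REFUSED a.normal.example
finish_test

# Test 55 - zones over views, zones allow, query allowed
n=$((n + 1))
reload_conf ns2 named55.conf.in 10.53.0.2
echo_i "test $n: zones over views, zones allow - query allowed"
ret=0
query_ns2 "dig.out.ns2.$n" NOERROR a.normal.example
finish_test

# Test 56 - zones over views, zones disallow, query refused
n=$((n + 1))
reload_conf ns2 named56.conf.in 10.53.0.2
echo_i "test $n: zones over views, zones disallow - query refused"
ret=0
query_ns2 "dig.out.ns2.$n" REFUSED a.normal.example
finish_test

# Test 57 - zones over views, zones disallow, query refused (allow-query-on)
n=$((n + 1))
reload_conf ns2 named57.conf.in 10.53.0.2
echo_i "test $n: zones over views, allow-query-on"
ret=0
# Two probes share one test number, so each keeps its own output file.
query_ns2 "dig.out.ns2.1.$n" NOERROR a.normal.example
query_ns2 "dig.out.ns2.2.$n" REFUSED a.aclnotallow.example
finish_test

# The remaining tests probe ns3; a dig that gets no reply at all is a
# failure here too, so its exit status is folded into $ret like above.

# Test 58 - allow-recursion default
n=$((n + 1))
echo_i "test $n: default allow-recursion configuration"
ret=0
$DIG -p "${PORT}" @10.53.0.3 -b 127.0.0.1 a.normal.example a > "dig.out.ns3.1.$n" || ret=1
grep 'status: NOERROR' "dig.out.ns3.1.$n" > /dev/null || ret=1
$DIG -p "${PORT}" @10.53.0.3 -b 10.53.0.1 a.normal.example a > "dig.out.ns3.2.$n" || ret=1
grep 'status: REFUSED' "dig.out.ns3.2.$n" > /dev/null || ret=1
finish_test

# Test 59 - allow-query-cache default
n=$((n + 1))
echo_i "test $n: default allow-query-cache configuration"
ret=0
$DIG -p "${PORT}" @10.53.0.3 -b 127.0.0.1 ns . > "dig.out.ns3.1.$n" || ret=1
grep 'status: NOERROR' "dig.out.ns3.1.$n" > /dev/null || ret=1
$DIG -p "${PORT}" @10.53.0.3 -b 10.53.0.1 ns . > "dig.out.ns3.2.$n" || ret=1
grep 'status: REFUSED' "dig.out.ns3.2.$n" > /dev/null || ret=1
finish_test

# Test 60 - block recursion-on, allow query-cache-on
n=$((n + 1))
reload_conf ns3 named2.conf.in 10.53.0.3
echo_i "test $n: block recursion-on, allow query-cache-on"
ret=0
# this should query the cache, and an answer should already be there
$DIG -p "${PORT}" @10.53.0.3 a.normal.example a > "dig.out.ns3.1.$n" || ret=1
grep 'recursion requested but not available' "dig.out.ns3.1.$n" > /dev/null || ret=1
grep 'ANSWER: 1' "dig.out.ns3.1.$n" > /dev/null || ret=1
# this should require recursion and therefore can't get an answer
$DIG -p "${PORT}" @10.53.0.3 b.normal.example a > "dig.out.ns3.2.$n" || ret=1
grep 'recursion requested but not available' "dig.out.ns3.2.$n" > /dev/null || ret=1
grep 'ANSWER: 0' "dig.out.ns3.2.$n" > /dev/null || ret=1
finish_test

# Test 61 - inheritance of allow-query-cache-on from allow-recursion-on
n=$((n + 1))
reload_conf ns3 named3.conf.in 10.53.0.3
echo_i "test $n: inheritance of allow-query-cache-on"
ret=0
# this should query the cache, an answer should already be there
$DIG -p "${PORT}" @10.53.0.3 a.normal.example a > "dig.out.ns3.1.$n" || ret=1
grep 'ANSWER: 1' "dig.out.ns3.1.$n" > /dev/null || ret=1
# this should be refused due to allow-recursion-on/allow-query-cache-on
$DIG -p "${PORT}" @10.53.1.2 a.normal.example a > "dig.out.ns3.2.$n" || ret=1
grep 'recursion requested but not available' "dig.out.ns3.2.$n" > /dev/null || ret=1
grep 'status: REFUSED' "dig.out.ns3.2.$n" > /dev/null || ret=1
# this should require recursion and should be allowed
$DIG -p "${PORT}" @10.53.0.3 c.normal.example a > "dig.out.ns3.3.$n" || ret=1
grep 'ANSWER: 1' "dig.out.ns3.3.$n" > /dev/null || ret=1
# this should require recursion and be refused
$DIG -p "${PORT}" @10.53.1.2 d.normal.example a > "dig.out.ns3.4.$n" || ret=1
grep 'recursion requested but not available' "dig.out.ns3.4.$n" > /dev/null || ret=1
grep 'status: REFUSED' "dig.out.ns3.4.$n" > /dev/null || ret=1
finish_test

# Test 62 - inheritance of allow-recursion-on from allow-query-cache-on
n=$((n + 1))
reload_conf ns3 named4.conf.in 10.53.0.3
echo_i "test $n: inheritance of allow-recursion-on"
ret=0
# this should query the cache, an answer should already be there
$DIG -p "${PORT}" @10.53.0.3 a.normal.example a > "dig.out.ns3.1.$n" || ret=1
grep 'ANSWER: 1' "dig.out.ns3.1.$n" > /dev/null || ret=1
# this should be refused due to allow-recursion-on/allow-query-cache-on
$DIG -p "${PORT}" @10.53.1.2 a.normal.example a > "dig.out.ns3.2.$n" || ret=1
grep 'recursion requested but not available' "dig.out.ns3.2.$n" > /dev/null || ret=1
grep 'status: REFUSED' "dig.out.ns3.2.$n" > /dev/null || ret=1
# this should require recursion and should be allowed
$DIG -p "${PORT}" @10.53.0.3 e.normal.example a > "dig.out.ns3.3.$n" || ret=1
grep 'ANSWER: 1' "dig.out.ns3.3.$n" > /dev/null || ret=1
# this should require recursion and be refused
$DIG -p "${PORT}" @10.53.1.2 f.normal.example a > "dig.out.ns3.4.$n" || ret=1
grep 'recursion requested but not available' "dig.out.ns3.4.$n" > /dev/null || ret=1
grep 'status: REFUSED' "dig.out.ns3.4.$n" > /dev/null || ret=1
finish_test

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1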
689