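#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Test of allow-query statement.
# allow-query takes an address match list and can be included in either the
# options statement or in the zone statement. This test assumes that the
# acl tests cover the details of the address match list and uses a limited
# number of address match test cases to ensure that allow-query finds the
# expected match.
# Test list:
# In options:
# default (any), any, none, [localhost, localnets],
# allowed address, not allowed address, denied address,
# allowed key, not allowed key, denied key
# allowed acl, not allowed acl, denied acl (acls pointing to addresses)
#
# Each of these tests requires changing to a new configuration
# file and using rndc to update the server
#
# In view, with nothing in options (default to any)
# default (any), any, none, [localhost, localnets],
# allowed address, not allowed address, denied address,
# allowed key, not allowed key, denied key
# allowed acl, not allowed acl, denied acl (acls pointing to addresses)
#
# In view, with options set to none, view set to any
# In view, with options set to any, view set to none
#
# In zone, with nothing in options (default to any)
# any, none, [localhost, localnets],
# allowed address, denied address,
# allowed key, not allowed key, denied key
# allowed acl, not allowed acl, denied acl (acls pointing to addresses),
#
# In zone, with options set to none, zone set to any
# In zone, with options set to any, zone set to none
# In zone, with view set to none, zone set to any
# In zone, with view set to any, zone set to none
#
# zone types of primary, secondary and stub can be tested in parallel by
# using multiple instances (ns2 as primary, ns3 as secondary, ns4 as stub)
# and querying as necessary.
#
# Every test follows the same shape: bump $n, optionally install a new
# named.conf on the server under test, send one query from the fixed source
# address 10.53.0.2 and check the rcode plus the presence/absence of the
# answer record.  The shared steps live in the helper functions below so
# that the "allowed" and "refused" checks are written exactly once.

SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"

# Shared dig options: TCP, no recursion, DNSSEC OK, print only the answer
# section, and the per-run port exported by conf.sh.
DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnssec -p ${PORT}"

# TSIG keys used by the "key allowed"/"key disallowed" cases.  These are test
# fixtures; they must match the key statements in the ns2 named*.conf.in
# files (key "two" is presumably the one NOT granted by the ACL - confirm
# against named11.conf.in / named31.conf.in).
KEY_ONE="one:1234abcd8765"
KEY_TWO="two:1234efgh8765"

status=0   # count of failed tests; drives the exit status at the end
n=0        # current test number, also embedded in the dig output file names

nextpart ns2/named.run > /dev/null

#######################################
# Install a configuration fixture as named.conf on one server and reload it.
# Arguments: $1 - server directory (ns2, ns3)
#            $2 - server address handed to rndc_reload
#            $3 - fixture basename, e.g. named02 (-> $1/named02.conf.in)
#######################################
reload_conf() {
  copy_setports "$1/$3.conf.in" "$1/named.conf"
  rndc_reload "$1" "$2"
}

#######################################
# Announce the current test and reset its result flag.  The caller has
# already bumped $n (and reloaded a config if needed) before calling this,
# so the log order of reload messages and test titles is unchanged.
# Arguments: $1 - test description
# Globals:   n (read), ret (written)
#######################################
begin_test() {
  echo_i "test $n: $1"
  ret=0
}

#######################################
# Fold the current test's result into the global failure count.
# Globals:   ret (read), status (written)
#######################################
end_test() {
  if [ "$ret" != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
}

#######################################
# Query ns2 (type A) from the allowed source address and require a NOERROR
# response that carries the requested record.
# Arguments: $1 - file to capture the dig output in
#            $2 - qname
#            $3... - extra dig options placed before the qname (e.g. -y key)
# Globals:   DIG, DIGOPTS (read), ret (set to 1 on any mismatch)
# Note: plain variables instead of 'local' because this runs under /bin/sh.
#######################################
expect_answer() {
  _out=$1
  _qname=$2
  shift 2
  # $DIGOPTS is a whitespace-separated option list: word-splitting intended.
  # shellcheck disable=SC2086
  $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 "$@" "$_qname" a > "$_out" || ret=1
  grep 'status: NOERROR' "$_out" > /dev/null || ret=1
  # unanchored dots in the qname are the same regex the original checks used
  grep "^$_qname" "$_out" > /dev/null || ret=1
}

#######################################
# Query ns2 exactly as expect_answer does, but require REFUSED and make
# sure no answer record was served alongside the refusal.
# Arguments/Globals: as for expect_answer.
#######################################
expect_refused() {
  _out=$1
  _qname=$2
  shift 2
  # shellcheck disable=SC2086
  $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 "$@" "$_qname" a > "$_out" || ret=1
  grep 'status: REFUSED' "$_out" > /dev/null || ret=1
  # a record in a REFUSED response would mean zone data leaked past the ACL,
  # so finding one is a failure
  grep "^$_qname" "$_out" > /dev/null && ret=1
}

# Test 1 - default, query allowed
n=$((n + 1))
begin_test "default - query allowed"
expect_answer "dig.out.ns2.$n" a.normal.example
end_test

# Test 2 - explicit any, query allowed
n=$((n + 1))
reload_conf ns2 10.53.0.2 named02
begin_test "explicit any - query allowed"
expect_answer "dig.out.ns2.$n" a.normal.example
end_test

# Test 3 - none, query refused
n=$((n + 1))
reload_conf ns2 10.53.0.2 named03
begin_test "none - query refused"
expect_refused "dig.out.ns2.$n" a.normal.example
end_test

# Test 4 - address allowed, query allowed
n=$((n + 1))
reload_conf ns2 10.53.0.2 named04
begin_test "address allowed - query allowed"
expect_answer "dig.out.ns2.$n" a.normal.example
end_test

# Test 5 - address not allowed, query refused
n=$((n + 1))
reload_conf ns2 10.53.0.2 named05
begin_test "address not allowed - query refused"
expect_refused "dig.out.ns2.$n" a.normal.example
end_test

# Test 6 - address disallowed, query refused
# ("disallowed" presumably means an explicit negated entry in the match
# list rather than a mere omission - see named06.conf.in)
n=$((n + 1))
reload_conf ns2 10.53.0.2 named06
begin_test "address disallowed - query refused"
expect_refused "dig.out.ns2.$n" a.normal.example
end_test

# Test 7 - acl allowed, query allowed
n=$((n + 1))
reload_conf ns2 10.53.0.2 named07
begin_test "acl allowed - query allowed"
expect_answer "dig.out.ns2.$n" a.normal.example
end_test

# Test 8 - acl not allowed, query refused
n=$((n + 1))
reload_conf ns2 10.53.0.2 named08
begin_test "acl not allowed - query refused"
expect_refused "dig.out.ns2.$n" a.normal.example
end_test

# Test 9 - acl disallowed, query refused
n=$((n + 1))
reload_conf ns2 10.53.0.2 named09
begin_test "acl disallowed - query refused"
expect_refused "dig.out.ns2.$n" a.normal.example
end_test

# Test 10 - key allowed, query allowed
n=$((n + 1))
reload_conf ns2 10.53.0.2 named10
begin_test "key allowed - query allowed"
expect_answer "dig.out.ns2.$n" a.normal.example -y "$KEY_ONE"
end_test

# Test 11 - key not allowed, query refused
n=$((n + 1))
reload_conf ns2 10.53.0.2 named11
begin_test "key not allowed - query refused"
expect_refused "dig.out.ns2.$n" a.normal.example -y "$KEY_TWO"
end_test

# Test 12 - key disallowed, query refused
n=$((n + 1))
reload_conf ns2 10.53.0.2 named12
begin_test "key disallowed - query refused"
expect_refused "dig.out.ns2.$n" a.normal.example -y "$KEY_ONE"
end_test

# The next set of tests check if allow-query works in a view

n=20
# Test 21 - views default, query allowed
n=$((n + 1))
reload_conf ns2 10.53.0.2 named21
begin_test "views default - query allowed"
expect_answer "dig.out.ns2.$n" a.normal.example
end_test

# Test 22 - views explicit any, query allowed
n=$((n + 1))
reload_conf ns2 10.53.0.2 named22
begin_test "views explicit any - query allowed"
expect_answer "dig.out.ns2.$n" a.normal.example
end_test

# Test 23 - views none, query refused
n=$((n + 1))
reload_conf ns2 10.53.0.2 named23
begin_test "views none - query refused"
expect_refused "dig.out.ns2.$n" a.normal.example
end_test

# Test 24 - views address allowed, query allowed
n=$((n + 1))
reload_conf ns2 10.53.0.2 named24
begin_test "views address allowed - query allowed"
expect_answer "dig.out.ns2.$n" a.normal.example
end_test

# Test 25 - views address not allowed, query refused
n=$((n + 1))
reload_conf ns2 10.53.0.2 named25
begin_test "views address not allowed - query refused"
expect_refused "dig.out.ns2.$n" a.normal.example
end_test

# Test 26 - views address disallowed, query refused
n=$((n + 1))
reload_conf ns2 10.53.0.2 named26
begin_test "views address disallowed - query refused"
expect_refused "dig.out.ns2.$n" a.normal.example
end_test

# Test 27 - views acl allowed, query allowed
n=$((n + 1))
reload_conf ns2 10.53.0.2 named27
begin_test "views acl allowed - query allowed"
expect_answer "dig.out.ns2.$n" a.normal.example
end_test

# Test 28 - views acl not allowed, query refused
n=$((n + 1))
reload_conf ns2 10.53.0.2 named28
begin_test "views acl not allowed - query refused"
expect_refused "dig.out.ns2.$n" a.normal.example
end_test

# Test 29 - views acl disallowed, query refused
n=$((n + 1))
reload_conf ns2 10.53.0.2 named29
begin_test "views acl disallowed - query refused"
expect_refused "dig.out.ns2.$n" a.normal.example
end_test

# Test 30 - views key allowed, query allowed
n=$((n + 1))
reload_conf ns2 10.53.0.2 named30
begin_test "views key allowed - query allowed"
expect_answer "dig.out.ns2.$n" a.normal.example -y "$KEY_ONE"
end_test

# Test 31 - views key not allowed, query refused
n=$((n + 1))
reload_conf ns2 10.53.0.2 named31
begin_test "views key not allowed - query refused"
expect_refused "dig.out.ns2.$n" a.normal.example -y "$KEY_TWO"
end_test

# Test 32 - views key disallowed, query refused
n=$((n + 1))
reload_conf ns2 10.53.0.2 named32
begin_test "views key disallowed - query refused"
expect_refused "dig.out.ns2.$n" a.normal.example -y "$KEY_ONE"
end_test

# Test 33 - views over options, views allow, query allowed
n=$((n + 1))
reload_conf ns2 10.53.0.2 named33
begin_test "views over options, views allow - query allowed"
expect_answer "dig.out.ns2.$n" a.normal.example
end_test

# Test 34 - views over options, views disallow, query refused
n=$((n + 1))
reload_conf ns2 10.53.0.2 named34
begin_test "views over options, views disallow - query refused"
expect_refused "dig.out.ns2.$n" a.normal.example
end_test

# Tests for allow-query in the zone statements
# A single configuration (named40) defines one zone per case, so tests
# 42-52 query different zones instead of reloading the server.

n=40

# Test 41 - zone default, query allowed
n=$((n + 1))
reload_conf ns2 10.53.0.2 named40
begin_test "zone default - query allowed"
expect_answer "dig.out.ns2.$n" a.normal.example
end_test

# Test 42 - zone explicit any, query allowed
n=$((n + 1))
begin_test "zone explicit any - query allowed"
expect_answer "dig.out.ns2.$n" a.any.example
end_test

# Test 43 - zone none, query refused
n=$((n + 1))
begin_test "zone none - query refused"
expect_refused "dig.out.ns2.$n" a.none.example
end_test

# Test 44 - zone address allowed, query allowed
n=$((n + 1))
begin_test "zone address allowed - query allowed"
expect_answer "dig.out.ns2.$n" a.addrallow.example
end_test

# Test 45 - zone address not allowed, query refused
n=$((n + 1))
begin_test "zone address not allowed - query refused"
expect_refused "dig.out.ns2.$n" a.addrnotallow.example
end_test

# Test 46 - zone address disallowed, query refused
n=$((n + 1))
begin_test "zone address disallowed - query refused"
expect_refused "dig.out.ns2.$n" a.addrdisallow.example
end_test

# Test 47 - zone acl allowed, query allowed
n=$((n + 1))
begin_test "zone acl allowed - query allowed"
expect_answer "dig.out.ns2.$n" a.aclallow.example
end_test

# Test 48 - zone acl not allowed, query refused
n=$((n + 1))
begin_test "zone acl not allowed - query refused"
expect_refused "dig.out.ns2.$n" a.aclnotallow.example
end_test

# Test 49 - zone acl disallowed, query refused
n=$((n + 1))
begin_test "zone acl disallowed - query refused"
expect_refused "dig.out.ns2.$n" a.acldisallow.example
end_test

# Test 50 - zone key allowed, query allowed
n=$((n + 1))
begin_test "zone key allowed - query allowed"
expect_answer "dig.out.ns2.$n" a.keyallow.example -y "$KEY_ONE"
end_test

# Test 51 - zone key not allowed, query refused
n=$((n + 1))
begin_test "zone key not allowed - query refused"
expect_refused "dig.out.ns2.$n" a.keyallow.example -y "$KEY_TWO"
end_test

# Test 52 - zone key disallowed, query refused
n=$((n + 1))
begin_test "zone key disallowed - query refused"
expect_refused "dig.out.ns2.$n" a.keydisallow.example -y "$KEY_ONE"
end_test

# Test 53 - zones over options, zones allow, query allowed
# (log titles for 53-56 previously said "views"; they describe zone tests)
n=$((n + 1))
reload_conf ns2 10.53.0.2 named53
begin_test "zones over options, zones allow - query allowed"
expect_answer "dig.out.ns2.$n" a.normal.example
end_test

# Test 54 - zones over options, zones disallow, query refused
n=$((n + 1))
reload_conf ns2 10.53.0.2 named54
begin_test "zones over options, zones disallow - query refused"
expect_refused "dig.out.ns2.$n" a.normal.example
end_test

# Test 55 - zones over views, zones allow, query allowed
n=$((n + 1))
reload_conf ns2 10.53.0.2 named55
begin_test "zones over views, zones allow - query allowed"
expect_answer "dig.out.ns2.$n" a.normal.example
end_test

# Test 56 - zones over views, zones disallow, query refused
n=$((n + 1))
reload_conf ns2 10.53.0.2 named56
begin_test "zones over views, zones disallow - query refused"
expect_refused "dig.out.ns2.$n" a.normal.example
end_test

# Test 57 - zones over views, zones disallow, query refused (allow-query-on)
# Two queries against one config: one zone must answer, the other refuse.
n=$((n + 1))
reload_conf ns2 10.53.0.2 named57
begin_test "zones over views, allow-query-on"
expect_answer "dig.out.ns2.1.$n" a.normal.example
expect_refused "dig.out.ns2.2.$n" a.aclnotallow.example
end_test

# The remaining tests use ns3, a recursive server, and plain dig (recursion
# desired, default options) so that allow-recursion / allow-query-cache and
# their -on variants are exercised.  A failed dig now also marks the test
# failed, matching the ns2 checks above.

# Test 58 - allow-recursion default
n=$((n + 1))
begin_test "default allow-recursion configuration"
# from localhost recursion is allowed by default ...
$DIG -p "${PORT}" @10.53.0.3 -b 127.0.0.1 a.normal.example a > "dig.out.ns3.1.$n" || ret=1
grep 'status: NOERROR' "dig.out.ns3.1.$n" > /dev/null || ret=1
# ... but not from an arbitrary address on the test network
$DIG -p "${PORT}" @10.53.0.3 -b 10.53.0.1 a.normal.example a > "dig.out.ns3.2.$n" || ret=1
grep 'status: REFUSED' "dig.out.ns3.2.$n" > /dev/null || ret=1
end_test

# Test 59 - allow-query-cache default
n=$((n + 1))
begin_test "default allow-query-cache configuration"
$DIG -p "${PORT}" @10.53.0.3 -b 127.0.0.1 ns . > "dig.out.ns3.1.$n" || ret=1
grep 'status: NOERROR' "dig.out.ns3.1.$n" > /dev/null || ret=1
$DIG -p "${PORT}" @10.53.0.3 -b 10.53.0.1 ns . > "dig.out.ns3.2.$n" || ret=1
grep 'status: REFUSED' "dig.out.ns3.2.$n" > /dev/null || ret=1
end_test

# Test 60 - block recursion-on, allow query-cache-on
n=$((n + 1))
reload_conf ns3 10.53.0.3 named2
begin_test "block recursion-on, allow query-cache-on"
# this should query the cache, and an answer should already be there
$DIG -p "${PORT}" @10.53.0.3 a.normal.example a > "dig.out.ns3.1.$n" || ret=1
grep 'recursion requested but not available' "dig.out.ns3.1.$n" > /dev/null || ret=1
grep 'ANSWER: 1' "dig.out.ns3.1.$n" > /dev/null || ret=1
# this should require recursion and therefore can't get an answer
$DIG -p "${PORT}" @10.53.0.3 b.normal.example a > "dig.out.ns3.2.$n" || ret=1
grep 'recursion requested but not available' "dig.out.ns3.2.$n" > /dev/null || ret=1
grep 'ANSWER: 0' "dig.out.ns3.2.$n" > /dev/null || ret=1
end_test

# Test 61 - inheritance of allow-query-cache-on from allow-recursion-on
n=$((n + 1))
reload_conf ns3 10.53.0.3 named3
begin_test "inheritance of allow-query-cache-on"
# this should query the cache, an answer should already be there
$DIG -p "${PORT}" @10.53.0.3 a.normal.example a > "dig.out.ns3.1.$n" || ret=1
grep 'ANSWER: 1' "dig.out.ns3.1.$n" > /dev/null || ret=1
# this should be refused due to allow-recursion-on/allow-query-cache-on
$DIG -p "${PORT}" @10.53.1.2 a.normal.example a > "dig.out.ns3.2.$n" || ret=1
grep 'recursion requested but not available' "dig.out.ns3.2.$n" > /dev/null || ret=1
grep 'status: REFUSED' "dig.out.ns3.2.$n" > /dev/null || ret=1
# this should require recursion and should be allowed
$DIG -p "${PORT}" @10.53.0.3 c.normal.example a > "dig.out.ns3.3.$n" || ret=1
grep 'ANSWER: 1' "dig.out.ns3.3.$n" > /dev/null || ret=1
# this should require recursion and be refused
$DIG -p "${PORT}" @10.53.1.2 d.normal.example a > "dig.out.ns3.4.$n" || ret=1
grep 'recursion requested but not available' "dig.out.ns3.4.$n" > /dev/null || ret=1
grep 'status: REFUSED' "dig.out.ns3.4.$n" > /dev/null || ret=1
end_test

# Test 62 - inheritance of allow-recursion-on from allow-query-cache-on
n=$((n + 1))
reload_conf ns3 10.53.0.3 named4
begin_test "inheritance of allow-recursion-on"
# this should query the cache, an answer should already be there
$DIG -p "${PORT}" @10.53.0.3 a.normal.example a > "dig.out.ns3.1.$n" || ret=1
grep 'ANSWER: 1' "dig.out.ns3.1.$n" > /dev/null || ret=1
# this should be refused due to allow-recursion-on/allow-query-cache-on
$DIG -p "${PORT}" @10.53.1.2 a.normal.example a > "dig.out.ns3.2.$n" || ret=1
grep 'recursion requested but not available' "dig.out.ns3.2.$n" > /dev/null || ret=1
grep 'status: REFUSED' "dig.out.ns3.2.$n" > /dev/null || ret=1
# this should require recursion and should be allowed
$DIG -p "${PORT}" @10.53.0.3 e.normal.example a > "dig.out.ns3.3.$n" || ret=1
grep 'ANSWER: 1' "dig.out.ns3.3.$n" > /dev/null || ret=1
# this should require recursion and be refused
$DIG -p "${PORT}" @10.53.1.2 f.normal.example a > "dig.out.ns3.4.$n" || ret=1
grep 'recursion requested but not available' "dig.out.ns3.4.$n" > /dev/null || ret=1
grep 'status: REFUSED' "dig.out.ns3.4.$n" > /dev/null || ret=1
end_test

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1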