ckdnsrps.sh revision 1.1.1.4
1#!/bin/sh 2 3# Copyright (C) Internet Systems Consortium, Inc. ("ISC") 4# 5# SPDX-License-Identifier: MPL-2.0 6# 7# This Source Code Form is subject to the terms of the Mozilla Public 8# License, v. 2.0. If a copy of the MPL was not distributed with this 9# file, you can obtain one at https://mozilla.org/MPL/2.0/. 10# 11# See the COPYRIGHT file distributed with this work for additional 12# information regarding copyright ownership. 13 14set -e 15 16# Say on stdout whether to test DNSRPS 17# and create dnsrps.conf and dnsrps-secondary.conf 18# Note that dnsrps.conf and dnsrps-secondary.conf are included in named.conf 19# and differ from dnsrpz.conf which is used by dnsrpzd. 20 21. ../conf.sh 22 23DNSRPS_CMD=../rpz/dnsrps 24 25AS_NS= 26TEST_DNSRPS= 27MCONF=dnsrps.conf 28SCONF=dnsrps-secondary.conf 29USAGE="$0: [-xAD] [-M dnsrps.conf] [-S dnsrps-secondary.conf]" 30while getopts "xADM:S:" c; do 31 case $c in 32 x) 33 set -x 34 DEBUG=-x 35 ;; 36 A) AS_NS=yes ;; 37 D) TEST_DNSRPS=yes ;; 38 M) MCONF="$OPTARG" ;; 39 S) SCONF="$OPTARG" ;; 40 *) 41 echo "$USAGE" 1>&2 42 exit 1 43 ;; 44 esac 45done 46shift $(expr $OPTIND - 1 || true) 47if [ "$#" -ne 0 ]; then 48 echo "$USAGE" 1>&2 49 exit 1 50fi 51 52# erase any existing conf files 53cat /dev/null >$MCONF 54cat /dev/null >$SCONF 55 56add_conf() { 57 echo "$*" >>$MCONF 58 echo "$*" >>$SCONF 59} 60 61if ! $FEATURETEST --enable-dnsrps; then 62 if [ -n "$TEST_DNSRPS" ]; then 63 add_conf "## DNSRPS disabled at compile time" 64 fi 65 add_conf "#skip" 66 exit 0 67fi 68 69if [ -z "$TEST_DNSRPS" ]; then 70 add_conf "## testing with native RPZ" 71 add_conf '#skip' 72 exit 0 73else 74 add_conf "## testing with DNSRPS" 75fi 76 77if [ ! -x "$DNSRPS_CMD" ]; then 78 add_conf "## make $DNSRPS_CMD to test DNSRPS" 79 add_conf '#skip' 80 exit 0 81fi 82 83if $DNSRPS_CMD -a >/dev/null; then 84 : 85else 86 add_conf "## DNSRPS provider library is not available" 87 add_conf '#skip' 88 exit 0 89fi 90 91CMN=" dnsrps-options { dnsrpzd-conf ../dnsrpzd.conf 92 dnsrpzd-sock ../dnsrpzd.sock 93 dnsrpzd-rpzf ../dnsrpzd.rpzf 94 dnsrpzd-args '-dddd -L stdout' 95 log-level 3" 96 97PRIMARY="$CMN" 98if [ -n "$AS_NS" ]; then 99 PRIMARY="$PRIMARY 100 qname-as-ns yes 101 ip-as-ns yes" 102fi 103 104# write dnsrps settings for primary resolver 105cat <<EOF >>$MCONF 106$PRIMARY }; 107EOF 108 109# write dnsrps settings for resolvers that should not start dnsrpzd 110cat <<EOF >>$SCONF 111$CMN 112 dnsrpzd '' }; # do not start dnsrpzd 113EOF 114 115# DNSRPS is available. 116# The test should fail if the license is bad. 117add_conf "dnsrps-enable yes;" 118 119# Use alt-dnsrpzd-license.conf if it exists 120CUR_L=dnsrpzd-license-cur.conf 121ALT_L=alt-dnsrpzd-license.conf 122# try ../rpz/alt-dnsrpzd-license.conf if alt-dnsrpzd-license.conf does not exist 123[ -s $ALT_L ] || ALT_L=../rpz/alt-dnsrpzd-license.conf 124if [ -s $ALT_L ]; then 125 SRC_L=$ALT_L 126 USE_ALT= 127else 128 SRC_L=../rpz/dnsrpzd-license.conf 129 USE_ALT="## consider installing alt-dnsrpzd-license.conf" 130fi 131cp $SRC_L $CUR_L 132 133# parse $CUR_L for the license zone name, primary IP addresses, and optional 134# transfer-source IP addresses 135eval $(sed -n -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/' \ 136 -e 's/.*zone *\([-a-z0-9]*.license.fastrpz.com\).*/NAME=\1/p' \ 137 -e 's/.*farsight_fastrpz_license *\([0-9.]*\);.*/IPV4=\1/p' \ 138 -e 's/.*farsight_fastrpz_license *\([0-9a-f:]*\);.*/IPV6=\1/p' \ 139 -e 's/.*transfer-source *\([0-9.]*\);.*/TS4=-b\1/p' \ 140 -e 's/.*transfer-source *\([0-9a-f:]*\);.*/TS6=-b\1/p' \ 141 -e 's/.*transfer-source-v6 *\([0-9a-f:]*\);.*/TS6=-b\1/p' \ 142 $CUR_L) 143if [ -z "$NAME" ]; then 144 add_conf "## no DNSRPS tests; no license domain name in $SRC_L" 145 add_conf '#fail' 146 exit 0 147fi 148if [ -z "$IPV4" ]; then 149 IPV4=license1.fastrpz.com 150 TS4= 151fi 152if [ -z "$IPV6" ]; then 153 IPV6=license1.fastrpz.com 154 TS6= 155fi 156 157# This TSIG key is common and NOT a secret 158KEY='hmac-sha256:farsight_fastrpz_license:f405d02b4c8af54855fcebc1' 159 160# Try IPv4 and then IPv6 to deal with IPv6 tunnel and connectivity problems 161if $($DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4 \ 162 | grep -i "^$NAME.*TXT" >/dev/null); then 163 exit 0 164fi 165if $($DIG -6 -t axfr -y$KEY $TS6 $NAME @$IPV6 \ 166 | grep -i "^$NAME.*TXT" >/dev/null); then 167 exit 0 168fi 169 170add_conf "## DNSRPS lacks a valid license via $SRC_L" 171[ -z "$USE_ALT" ] || add_conf "$USE_ALT" 172add_conf '#fail' 173