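#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Test of allow-query statement.
# allow-query takes an address match list and can be included in either the
# options statement or in the zone statement. This test assumes that the
# acl tests cover the details of the address match list and uses a limited
# number of address match test cases to ensure that allow-query finds the
# expected match.
# Test list:
# In options:
#   default (any), any, none, [localhost, localnets],
#   allowed address, not allowed address, denied address,
#   allowed key, not allowed key, denied key
#   allowed acl, not allowed acl, denied acl (acls pointing to addresses)
#
#   Each of these tests requires changing to a new configuration
#   file and using rndc to update the server
#
# In view, with nothing in options (default to any)
#   default (any), any, none, [localhost, localnets],
#   allowed address, not allowed address, denied address,
#   allowed key, not allowed key, denied key
#   allowed acl, not allowed acl, denied acl (acls pointing to addresses)
#
# In view, with options set to none, view set to any
# In view, with options set to any, view set to none
#
# In zone, with nothing in options (default to any)
#   any, none, [localhost, localnets],
#   allowed address, denied address,
#   allowed key, not allowed key, denied key
#   allowed acl, not allowed acl, denied acl (acls pointing to addresses),
#
# In zone, with options set to none, zone set to any
# In zone, with options set to any, zone set to none
# In zone, with view set to none, zone set to any
# In zone, with view set to any, zone set to none
#
# zone types of primary, secondary and stub can be tested in parallel by
# using multiple instances (ns2 as primary, ns3 as secondary, ns4 as stub)
# and querying as necessary.
#
# Terminology used in the test labels: "not allowed" is the implicit-deny
# case (the client is simply absent from the match list), "disallowed" is
# the explicit-deny case (the header above calls it "denied").  The exact
# match lists live in the ns2/named*.conf files referenced below; confirm
# against those when changing a case.
#
# Every "refused" case asserts three things: RCODE REFUSED, an EDE 18
# (Prohibited) option so a client can distinguish policy from a server
# fault, and that no record for the queried owner name appears in the
# output -- a refusal must not leak zone data.  The EDE is only expected
# when the client sent EDNS; one case below checks the non-EDNS path.
#

set -e

. ../conf.sh

DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnssec -p ${PORT}"
# Same as DIGOPTS but with EDNS switched off; used to confirm that the EDE
# option is only attached when the client advertised EDNS.
DIGNOEDNS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +noedns -p ${PORT}"

status=0
n=0

# Install ns2/$1 as the active ns2 configuration and reload the server.
reload_ns2() {
  cp "ns2/$1" ns2/named.conf
  rndc_reload ns2 10.53.0.2
}

# Query ns2 for "<$2> A" from source address 10.53.0.2, saving dig's output
# in $1.  An optional $3 is a TSIG key spec passed to "dig -y"; the
# key-based allow-query cases use it to sign their queries.
query_ns2() {
  if [ -n "${3:-}" ]; then
    $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "$3" "$2" a >"$1" || ret=1
  else
    $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 "$2" a >"$1" || ret=1
  fi
}

# The response saved in $1 must be NOERROR and carry a record whose owner
# name is $2.
expect_answer() {
  grep 'status: NOERROR' "$1" >/dev/null || ret=1
  grep "^$2" "$1" >/dev/null || ret=1
}

# The response saved in $1 must be REFUSED, carry EDE 18 (Prohibited), and
# must not contain any record for owner name $2.
expect_refused() {
  grep 'status: REFUSED' "$1" >/dev/null || ret=1
  grep 'EDE: 18 (Prohibited)' "$1" >/dev/null || ret=1
  grep "^$2" "$1" >/dev/null && ret=1
  # Explicit: the (expected) failing grep above must not become the
  # function's exit status, or "set -e" would abort the caller.
  return 0
}

# Report and accumulate the outcome of the current test.
finish_test() {
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
}

nextpart ns2/named.run >/dev/null

# ---------------------------------------------------------------------
# allow-query in the options statement.  The "Test N" labels track the
# ns2/namedNN.conf file each case installs; $n runs one ahead from the
# no-EDNS case onward.
# ---------------------------------------------------------------------

# Test 1 - default, query allowed
n=$((n + 1))
echo_i "test $n: default - query allowed"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_answer dig.out.ns2.$n a.normal.example
finish_test

# Test 2 - explicit any, query allowed
n=$((n + 1))
reload_ns2 named02.conf
echo_i "test $n: explicit any - query allowed"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_answer dig.out.ns2.$n a.normal.example
finish_test

# Test 3 - none, query refused
n=$((n + 1))
reload_ns2 named03.conf
echo_i "test $n: none - query refused"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_refused dig.out.ns2.$n a.normal.example
# The refusal must also show up in the server log.
nextpart ns2/named.run | grep 'recursion not enabled for view' >/dev/null || ret=1
finish_test

# Same configuration, client without EDNS: still refused, but no EDE can
# be carried in a non-EDNS response.
n=$((n + 1))
echo_i "test $n: none - query refused (no edns)"
ret=0
$DIG $DIGNOEDNS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null && ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
finish_test

# Test 4 - address allowed, query allowed
n=$((n + 1))
reload_ns2 named04.conf
echo_i "test $n: address allowed - query allowed"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_answer dig.out.ns2.$n a.normal.example
finish_test

# Test 5 - address not allowed, query refused
n=$((n + 1))
reload_ns2 named05.conf
echo_i "test $n: address not allowed - query refused"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_refused dig.out.ns2.$n a.normal.example
finish_test

# Test 6 - address disallowed, query refused
n=$((n + 1))
reload_ns2 named06.conf
echo_i "test $n: address disallowed - query refused"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_refused dig.out.ns2.$n a.normal.example
finish_test

# Test 7 - acl allowed, query allowed
n=$((n + 1))
reload_ns2 named07.conf
echo_i "test $n: acl allowed - query allowed"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_answer dig.out.ns2.$n a.normal.example
finish_test

# Test 8 - acl not allowed, query refused
n=$((n + 1))
reload_ns2 named08.conf
echo_i "test $n: acl not allowed - query refused"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_refused dig.out.ns2.$n a.normal.example
finish_test

# Test 9 - acl disallowed, query refused
n=$((n + 1))
reload_ns2 named09.conf
echo_i "test $n: acl disallowed - query refused"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_refused dig.out.ns2.$n a.normal.example
finish_test

# Test 10 - key allowed, query allowed
n=$((n + 1))
reload_ns2 named10.conf
echo_i "test $n: key allowed - query allowed"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example "${DEFAULT_HMAC}:one:1234abcd8765"
expect_answer dig.out.ns2.$n a.normal.example
finish_test

# Test 11 - key not allowed, query refused
n=$((n + 1))
reload_ns2 named11.conf
echo_i "test $n: key not allowed - query refused"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example "${DEFAULT_HMAC}:two:1234efgh8765"
expect_refused dig.out.ns2.$n a.normal.example
finish_test

# Test 12 - key disallowed, query refused
n=$((n + 1))
reload_ns2 named12.conf
echo_i "test $n: key disallowed - query refused"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example "${DEFAULT_HMAC}:one:1234abcd8765"
expect_refused dig.out.ns2.$n a.normal.example
finish_test

# ---------------------------------------------------------------------
# The next set of tests check if allow-query works in a view
# ---------------------------------------------------------------------

n=20

# Test 21 - views default, query allowed
n=$((n + 1))
reload_ns2 named21.conf
echo_i "test $n: views default - query allowed"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_answer dig.out.ns2.$n a.normal.example
finish_test

# Test 22 - views explicit any, query allowed
n=$((n + 1))
reload_ns2 named22.conf
echo_i "test $n: views explicit any - query allowed"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_answer dig.out.ns2.$n a.normal.example
finish_test

# Test 23 - views none, query refused
n=$((n + 1))
reload_ns2 named23.conf
echo_i "test $n: views none - query refused"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_refused dig.out.ns2.$n a.normal.example
finish_test

# Test 24 - views address allowed, query allowed
n=$((n + 1))
reload_ns2 named24.conf
echo_i "test $n: views address allowed - query allowed"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_answer dig.out.ns2.$n a.normal.example
finish_test

# Test 25 - views address not allowed, query refused
n=$((n + 1))
reload_ns2 named25.conf
echo_i "test $n: views address not allowed - query refused"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_refused dig.out.ns2.$n a.normal.example
finish_test

# Test 26 - views address disallowed, query refused
n=$((n + 1))
reload_ns2 named26.conf
echo_i "test $n: views address disallowed - query refused"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_refused dig.out.ns2.$n a.normal.example
finish_test

# Test 27 - views acl allowed, query allowed
n=$((n + 1))
reload_ns2 named27.conf
echo_i "test $n: views acl allowed - query allowed"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_answer dig.out.ns2.$n a.normal.example
finish_test

# Test 28 - views acl not allowed, query refused
n=$((n + 1))
reload_ns2 named28.conf
echo_i "test $n: views acl not allowed - query refused"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_refused dig.out.ns2.$n a.normal.example
finish_test

# Test 29 - views acl disallowed, query refused
n=$((n + 1))
reload_ns2 named29.conf
echo_i "test $n: views acl disallowed - query refused"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_refused dig.out.ns2.$n a.normal.example
finish_test

# Test 30 - views key allowed, query allowed
n=$((n + 1))
reload_ns2 named30.conf
echo_i "test $n: views key allowed - query allowed"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example "${DEFAULT_HMAC}:one:1234abcd8765"
expect_answer dig.out.ns2.$n a.normal.example
finish_test

# Test 31 - views key not allowed, query refused
n=$((n + 1))
reload_ns2 named31.conf
echo_i "test $n: views key not allowed - query refused"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example "${DEFAULT_HMAC}:two:1234efgh8765"
expect_refused dig.out.ns2.$n a.normal.example
finish_test

# Test 32 - views key disallowed, query refused
n=$((n + 1))
reload_ns2 named32.conf
echo_i "test $n: views key disallowed - query refused"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example "${DEFAULT_HMAC}:one:1234abcd8765"
expect_refused dig.out.ns2.$n a.normal.example
finish_test

# Test 33 - views over options, views allow, query allowed
n=$((n + 1))
reload_ns2 named33.conf
echo_i "test $n: views over options, views allow - query allowed"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_answer dig.out.ns2.$n a.normal.example
finish_test

# Test 34 - views over options, views disallow, query refused
n=$((n + 1))
reload_ns2 named34.conf
echo_i "test $n: views over options, views disallow - query refused"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_refused dig.out.ns2.$n a.normal.example
finish_test

# ---------------------------------------------------------------------
# Tests for allow-query in the zone statements.  Tests 41-52 all run
# against named40.conf, which carries one zone per case; the zone name
# says what its allow-query is.
# ---------------------------------------------------------------------

n=40

# Test 41 - zone default, query allowed
n=$((n + 1))
reload_ns2 named40.conf
echo_i "test $n: zone default - query allowed"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_answer dig.out.ns2.$n a.normal.example
finish_test

# Test 42 - zone explicit any, query allowed
n=$((n + 1))
echo_i "test $n: zone explicit any - query allowed"
ret=0
query_ns2 dig.out.ns2.$n a.any.example
expect_answer dig.out.ns2.$n a.any.example
finish_test

# Test 43 - zone none, query refused
n=$((n + 1))
echo_i "test $n: zone none - query refused"
ret=0
query_ns2 dig.out.ns2.$n a.none.example
expect_refused dig.out.ns2.$n a.none.example
finish_test

# Test 44 - zone address allowed, query allowed
n=$((n + 1))
echo_i "test $n: zone address allowed - query allowed"
ret=0
query_ns2 dig.out.ns2.$n a.addrallow.example
expect_answer dig.out.ns2.$n a.addrallow.example
finish_test

# Test 45 - zone address not allowed, query refused
n=$((n + 1))
echo_i "test $n: zone address not allowed - query refused"
ret=0
query_ns2 dig.out.ns2.$n a.addrnotallow.example
expect_refused dig.out.ns2.$n a.addrnotallow.example
finish_test

# Test 46 - zone address disallowed, query refused
n=$((n + 1))
echo_i "test $n: zone address disallowed - query refused"
ret=0
query_ns2 dig.out.ns2.$n a.addrdisallow.example
expect_refused dig.out.ns2.$n a.addrdisallow.example
finish_test

# Test 47 - zone acl allowed, query allowed
n=$((n + 1))
echo_i "test $n: zone acl allowed - query allowed"
ret=0
query_ns2 dig.out.ns2.$n a.aclallow.example
expect_answer dig.out.ns2.$n a.aclallow.example
finish_test

# Test 48 - zone acl not allowed, query refused
n=$((n + 1))
echo_i "test $n: zone acl not allowed - query refused"
ret=0
query_ns2 dig.out.ns2.$n a.aclnotallow.example
expect_refused dig.out.ns2.$n a.aclnotallow.example
finish_test

# Test 49 - zone acl disallowed, query refused
n=$((n + 1))
echo_i "test $n: zone acl disallowed - query refused"
ret=0
query_ns2 dig.out.ns2.$n a.acldisallow.example
expect_refused dig.out.ns2.$n a.acldisallow.example
finish_test

# Test 50 - zone key allowed, query allowed
n=$((n + 1))
echo_i "test $n: zone key allowed - query allowed"
ret=0
query_ns2 dig.out.ns2.$n a.keyallow.example "${DEFAULT_HMAC}:one:1234abcd8765"
expect_answer dig.out.ns2.$n a.keyallow.example
finish_test

# Test 51 - zone key not allowed, query refused
# Same zone as test 50, signed with a key that is not in its match list.
n=$((n + 1))
echo_i "test $n: zone key not allowed - query refused"
ret=0
query_ns2 dig.out.ns2.$n a.keyallow.example "${DEFAULT_HMAC}:two:1234efgh8765"
expect_refused dig.out.ns2.$n a.keyallow.example
finish_test

# Test 52 - zone key disallowed, query refused
n=$((n + 1))
echo_i "test $n: zone key disallowed - query refused"
ret=0
query_ns2 dig.out.ns2.$n a.keydisallow.example "${DEFAULT_HMAC}:one:1234abcd8765"
expect_refused dig.out.ns2.$n a.keydisallow.example
finish_test

# Test 53 - zones over options, zones allow, query allowed
n=$((n + 1))
reload_ns2 named53.conf
echo_i "test $n: zones over options, zones allow - query allowed"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_answer dig.out.ns2.$n a.normal.example
finish_test

# Test 54 - zones over options, zones disallow, query refused
n=$((n + 1))
reload_ns2 named54.conf
echo_i "test $n: zones over options, zones disallow - query refused"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_refused dig.out.ns2.$n a.normal.example
finish_test

# Test 55 - zones over views, zones allow, query allowed
n=$((n + 1))
reload_ns2 named55.conf
echo_i "test $n: zones over views, zones allow - query allowed"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_answer dig.out.ns2.$n a.normal.example
finish_test

# Test 56 - zones over views, zones disallow, query refused
n=$((n + 1))
reload_ns2 named56.conf
echo_i "test $n: zones over views, zones disallow - query refused"
ret=0
query_ns2 dig.out.ns2.$n a.normal.example
expect_refused dig.out.ns2.$n a.normal.example
finish_test

# Test 57 - zones over views, zones disallow, query refused (allow-query-on)
n=$((n + 1))
reload_ns2 named57.conf
echo_i "test $n: zones over views, allow-query-on"
ret=0
query_ns2 dig.out.ns2.1.$n a.normal.example
expect_answer dig.out.ns2.1.$n a.normal.example
query_ns2 dig.out.ns2.2.$n a.aclnotallow.example
expect_refused dig.out.ns2.2.$n a.aclnotallow.example
finish_test

# ---------------------------------------------------------------------
# allow-recursion / allow-query-cache defaults and the -on variants, on
# ns3.  These run in order: later cases rely on answers that earlier
# cases put into ns3's cache.
# ---------------------------------------------------------------------

# Test 58 - allow-recursion default
# With no allow-recursion configured, only localhost/localnets may
# recurse: 127.0.0.1 is answered, 10.53.0.1 is refused.
n=$((n + 1))
echo_i "test $n: default allow-recursion configuration"
ret=0
nextpart ns3/named.run >/dev/null
$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 a.normal.example a >dig.out.ns3.1.$n || ret=1
grep 'status: NOERROR' dig.out.ns3.1.$n >/dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 a.normal.example a >dig.out.ns3.2.$n || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion did not match' >/dev/null || ret=1
finish_test

# Test 59 - allow-query-cache default
# allow-query-cache defaults to the allow-recursion policy, so the same
# two source addresses get the same two outcomes for a cache lookup.
n=$((n + 1))
echo_i "test $n: default allow-query-cache configuration"
ret=0
$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 ns . >dig.out.ns3.1.$n || ret=1
grep 'status: NOERROR' dig.out.ns3.1.$n >/dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 ns . >dig.out.ns3.2.$n || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion did not match' >/dev/null || ret=1
finish_test

# Test 60 - block recursion-on, allow query-cache-on
n=$((n + 1))
cp ns3/named2.conf ns3/named.conf
rndc_reload ns3 10.53.0.3

echo_i "test $n: block recursion-on, allow query-cache-on"
ret=0
# this should query the cache, and an answer should already be there
$DIG -p ${PORT} @10.53.0.3 a.normal.example a >dig.out.ns3.1.$n || ret=1
grep 'recursion requested but not available' dig.out.ns3.1.$n >/dev/null || ret=1
grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1
# this should require recursion and therefore can't get an answer
$DIG -p ${PORT} @10.53.0.3 b.normal.example a >dig.out.ns3.2.$n || ret=1
grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'ANSWER: 0' dig.out.ns3.2.$n >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion-on did not match' >/dev/null || ret=1
finish_test

# Test 61 - inheritance of allow-query-cache-on from allow-recursion-on
n=$((n + 1))
cp ns3/named3.conf ns3/named.conf
rndc_reload ns3 10.53.0.3

echo_i "test $n: inheritance of allow-query-cache-on"
ret=0
# this should query the cache, an answer should already be there
$DIG -p ${PORT} @10.53.0.3 a.normal.example a >dig.out.ns3.1.$n || ret=1
grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1
# this should be refused due to allow-recursion-on/allow-query-cache-on
$DIG -p ${PORT} @10.53.1.2 a.normal.example a >dig.out.ns3.2.$n || ret=1
grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1
# this should require recursion and should be allowed
$DIG -p ${PORT} @10.53.0.3 c.normal.example a >dig.out.ns3.3.$n || ret=1
grep 'ANSWER: 1' dig.out.ns3.3.$n >/dev/null || ret=1
# this should require recursion and be refused
$DIG -p ${PORT} @10.53.1.2 d.normal.example a >dig.out.ns3.4.$n || ret=1
grep 'recursion requested but not available' dig.out.ns3.4.$n >/dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.4.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion-on did not match' >/dev/null || ret=1
finish_test

# Test 62 - inheritance of allow-recursion-on from allow-query-cache-on
n=$((n + 1))
cp ns3/named4.conf ns3/named.conf
rndc_reload ns3 10.53.0.3

echo_i "test $n: inheritance of allow-recursion-on"
ret=0
# this should query the cache, an answer should already be there
$DIG -p ${PORT} @10.53.0.3 a.normal.example a >dig.out.ns3.1.$n || ret=1
grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1
# this should be refused due to allow-recursion-on/allow-query-cache-on
$DIG -p ${PORT} @10.53.1.2 a.normal.example a >dig.out.ns3.2.$n || ret=1
grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1
# this should require recursion and should be allowed
$DIG -p ${PORT} @10.53.0.3 e.normal.example a >dig.out.ns3.3.$n || ret=1
grep 'ANSWER: 1' dig.out.ns3.3.$n >/dev/null || ret=1
# this should require recursion and be refused
$DIG -p ${PORT} @10.53.1.2 f.normal.example a >dig.out.ns3.4.$n || ret=1
grep 'recursion requested but not available' dig.out.ns3.4.$n >/dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.4.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion-on did not match' >/dev/null || ret=1
finish_test

echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1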