ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

Squashed commit of the following:

Browse Source 
commit aea73609ac5d41ed091360e94370798965f28f05
commit eef7f44c57a060b24a426eb8888e16176a0a69b1
commit a88a26d864ad399fa2d40e3b9659b4d26f454ca1
commit 1b90d59568e7e3b65690c6bd075cf4d60b03e454
Merge: 74d8f73 cd02924
commit 74d8f73ed553bb64a305e284905762f7ff0029aa
commit 9a59ef6bbd4befe91e5691e8b85afe1cb7ab0706
commit c63606a53b4f1bb7066b37d3cfe588e9dc21a119
commit 2c392a840c8838455d144ce163bd873bee400c97
commit 0241f53563e6e7bed462a883d98a8931f01e0980
commit 79fe22b5d6f04bdaa3073cf54d41952194e879e1
commit 351b3049625f2edd39729dd85413e961b97d4b3b
commit 7207674fc77c9a10d84c0cb94e36d1c09bb31459
commit 543ad34cf08f901c20b438c9d2f45482cff13d5e
commit fc45b99ce4438627fdcbeb4365695ba0065fa46f
commit c425207f57e0a5157372aa7edbb79b13170563e5
commit ef8c5e23ca284e0ea02f69ce1f356d537c19d93b
commit ba0d4e3aa51efe412cfa1d031651f949442d1802
commit 41c7969c7cb6884b93011f7ace3fd9522efc021e
  and more from CVS

for rt26172

Add
  - optional "recursive-only yes|no" to the response-policy statement
  - optional max-policy-ttl to limit the lies that "recursive-only no"
      can introduce into resolvers' caches
  - test that queries with RD=0 are not rewritten by default
  - performance smoke test

Change encoding of PASSTHRU action to "rpz-passthru".
      (The old encoding is still accepted.)
Fix rt26180  assert botch in zone_findrdataset() in this branch
     as well.

Fix missing signatures on NOERROR results despite RPZ hits
    when there are signatures and the client asks for DNSSEC,
This commit is contained in:
Vernon Schryver
2012-05-31 02:03:34 +00:00
parent 6fcf87505d
commit afaa290bb6
31 changed files with 1089 additions and 417 deletions
Download Patch File Download Diff File Expand all files Collapse all files

270
bin/tests/system/rpz/tests.sh
View File

@@ -19,12 +19,12 @@
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
ns1=10.53.0.1 # root, defining the other two
ns2=10.53.0.2 # server whose answers are rewritten
ns3=10.53.0.3 # resolve that does the rewriting
ns4=10.53.0.4 # another server that is rewritten
RNDCCMD="$RNDC -c ../common/rndc.conf -s $ns3 -p 9953"
ns=10.53.0
ns1=$ns.1 # root, defining the others
ns2=$ns.2 # server whose answers are rewritten
ns3=$ns.3 # resolve that does the rewriting
ns4=$ns.4 # another server that is rewritten
ns5=$ns.5 # check performance with this server
HAVE_CORE=
@@ -44,9 +44,18 @@ fi
trap 'exit 1' 1 2 15
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s"
digcmd () {
#echo I:dig +noadd +noauth +nosearch +time=1 +tries=1 -p 5300 $* 1>&2
$DIG +noadd +noauth +nosearch +time=1 +tries=1 -p 5300 $*
digcmd_args="+noadd +nosearch +time=1 +tries=1 -p 5300 $*"
if ! expr "$digcmd_args" : '.*@' >/dev/null; then
digcmd_args="$digcmd_args @$ns3"
fi
if ! expr "$digcmd_args" : '.*+[no]*auth' >/dev/null; then
digcmd_args="+noauth $digcmd_args"
fi
#echo I:dig $digcmd_args 1>&2
$DIG $digcmd_args
}
# set DIGNM=file name for dig output
@@ -77,20 +86,41 @@ load_db () {
}
restart () {
$RNDCCMD stop >/dev/null 2>&1
rm -f ns3/*.jnl
for NM in ns3/bl*.db; do
cp -f ns3/base.db $NM
done
(cd ..; $PERL start.pl --noclean --restart rpz ns3)
# try to ensure that the server really has stopped
# and won't mess with ns$1/name.pid
if test -z "$HAVE_CORE" -a -f ns$1/named.pid; then
$RNDCCMD $ns$1 halt >/dev/null 2>&1
if test -f ns$1/named.pid; then
sleep 1
PID=`cat ns$1/named.pid 2>/dev/null`
if test -n "$PID"; then
echo "I:killing ns$1 server $PID"
kill -9 $PID
fi
fi
fi
rm -f ns$1/*.jnl
if test -f ns$1/base.db; then
for NM in ns$1/bl*.db; do
cp -f ns$1/base.db $NM
done
fi
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns$1
load_db
}
# $1=server and irrelevant args $2=error message
ckalive () {
$RNDCCMD status >/dev/null 2>&1 && return 0
CKALIVE_NS=`expr "$1" : '.*@ns\([1-9]\).*'`
if test -z "$CKALIVE_NS"; then
CKALIVE_NS=3
fi
eval CKALIVE_IP=\$ns$CKALIVE_NS
$RNDCCMD $CKALIVE_IP status >/dev/null 2>&1 && return 0
HAVE_CORE=yes
setret "$1"
restart
setret "$2"
# restart the server to avoid stalling waiting for it to stop
restart $CKALIVE_NS
return 1
}
@@ -113,15 +143,29 @@ end_group () {
sed -e 's/[ ]add[ ]/ delete /' $TEST_FILE | $NSUPDATE
TEST_FILE=
fi
ckalive $ns3 "I:failed; ns3 server crashed and restarted"
if test "$status" -eq 0; then
# look for complaints from rpz.c
EMSGS=`grep -l 'invalid rpz' */*.run`
if test -n "$EMSGS"; then
setret "I:'invalid rpz' complaints in $EMSGS starting with:"
grep 'invalid rpz' */*.run | sed -e '4,$d' -e 's/^/I: /'
fi
# look for complaints from rpz.c and query.c
EMSGS=`grep -l 'rpz .*failed' */*.run`
if test -n "$EMSGS"; then
setret "I:'rpz failed' complaints in $EMSGS starting with:"
grep 'rpz .*failed' */*.run | sed -e '4,$d' -e 's/^/I: /'
fi
fi
status=`expr $status + $ret`
ckalive "I:failed; server crashed"
GROUP_NM=
}
# $1=dig args $2=other dig output file
ckresult () {
#ckalive "I:server crashed by 'dig $1'" || return 1
if $PERL ../digcomp.pl $DIGNM $2 >/dev/null; then
#ckalive "$1" "I:server crashed by 'dig $1'" || return 1
if $PERL $SYSTEMTESTTOP/digcomp.pl $DIGNM $2 >/dev/null; then
rm -f ${DIGNM}*
return 0
fi
@@ -132,8 +176,8 @@ ckresult () {
# check only that the server does not crash
# $1=target domain $2=optional query type
nocrash () {
digcmd $* @$ns3 >/dev/null
ckalive "I:server crashed by 'dig $*'"
digcmd $* >/dev/null
ckalive "$*" "I:server crashed by 'dig $*'"
}
@@ -141,8 +185,10 @@ nocrash () {
# $1=target domain $2=optional query type
nxdomain () {
make_dignm
digcmd +noauth $* @$ns3 \
| sed -e 's/^[a-z].* IN CNAME /;xxx &/' >$DIGNM
digcmd $* \
| sed -e 's/^[a-z].* IN CNAME /;xxx &/' \
-e 's/^[a-z].* IN RRSIG /;xxx &/' \
>$DIGNM
ckresult "$*" proto.nxdomain
}
@@ -150,33 +196,37 @@ nxdomain () {
# $1=target domain $2=optional query type
nodata () {
make_dignm
digcmd +noauth $* @$ns3 \
digcmd $* \
| sed -e 's/^[a-z].* IN CNAME /;xxx &/' >$DIGNM
ckresult "$*" proto.nodata
}
# check rewrite to an address
# modify the output so that it is easily compared, but save the original line
# $1=IPv4 address, $2=target domain $3=optional query type
# $1=IPv4 address $2=digcmd args $3=optional TTL
addr () {
ADDR=$1
shift
ADDR_ESC=`echo "$ADDR" | sed -e 's/\./\\\\./g'`
make_dignm
digcmd +noauth $* @$ns3 >$DIGNM
#ckalive "I:server crashed by 'dig $*'" || return
if grep -i '^[a-z].* A '"$ADDR_ESC"'$' $DIGNM >/dev/null; then
rm -f ${DIGNM}*
return 0
digcmd $2 >$DIGNM
#ckalive "$2" "I:server crashed by 'dig $2'" || return 1
ADDR_ESC=`echo "$ADDR" | sed -e 's/\./\\\\./g'`
ADDR_TTL=`sed -n -e "s/^[-.a-z0-9]\{1,\} *\([0-9]*\) IN A\{1,4\} ${ADDR_ESC}\$/\1/p" $DIGNM`
if test -z "$ADDR_TTL"; then
setret "I:'dig $2' wrong; no address $ADDR record in $DIGNM"
return 1
fi
setret "I:'dig $*' wrong; no A $ADDR record in $DIGNM $2"
if test -n "$3" && test "$ADDR_TTL" -ne "$3"; then
setret "I:'dig $2' wrong; TTL=$ADDR_TTL instead of $3 in $DIGNM"
return 1
fi
rm -f ${DIGNM}*
}
# check that a response is not rewritten
# $1=target domain $2=optional query type
nochange () {
make_dignm
digcmd $* @$ns3 >$DIGNM
digcmd $* >$DIGNM
digcmd $* @$ns2 >${DIGNM}_OK
ckresult "$*" ${DIGNM}_OK && rm -f ${DIGNM}_OK
}
@@ -185,23 +235,23 @@ nochange () {
here () {
make_dignm
sed -e 's/^[ ]*//' >${DIGNM}_OK
digcmd $* @$ns3 >$DIGNM
digcmd $* >$DIGNM
ckresult "$*" ${DIGNM}_OK
}
# make prototype files to check against rewritten results
digcmd +noauth nonexistent @$ns2 >proto.nxdomain
digcmd +noauth txt-only.tld2 @$ns2 >proto.nodata
digcmd nonexistent @$ns2 >proto.nxdomain
digcmd txt-only.tld2 @$ns2 >proto.nodata
status=0
start_group "QNAME rewrites" test1
nochange .
nxdomain a0-1.tld2
nodata a3-1.tld2
nodata a3-2.tld2
nodata sub.a3-2.tld2 # 5 no crash on DNAME
nochange . # 1 do not crash or rewrite root
nxdomain a0-1.tld2 # 2
nodata a3-1.tld2 # 3
nodata a3-2.tld2 # 4 no crash on DNAME
nodata sub.a3-2.tld2
nxdomain a4-2.tld2 # 6 rewrite based on CNAME target
nxdomain a4-2-cname.tld2 # 7
nodata a4-3-cname.tld2 # 8
@@ -209,32 +259,43 @@ addr 12.12.12.12 a4-1.sub1.tld2 # 9 A replacement
addr 12.12.12.12 a4-1.sub2.tld2 # 10 A replacement with wildcard
addr 12.12.12.12 nxc1.sub1.tld2 # 11 replace NXDOMAIN with CNAME
addr 12.12.12.12 nxc2.sub1.tld2 # 12 replace NXDOMAIN with CNAME chain
addr 127.0.0.1 a4-4.tld2 # 13 prefer 1st conflicting QNAME zone
addr 56.56.56.56 a3-6.tld2 # 14 wildcard CNAME
addr 57.57.57.57 a3-7.sub1.tld2 # 15 wildcard CNAME
addr 127.0.0.16 a4-5-cname3.tld2 # 16 CNAME chain
addr 127.0.0.17 a4-6-cname3.tld2 # 17 stop short in CNAME chain
nxdomain c1.crash2.tld3 # 18 assert in rbtdb.c
nochange a0-1.tld2 +norecurse
nxdomain a0-1.tld2 +dnssec
nxdomain a0-1.signed-tld2
nochange a0-1.signed-tld2 +dnssec
addr 127.4.4.1 a4-4.tld2 # 13 prefer 1st conflicting QNAME zone
nochange a6-1.tld2 # 14
addr 127.6.2.1 a6-2.tld2 # 15
addr 56.56.56.56 a3-6.tld2 # 16 wildcard CNAME
addr 57.57.57.57 a3-7.sub1.tld2 # 17 wildcard CNAME
addr 127.0.0.16 a4-5-cname3.tld2 # 18 CNAME chain
addr 127.0.0.17 a4-6-cname3.tld2 # 19 stop short in CNAME chain
nochange a0-1.tld2 +norecurse # 20 check that RD=1 is required
nochange a3-1.tld2 +norecurse # 21
nochange a3-2.tld2 +norecurse # 22
nochange sub.a3-2.tld2 +norecurse # 23
nxdomain c1.crash2.tld3 # 24 assert in rbtdb.c
nxdomain a0-1.tld2 +dnssec # 25 simple DO=1 without signatures
nxdomain a0-1.tld2s # 26 simple DO=0 with signatures
nochange a0-1.tld2s +dnssec # 27 simple DO=1 with signatures
nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain
nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain
nochange a0-1.tld2s srv +auth +dnssec # 30 no write for +DNSSEC and no record
nxdomain a0-1.tld2s srv # 31
end_group
start_group "IP rewrites" test2
nodata a3-1.tld2
nochange a3-2.tld2
nochange a4-1.tld2
nxdomain a4-2.tld2
nochange a4-2.tld2 -taaaa
nochange a4-2.tld2 -ttxt
nxdomain a4-2.tld2 -tany
nodata a4-3.tld2
nxdomain a3-1.tld2 -tAAAA
nochange a4-1-aaaa.tld2 -tAAAA
nodata a3-1.tld2 # 1 NODATA
nochange a3-2.tld2 # 2 no policy record so no change
nochange a4-1.tld2 # 3 obsolete PASSTHRU record style
nxdomain a4-2.tld2 # 4
nochange a4-2.tld2 -taaaa # 5 no A => no policy rewrite
nochange a4-2.tld2 -ttxt # 6 no A => no policy rewrite
nxdomain a4-2.tld2 -tany # 7 no A => no policy rewrite
nodata a4-3.tld2 # 8
nxdomain a3-1.tld2 -taaaa # 9 IPv6 policy
nochange a4-1-aaaa.tld2 -taaaa # 10
addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address
addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone
addr 14.14.14.14 a5-4.tld2 # 13 prefer QNAME to IP
nochange a5-4.tld2 +norecurse # 14 check that RD=1 is required
nochange a4-4.tld2 # 15 PASSTHRU
nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c
end_group
@@ -256,7 +317,7 @@ end_group
if ./rpz nsdname; then
start_group "NSDNAME rewrites" test3
nochange a3-1.tld2
nochange a3-1.tld2 +dnssec # 2 this once caused problems
nochange a3-1.tld2 +dnssec # 2 this once caused problems
nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME
nxdomain a3-1.subsub.sub1.tld2
nxdomain a3-1.subsub.sub1.tld2 -tany
@@ -284,21 +345,29 @@ else
fi
# policies in ./test5 overridden by response-policy{} in ns3/named.conf
# and in ns5/named.conf
start_group "policy overrides" test5
addr 127.0.0.1 a3-1.tld2 # 1 bl-given
nochange a3-2.tld2 # 2 bl-passthru
nochange a3-3.tld2 # 3 bl-no-op obsolete for passthru
nochange a3-4.tld2 # 4 bl-disabled
nodata a3-5.tld2 # 5 bl-nodata
nxdomain a3-6.tld2 # 6 bl-nxdomain
here +noauth a3-7.tld2 -tany <<'EOF' # 7 bl_cname
nodata a3-5.tld2 +norecurse # 6 bl-nodata recursive-only no
nodata a3-5.tld2 # 7 bl-nodata
nodata a3-5.tld2 +norecurse @$ns5 # 8 bl-nodata recursive-only no
nodata a3-5.tld2s @$ns5 # 9 bl-nodata
nodata a3-5.tld2s +dnssec @$ns5 # 10 bl-nodata break-dnssec
nxdomain a3-6.tld2 # 11 bl-nxdomain
here a3-7.tld2 -tany <<'EOF'
;; status: NOERROR, x
a3-7.tld2. 300 IN CNAME txt-only.tld2.
txt-only.tld2. 120 IN TXT "txt-only-tld2"
a3-7.tld2. x IN CNAME txt-only.tld2.
txt-only.tld2. x IN TXT "txt-only-tld2"
EOF
addr 58.58.58.58 a3-8.tld2 # 8 bl_wildcname
addr 59.59.59.59 a3-9.sub9.tld2 # 9 bl_wildcname
addr 12.12.12.12 a3-10.tld2 # 10 bl-garden
addr 58.58.58.58 a3-8.tld2 # 13 bl_wildcname
addr 59.59.59.59 a3-9.sub9.tld2 # 14 bl_wildcname
addr 12.12.12.12 a3-15.tld2 # 15 bl-garden via CNAME to a12.tld2
addr 127.0.0.16 a3-16.tld2 100 # 16 bl max-policy-ttl 100
addr 17.17.17.17 "a3-17.tld2 @$ns5" 90 # 17 ns5 bl max-policy-ttl 90
end_group
# check that miscellaneous bugs are still absent
@@ -312,12 +381,61 @@ for Q in RRSIG SIG ANY 'ANY +dnssec'; do
done
end_group
# restart the server to see if that creates a core file
if test -z "$HAVE_CORE"; then
$RNDCCMD halt
restart
test -s ns3/named.core && setret "I:found stray core file; memory leak?"
# superficial test for major performance bugs
QPERF=`sh qperf.sh`
if test -n "$QPERF"; then
perf () {
echo "I:checking performance $1"
# don't measure the costs of -d99
$RNDCCMD $ns5 notrace >/dev/null
$QPERF -1 -l2 -d ns5/requests -s $ns5 -p 5300 >ns5/$2.perf
ckalive $ns5 "I:failed; server #5 crashed"
}
trim () {
sed -n -e 's/.*Queries per second: *\([0-9]*\).*/\1/p' ns5/$1.perf
}
# Dry run to prime disk cache
# Otherwise a first test of either flavor is 25% low
perf 'to prime disk cache' rpz
# get queries/second with rpz
perf 'with rpz' rpz
# turn off rpz and measure queries/second again
# Don't wait for a clean stop. Clean stops of this server need seconds
# until the sockets are close. 5 or 10 seconds after that, the
# server really stops and deletes named.pid.
echo "# rpz off" >ns5/rpz-switch
PID=`cat ns5/named.pid`
test -z "$PID" || kill -9 "$PID"
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns5
perf 'without rpz' norpz
NORPZ=`trim norpz`
RPZ=`trim rpz`
echo "I:$RPZ qps with RPZ versus $NORPZ qps without"
# fail if RPZ costs more than 100%
NORPZ2=`expr "$NORPZ" / 2`
if test "$RPZ" -le "$NORPZ2"; then
echo "I:rpz $RPZ qps too far below non-RPZ $NORPZ qps"
status=`expr $status + 1`
fi
else
echo "I:performance not checked; queryperf not available"
fi
# restart the main test RPZ server to see if that creates a core file
if test -z "$HAVE_CORE"; then
$PERL $SYSTEMTESTTOP/stop.pl . ns3
restart 3
HAVE_CORE=`find ns* -name '*core*' -print`
test -z "$HAVE_CORE" || setret "I:found $HAVE_CORE; memory leak?"
fi
echo "I:exit status: $status"
exit $status