Merge branch 'tkrizek/split-up-dnsrps-test-cases' into 'bind-9.18'

[9.18] Split up the dnsrps and native variants of rpz system tests See merge request isc-projects/bind9!8661
2024-01-18 17:26:57 +00:00
parent 231dc3ff15 575728dee8
commit d629795f36
15 changed files with 960 additions and 1270 deletions
--- a/bin/tests/system/ckdnsrps.sh
+++ b/bin/tests/system/ckdnsrps.sh
@@ -1,172 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0.  If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-set -e
-
-# Say on stdout whether to test DNSRPS
-#	and create dnsrps.conf and dnsrps-secondary.conf
-# Note that dnsrps.conf and dnsrps-secondary.conf are included in named.conf
-#	and differ from dnsrpz.conf which is used by dnsrpzd.
-
-. ../conf.sh
-
-DNSRPS_CMD=../rpz/dnsrps
-
-AS_NS=
-TEST_DNSRPS=
-MCONF=dnsrps.conf
-SCONF=dnsrps-secondary.conf
-USAGE="$0: [-xAD] [-M dnsrps.conf] [-S dnsrps-secondary.conf]"
-while getopts "xADM:S:" c; do
-  case $c in
-    x)
-      set -x
-      DEBUG=-x
-      ;;
-    A) AS_NS=yes ;;
-    D) TEST_DNSRPS=yes ;;
-    M) MCONF="$OPTARG" ;;
-    S) SCONF="$OPTARG" ;;
-    *)
-      echo "$USAGE" 1>&2
-      exit 1
-      ;;
-  esac
-done
-shift $(expr $OPTIND - 1 || true)
-if [ "$#" -ne 0 ]; then
-  echo "$USAGE" 1>&2
-  exit 1
-fi
-
-# erase any existing conf files
-cat /dev/null >$MCONF
-cat /dev/null >$SCONF
-
-add_conf() {
-  echo "$*" >>$MCONF
-  echo "$*" >>$SCONF
-}
-
-if ! $FEATURETEST --enable-dnsrps; then
-  if [ -n "$TEST_DNSRPS" ]; then
-    add_conf "## DNSRPS disabled at compile time"
-  fi
-  add_conf "#skip"
-  exit 0
-fi
-
-if [ -z "$TEST_DNSRPS" ]; then
-  add_conf "## testing with native RPZ"
-  add_conf '#skip'
-  exit 0
-else
-  add_conf "## testing with DNSRPS"
-fi
-
-if [ ! -x "$DNSRPS_CMD" ]; then
-  add_conf "## make $DNSRPS_CMD to test DNSRPS"
-  add_conf '#skip'
-  exit 0
-fi
-
-if $DNSRPS_CMD -a >/dev/null; then
-  :
-else
-  add_conf "## DNSRPS provider library is not available"
-  add_conf '#skip'
-  exit 0
-fi
-
-CMN="	dnsrps-options { dnsrpzd-conf ../dnsrpzd.conf
-			 dnsrpzd-sock ../dnsrpzd.sock
-			 dnsrpzd-rpzf ../dnsrpzd.rpzf
-			 dnsrpzd-args '-dddd -L stdout'
-			 log-level 3"
-
-PRIMARY="$CMN"
-if [ -n "$AS_NS" ]; then
-  PRIMARY="$PRIMARY
-			qname-as-ns yes
-			ip-as-ns yes"
-fi
-
-# write dnsrps settings for primary resolver
-cat <<EOF >>$MCONF
-$PRIMARY };
-EOF
-
-# write dnsrps settings for resolvers that should not start dnsrpzd
-cat <<EOF >>$SCONF
-$CMN
-			dnsrpzd '' };	# do not start dnsrpzd
-EOF
-
-# DNSRPS is available.
-# The test should fail if the license is bad.
-add_conf "dnsrps-enable yes;"
-
-# Use alt-dnsrpzd-license.conf if it exists
-CUR_L=dnsrpzd-license-cur.conf
-ALT_L=alt-dnsrpzd-license.conf
-# try ../rpz/alt-dnsrpzd-license.conf if alt-dnsrpzd-license.conf does not exist
-[ -s $ALT_L ] || ALT_L=../rpz/alt-dnsrpzd-license.conf
-if [ -s $ALT_L ]; then
-  SRC_L=$ALT_L
-  USE_ALT=
-else
-  SRC_L=../rpz/dnsrpzd-license.conf
-  USE_ALT="## consider installing alt-dnsrpzd-license.conf"
-fi
-cp $SRC_L $CUR_L
-
-# parse $CUR_L for the license zone name, primary IP addresses, and optional
-#   transfer-source IP addresses
-eval $(sed -n -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/' \
-  -e 's/.*zone *\([-a-z0-9]*.license.fastrpz.com\).*/NAME=\1/p' \
-  -e 's/.*farsight_fastrpz_license *\([0-9.]*\);.*/IPV4=\1/p' \
-  -e 's/.*farsight_fastrpz_license *\([0-9a-f:]*\);.*/IPV6=\1/p' \
-  -e 's/.*transfer-source *\([0-9.]*\);.*/TS4=-b\1/p' \
-  -e 's/.*transfer-source *\([0-9a-f:]*\);.*/TS6=-b\1/p' \
-  -e 's/.*transfer-source-v6 *\([0-9a-f:]*\);.*/TS6=-b\1/p' \
-  $CUR_L)
-if [ -z "$NAME" ]; then
-  add_conf "## no DNSRPS tests; no license domain name in $SRC_L"
-  add_conf '#fail'
-  exit 0
-fi
-if [ -z "$IPV4" ]; then
-  IPV4=license1.fastrpz.com
-  TS4=
-fi
-if [ -z "$IPV6" ]; then
-  IPV6=license1.fastrpz.com
-  TS6=
-fi
-
-# This TSIG key is common and NOT a secret
-KEY='hmac-sha256:farsight_fastrpz_license:f405d02b4c8af54855fcebc1'
-
-# Try IPv4 and then IPv6 to deal with IPv6 tunnel and connectivity problems
-if $($DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4 \
-  | grep -i "^$NAME.*TXT" >/dev/null); then
-  exit 0
-fi
-if $($DIG -6 -t axfr -y$KEY $TS6 $NAME @$IPV6 \
-  | grep -i "^$NAME.*TXT" >/dev/null); then
-  exit 0
-fi
-
-add_conf "## DNSRPS lacks a valid license via $SRC_L"
-[ -z "$USE_ALT" ] || add_conf "$USE_ALT"
-add_conf '#fail'
--- a/bin/tests/system/isctest/mark.py
+++ b/bin/tests/system/isctest/mark.py
@@ -12,6 +12,7 @@
 # information regarding copyright ownership.

 import os
+from pathlib import Path
 import subprocess

 import pytest
@@ -33,6 +34,19 @@ def feature_test(feature):
    return True


+DNSRPS_BIN = Path(os.environ["TOP_BUILDDIR"]) / "bin/tests/system/rpz/dnsrps"
+
+
+def is_dnsrps_available():
+    if not feature_test("--enable-dnsrps"):
+        return False
+    try:
+        subprocess.run([DNSRPS_BIN, "-a"], check=True)
+    except subprocess.CalledProcessError:
+        return False
+    return True
+
+
 have_libxml2 = pytest.mark.skipif(
    not feature_test("--have-libxml2"), reason="libxml2 support disabled in the build"
 )
@@ -41,6 +55,10 @@ have_json_c = pytest.mark.skipif(
    not feature_test("--have-json-c"), reason="json-c support disabled in the build"
 )

+dnsrps_enabled = pytest.mark.skipif(
+    not is_dnsrps_available(), reason="dnsrps disabled in the build"
+)
+

 try:
    import flaky as flaky_pkg  # type: ignore
--- a/bin/tests/system/legacy.run.sh.in
+++ b/bin/tests/system/legacy.run.sh.in
@@ -87,7 +87,7 @@ if [ "${srcdir}" != "${builddir}" ]; then
    cp -a "${srcdir}/_common" "${builddir}"
  fi
  # Some tests require additional files to work for out-of-tree test runs.
-  for file in ckdnsrps.sh conftest.py digcomp.pl ditch.pl fromhex.pl get_core_dumps.sh kasp.sh packet.pl start.pl stop.pl testcrypto.sh; do
+  for file in conftest.py digcomp.pl ditch.pl fromhex.pl get_core_dumps.sh kasp.sh packet.pl start.pl stop.pl testcrypto.sh; do
    if [ ! -r "${file}" ]; then
      cp -a "${srcdir}/${file}" "${builddir}"
    fi
--- a/bin/tests/system/rpz/clean.sh
+++ b/bin/tests/system/rpz/clean.sh
@@ -11,29 +11,6 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.

-# Clean up after rpz tests.
-
-USAGE="$0: [-Px]"
-DEBUG=
-while getopts "Px" c; do
-  case $c in
-    x) set -x ;;
-    P) PARTIAL=set ;;
-    *)
-      echo "$USAGE" 1>&2
-      exit 1
-      ;;
-  esac
-done
-shift $((OPTIND - 1))
-if test "$#" -ne 0; then
-  echo "$USAGE" 1>&2
-  exit 1
-fi
-
-# this might be called from setup.sh to partially clean up the files
-# from the first test pass so the second pass can be set up correctly.
-# remove those files first, then decide whether to remove the others.
 rm -f ns*/*.key ns*/*.private
 rm -f ns2/tld2s.db */bl.tld2.db */bl.tld2s.db
 rm -f ns3/bl*.db ns3/fast-expire.db ns*/empty.db
@@ -43,18 +20,15 @@ rm -f ns5/example.db ns5/bl.db ns5/fast-expire.db ns5/expire.conf
 rm -f ns8/manual-update-rpz.db
 rm -f */policy2.db
 rm -f */*.jnl
-
-if [ ${PARTIAL:-unset} = unset ]; then
-  rm -f proto.* dsset-* trusted.conf dig.out* nsupdate.tmp ns*/*tmp
-  rm -f ns5/requests ns5/*.perf
-  rm -f */named.memstats */*.run */*.run.prev */named.stats */session.key
-  rm -f */*.log */*core */*.pid
-  rm -f ns*/named.lock
-  rm -f ns*/named.conf
-  rm -f ns*/*switch
-  rm -f dnsrps*.conf
-  rm -f dnsrpzd.conf
-  rm -f dnsrpzd-license-cur.conf dnsrpzd.rpzf dnsrpzd.sock dnsrpzd.pid
-  rm -f ns*/managed-keys.bind*
-  rm -f tmp
-fi
+rm -f proto.* dsset-* trusted.conf dig.out* nsupdate.tmp ns*/*tmp
+rm -f ns5/requests ns5/*.perf
+rm -f */named.memstats */*.run */*.run.prev */named.stats */session.key
+rm -f */*.log */*core */*.pid
+rm -f ns*/named.lock
+rm -f ns*/named.conf
+rm -f ns*/*switch
+rm -f dnsrps*.conf
+rm -f dnsrpzd.conf
+rm -f dnsrpzd-license-cur.conf dnsrpzd.rpzf dnsrpzd.sock dnsrpzd.pid
+rm -f ns*/managed-keys.bind*
+rm -f tmp
--- a/bin/tests/system/rpz/ns5/named.conf.in
+++ b/bin/tests/system/rpz/ns5/named.conf.in
@@ -35,7 +35,7 @@ options {
 	# turn rpz on or off
 	include "rpz-switch";

-	include "../dnsrps-secondary.conf";
+	include "../dnsrps.conf";
 };

 key rndc_key {
--- a/bin/tests/system/rpz/ns6/named.conf.in
+++ b/bin/tests/system/rpz/ns6/named.conf.in
@@ -36,7 +36,7 @@ options {
 	nsip-enable yes
 	nsdname-enable yes;

-	include "../dnsrps-secondary.conf";
+	include "../dnsrps.conf";
 };

 logging { category rpz { default_debug; }; };
--- a/bin/tests/system/rpz/ns7/named.conf.in
+++ b/bin/tests/system/rpz/ns7/named.conf.in
@@ -32,7 +32,7 @@ options {
 	nsdname-enable yes
 	min-update-interval 0;

-	include "../dnsrps-secondary.conf";
+	include "../dnsrps.conf";
 };

 logging { category rpz { default_debug; }; };
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
@@ -19,31 +19,7 @@ set -e

 QPERF=$($SHELL qperf.sh)

-USAGE="$0: [-DNx]"
-DEBUG=
-while getopts "DNx" c; do
-  case $c in
-    x)
-      set -x
-      DEBUG=-x
-      ;;
-    D) TEST_DNSRPS="-D" ;;
-    N) PARTIAL=-P ;;
-    *)
-      echo "$USAGE" 1>&2
-      exit 1
-      ;;
-  esac
-done
-shift $((OPTIND - 1))
-if test "$#" -ne 0; then
-  echo "$USAGE" 1>&2
-  exit 1
-fi
-
-if [ ${NOCLEAN:-unset} = unset ]; then
-  $SHELL clean.sh $PARTIAL $DEBUG
-fi
+$SHELL clean.sh

 for dir in ns*; do
  touch $dir/named.run
@@ -63,11 +39,8 @@ copy_setports ns10/named.conf.in ns10/named.conf

 copy_setports dnsrpzd.conf.in dnsrpzd.conf

-# decide whether to test DNSRPS
-# Note that dnsrps.conf and dnsrps-secondary.conf are included in named.conf
-# and differ from dnsrpz.conf which is used by dnsrpzd.
-$SHELL ../ckdnsrps.sh -A $TEST_DNSRPS $DEBUG
-test -z "$(grep 'dnsrps-enable yes' dnsrps.conf)" && TEST_DNSRPS=
+touch dnsrps.conf
+touch dnsrps.cache

 # set up test policy zones.
 #   bl is the main test zone
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
--- a/bin/tests/system/rpz/tests_sh_rpz_dnsrps.py
+++ b/bin/tests/system/rpz/tests_sh_rpz_dnsrps.py
@@ -0,0 +1,20 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import isctest.mark
+
+pytestmark = isctest.mark.dnsrps_enabled
+
+
+def test_rpz_dnsrps(run_tests_sh):
+    with open("dnsrps.conf", "w", encoding="utf-8") as conf:
+        conf.writelines(["dnsrps-enable yes;"])
+    run_tests_sh()
--- a/bin/tests/system/rpzrecurse/.gitignore
+++ b/bin/tests/system/rpzrecurse/.gitignore
@@ -5,7 +5,6 @@
 /ns3/named2.conf
 /ns4/named.conf
 /ans5/ans.pid
-/dnsrps-secondary.conf
 /dnsrps.conf
 /dnsrpzd.conf
 session.key
--- a/bin/tests/system/rpzrecurse/ns2/named.conf.header.in
+++ b/bin/tests/system/rpzrecurse/ns2/named.conf.header.in
@@ -27,7 +27,7 @@ options {
 	querylog yes;

 	# let ns3 start dnsrpzd
-	include "../dnsrps-secondary.conf";
+	include "../dnsrps.conf";
 };

 key rndc_key {
--- a/bin/tests/system/rpzrecurse/setup.sh
+++ b/bin/tests/system/rpzrecurse/setup.sh
@@ -17,29 +17,7 @@ set -e

 . ../conf.sh

-USAGE="$0: [-DNx]"
-DEBUG=
-while getopts "DNx" c; do
-  case $c in
-    x)
-      set -x
-      DEBUG=-x
-      ;;
-    D) TEST_DNSRPS="-D" ;;
-    N) NOCLEAN=set ;;
-    *)
-      echo "$USAGE" 1>&2
-      exit 1
-      ;;
-  esac
-done
-shift $((OPTIND - 1))
-if test "$#" -ne 0; then
-  echo "$USAGE" 1>&2
-  exit 1
-fi
-
-[ ${NOCLEAN:-unset} = unset ] && $SHELL clean.sh $DEBUG
+$SHELL clean.sh

 $PERL testgen.pl

@@ -52,6 +30,8 @@ copy_setports ns3/named1.conf.in ns3/named.conf

 copy_setports ns4/named.conf.in ns4/named.conf

+touch dnsrps.conf
+
 # setup policy zones for a 64-zone test
 i=1
 while test $i -le 64; do
@@ -68,10 +48,6 @@ while test $i -le 64; do
  i=$((i + 1))
 done

-# decide whether to test DNSRPS
-$SHELL ../ckdnsrps.sh $TEST_DNSRPS $DEBUG
-test -z "$(grep 'dnsrps-enable yes' dnsrps.conf)" && TEST_DNSRPS=
-
 CWD=$(pwd)
 cat <<EOF >dnsrpzd.conf
 PID-FILE $CWD/dnsrpzd.pid;
--- a/bin/tests/system/rpzrecurse/tests.sh
+++ b/bin/tests/system/rpzrecurse/tests.sh
@@ -22,17 +22,16 @@ status=0

 t=0

-DEBUG=
 ARGS=
+if grep 'dnsrps-enable yes;' dnsrps.conf >/dev/null; then
+  MODE=dnsrps
+else
+  MODE=native
+fi

-USAGE="$0: [-xS]"
-while getopts "xS:" c; do
+USAGE="$0: [-S]"
+while getopts "S:" c; do
  case $c in
-    x)
-      set -x
-      DEBUG=-x
-      ARGS="$ARGS -x"
-      ;;
    S)
      SAVE_RESULTS=-S
      ARGS="$ARGS -S"
@@ -118,452 +117,397 @@ add_test_marker() {
  done
 }

-native=0
-dnsrps=0
-for mode in native dnsrps; do
-  status=0
-  case $mode in
-    native)
-      if [ -e dnsrps-only ]; then
-        echo_i "'dnsrps-only' found: skipping native RPZ sub-test"
-        continue
-      else
-        echo_i "running native RPZ sub-test"
-      fi
-      ;;
-    dnsrps)
-      if [ -e dnsrps-off ]; then
-        echo_i "'dnsrps-off' found: skipping DNSRPS sub-test"
-        continue
-      fi
-      echo_i "attempting to configure servers with DNSRPS..."
-      stop_server --use-rndc --port ${CONTROLPORT}
-      $SHELL ./setup.sh -N -D $DEBUG
-      sed -n 's/^## //p' dnsrps.conf | cat_i
-      if grep '^#fail' dnsrps.conf >/dev/null; then
-        echo_i "exit status: 1"
-        exit 1
-      fi
-      if grep '^#skip' dnsrps.conf >/dev/null; then
-        echo_i "DNSRPS sub-test skipped"
-        continue
-      else
-        echo_i "running DNSRPS sub-test"
-        start_server --noclean --restart --port ${PORT}
-        sleep 3
-      fi
-      ;;
-  esac
+t=$((t + 1))
+echo_i "testing that l1.l0 exists without RPZ (${t})"
+add_test_marker 10.53.0.2
+$DIG $DIGOPTS l1.l0 ns @10.53.0.2 -p ${PORT} >dig.out.${t}
+grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
+  echo_i "test ${t} failed"
+  status=1
+}

-  # show whether and why DNSRPS is enabled or disabled
-  sed -n 's/^## //p' dnsrps.conf | cat_i
+t=$((t + 1))
+echo_i "testing that l2.l1.l0 returns SERVFAIL without RPZ (${t})"
+add_test_marker 10.53.0.2
+$DIG $DIGOPTS l2.l1.l0 ns @10.53.0.2 -p ${PORT} >dig.out.${t}
+grep "status: SERVFAIL" dig.out.${t} >/dev/null 2>&1 || {
+  echo_i "test ${t} failed"
+  status=1
+}

-  t=$((t + 1))
-  echo_i "testing that l1.l0 exists without RPZ (${t})"
-  add_test_marker 10.53.0.2
-  $DIG $DIGOPTS l1.l0 ns @10.53.0.2 -p ${PORT} >dig.out.${t}
-  grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
-    echo_i "test ${t} failed"
-    status=1
-  }
+# Group 1
+run_server 1a
+expect_norecurse 1a 1
+run_server 1b
+expect_norecurse 1b 1
+expect_recurse 1b 2
+run_server 1c
+expect_norecurse 1c 1

-  t=$((t + 1))
-  echo_i "testing that l2.l1.l0 returns SERVFAIL without RPZ (${t})"
-  add_test_marker 10.53.0.2
-  $DIG $DIGOPTS l2.l1.l0 ns @10.53.0.2 -p ${PORT} >dig.out.${t}
-  grep "status: SERVFAIL" dig.out.${t} >/dev/null 2>&1 || {
-    echo_i "test ${t} failed"
-    status=1
-  }
-
-  # Group 1
-  run_server 1a
-  expect_norecurse 1a 1
-  run_server 1b
-  expect_norecurse 1b 1
-  expect_recurse 1b 2
-  run_server 1c
-  expect_norecurse 1c 1
-
-  # Group 2
-  run_server 2a
-  for n in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \
-    21 22 23 24 25 26 27 28 29 30 31 32; do
-    expect_norecurse 2a $n
-  done
-  expect_recurse 2a 33
-
-  # Group 3
-  run_server 3a
-  expect_recurse 3a 1
-  run_server 3b
-  expect_recurse 3b 1
-  run_server 3c
-  expect_recurse 3c 1
-  run_server 3d
-  expect_norecurse 3d 1
-  expect_recurse 3d 2
-  run_server 3e
-  expect_norecurse 3e 1
-  expect_recurse 3e 2
-  run_server 3f
-  expect_norecurse 3f 1
-  expect_recurse 3f 2
-
-  # Group 4
-  testlist="aa ap bf"
-  values="1 16 32"
-  # Uncomment the following to test every skip value instead of
-  # only a sample of values
-  #
-  #testlist="aa ab ac ad ae af ag ah ai aj ak al am an ao ap \
-  #          aq ar as at au av aw ax ay az ba bb bc bd be bf"
-  #values="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \
-  #        21 22 23 24 25 26 27 28 29 30 31 32"
-  set -- $values
-  for n in $testlist; do
-    run_server 4$n
-    ni=$1
-    t=$((t + 1))
-    echo_i "testing that ${ni} of 33 queries skip recursion (${t})"
-    add_test_marker 10.53.0.2
-    c=0
-    for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 \
-      17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33; do
-      run_query 4$n $i || c=$((c + 1))
-    done
-    skipped=$((33 - c))
-    if [ $skipped != $ni ]; then
-      echo_i "test $t failed (actual=$skipped, expected=$ni)"
-      status=1
-    fi
-    shift
-  done
-
-  # Group 5
-  run_server 5a
-  expect_norecurse 5a 1
-  expect_norecurse 5a 2
-  expect_recurse 5a 3
-  expect_recurse 5a 4
-  expect_recurse 5a 5
-  expect_recurse 5a 6
-
-  # Group 6
-  echo_i "check recursive behavior consistency during policy update races"
-  run_server 6a
-  sleep 1
-  t=$((t + 1))
-  echo_i "running dig to cache CNAME record (${t})"
-  add_test_marker 10.53.0.1 10.53.0.2
-  $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME >dig.out.${t}
-  sleep 1
-  echo_i "suspending authority server"
-  PID=$(cat ns1/named.pid)
-  kill -STOP $PID
-  echo_i "adding an NSDNAME policy"
-  cp ns2/db.6a.00.policy.local ns2/saved.policy.local
-  cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local
-  $RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
-  test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
-  sleep 1
-  t=$((t + 1))
-  echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})"
-  add_test_marker 10.53.0.2
-  $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 >dig.out.${t} &
-  sleep 1
-  echo_i "removing the NSDNAME policy"
-  cp ns2/db.6c.00.policy.local ns2/db.6a.00.policy.local
-  $RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
-  test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
-  sleep 1
-  echo_i "resuming authority server"
-  PID=$(cat ns1/named.pid)
-  kill -CONT $PID
-  add_test_marker 10.53.0.1
-  for n in 1 2 3 4 5 6 7 8 9; do
-    sleep 1
-    [ -s dig.out.${t} ] || continue
-    grep "status: .*," dig.out.${t} >/dev/null 2>&1 && break
-  done
-  grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
-    echo_i "test ${t} failed"
-    status=1
-  }
-
-  echo_i "check recursive behavior consistency during policy removal races"
-  cp ns2/saved.policy.local ns2/db.6a.00.policy.local
-  run_server 6a
-  sleep 1
-  t=$((t + 1))
-  echo_i "running dig to cache CNAME record (${t})"
-  add_test_marker 10.53.0.1 10.53.0.2
-  $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME >dig.out.${t}
-  sleep 1
-  echo_i "suspending authority server"
-  PID=$(cat ns1/named.pid)
-  kill -STOP $PID
-  echo_i "adding an NSDNAME policy"
-  cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local
-  $RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
-  test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
-  sleep 1
-  t=$((t + 1))
-  echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})"
-  add_test_marker 10.53.0.2
-  $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 >dig.out.${t} &
-  sleep 1
-  echo_i "removing the policy zone"
-  cp ns2/named.default.conf ns2/named.conf
-  rndc_reconfig ns2 10.53.0.2
-  test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
-  sleep 1
-  echo_i "resuming authority server"
-  PID=$(cat ns1/named.pid)
-  kill -CONT $PID
-  add_test_marker 10.53.0.1
-  for n in 1 2 3 4 5 6 7 8 9; do
-    sleep 1
-    [ -s dig.out.${t} ] || continue
-    grep "status: .*," dig.out.${t} >/dev/null 2>&1 && break
-  done
-  grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
-    echo_i "test ${t} failed"
-    status=1
-  }
-
-  # Check maximum number of RPZ zones (64)
-  t=$((t + 1))
-  echo_i "testing maximum number of RPZ zones (${t})"
-  add_test_marker 10.53.0.2
-  run_server max
-  i=1
-  while test $i -le 64; do
-    $DIG $DIGOPTS name$i a @10.53.0.2 -p ${PORT} -b 10.53.0.1 >dig.out.${t}.${i}
-    grep "^name$i.[ 	]*[0-9]*[ 	]*IN[ 	]*A[ 	]*10.53.0.$i" dig.out.${t}.${i} >/dev/null 2>&1 || {
-      echo_i "test $t failed: didn't get expected answer from policy zone $i"
-      status=1
-    }
-    i=$((i + 1))
-  done
-
-  # Check CLIENT-IP behavior
-  t=$((t + 1))
-  echo_i "testing CLIENT-IP behavior (${t})"
-  add_test_marker 10.53.0.2
-  run_server clientip
-  $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}
-  grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
-    echo_i "test $t failed: query failed"
-    status=1
-  }
-  grep "^l2.l1.l0.[ 	]*[0-9]*[ 	]*IN[ 	]*A[ 	]*10.53.0.2" dig.out.${t} >/dev/null 2>&1 || {
-    echo_i "test $t failed: didn't get expected answer"
-    status=1
-  }
-
-  # Check CLIENT-IP behavior #2
-  t=$((t + 1))
-  echo_i "testing CLIENT-IP behavior #2 (${t})"
-  add_test_marker 10.53.0.2
-  run_server clientip2
-  $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.1 >dig.out.${t}.1
-  grep "status: SERVFAIL" dig.out.${t}.1 >/dev/null 2>&1 || {
-    echo_i "test $t failed: query failed"
-    status=1
-  }
-  $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >dig.out.${t}.2
-  grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null 2>&1 || {
-    echo_i "test $t failed: query failed"
-    status=1
-  }
-  $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >dig.out.${t}.3
-  grep "status: NOERROR" dig.out.${t}.3 >/dev/null 2>&1 || {
-    echo_i "test $t failed: query failed"
-    status=1
-  }
-  grep "^l2.l1.l0.[ 	]*[0-9]*[ 	]*IN[ 	]*A[ 	]*10.53.0.1" dig.out.${t}.3 >/dev/null 2>&1 || {
-    echo_i "test $t failed: didn't get expected answer"
-    status=1
-  }
-  $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}.4
-  grep "status: SERVFAIL" dig.out.${t}.4 >/dev/null 2>&1 || {
-    echo_i "test $t failed: query failed"
-    status=1
-  }
-
-  # Check RPZ log clause
-  t=$((t + 1))
-  echo_i "testing RPZ log clause (${t})"
-  add_test_marker 10.53.0.2
-  run_server log
-  cur=$(awk 'BEGIN {l=0} /^/ {l++} END { print l }' ns2/named.run)
-  $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}
-  $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >>dig.out.${t}
-  $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >>dig.out.${t}
-  sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.4.0.53.10.rpz-client-ip.log1" >/dev/null && {
-    echo_ic "failed: unexpected rewrite message for policy zone log1 was logged"
-    status=1
-  }
-  sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.3.0.53.10.rpz-client-ip.log2" >/dev/null || {
-    echo_ic "failed: expected rewrite message for policy zone log2 was not logged"
-    status=1
-  }
-  sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.2.0.53.10.rpz-client-ip.log3" >/dev/null || {
-    echo_ic "failed: expected rewrite message for policy zone log3 was not logged"
-    status=1
-  }
-
-  # Check wildcard behavior
-
-  t=$((t + 1))
-  echo_i "testing wildcard behavior with 1 RPZ zone (${t})"
-  add_test_marker 10.53.0.2
-  run_server wildcard1
-  $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
-  grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || {
-    echo_i "test ${t} failed"
-    status=1
-  }
-  $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
-  grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null || {
-    echo_i "test ${t} failed"
-    status=1
-  }
-
-  t=$((t + 1))
-  echo_i "testing wildcard behavior with 2 RPZ zones (${t})"
-  add_test_marker 10.53.0.2
-  run_server wildcard2
-  $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
-  grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || {
-    echo_i "test ${t} failed"
-    status=1
-  }
-  $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
-  grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null || {
-    echo_i "test ${t} failed"
-    status=1
-  }
-
-  t=$((t + 1))
-  echo_i "testing wildcard behavior with 1 RPZ zone and no non-wildcard triggers (${t})"
-  add_test_marker 10.53.0.2
-  run_server wildcard3
-  $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
-  grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || {
-    echo_i "test ${t} failed"
-    status=1
-  }
-  $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
-  grep "status: NOERROR" dig.out.${t}.2 >/dev/null || {
-    echo_i "test ${t} failed"
-    status=1
-  }
-
-  t=$((t + 1))
-  echo_i "testing wildcard passthru before explicit drop (${t})"
-  add_test_marker 10.53.0.2
-  run_server wildcard4
-  $DIG $DIGOPTS example.com a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
-  grep "status: NOERROR" dig.out.${t}.1 >/dev/null || {
-    echo_i "test ${t} failed"
-    status=1
-  }
-  $DIG $DIGOPTS www.example.com a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
-  grep "status: NOERROR" dig.out.${t}.2 >/dev/null || {
-    echo_i "test ${t} failed"
-    status=1
-  }
-
-  if [ "$mode" = "native" ]; then
-    # Check for invalid prefix length error
-    t=$((t + 1))
-    echo_i "testing for invalid prefix length error (${t})"
-    add_test_marker 10.53.0.2
-    run_server invalidprefixlength
-    grep "invalid rpz IP address \"1000.4.0.53.10.rpz-client-ip.invalidprefixlength\"; invalid prefix length of 1000$" ns2/named.run >/dev/null || {
-      echo_ic "failed: expected that invalid prefix length error would be logged"
-      status=1
-    }
-  fi
-
-  t=$((t + 1))
-  echo_i "checking 'nsip-wait-recurse no' is faster than 'nsip-wait-recurse yes' ($t)"
-  add_test_marker 10.53.0.2 10.53.0.3
-  echo_i "timing 'nsip-wait-recurse yes' (default)"
-  ret=0
-  t1=$($PERL -e 'print time()."\n";')
-  $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.yes.$t
-  t2=$($PERL -e 'print time()."\n";')
-  p1=$((t2 - t1))
-  echo_i "elapsed time $p1 seconds"
-
-  $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
-  copy_setports ns3/named2.conf.in ns3/named.conf
-  nextpart ns3/named.run >/dev/null
-  $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
-  wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
-
-  echo_i "timing 'nsip-wait-recurse no'"
-  t3=$($PERL -e 'print time()."\n";')
-  $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.no.$t
-  t4=$($PERL -e 'print time()."\n";')
-  p2=$((t4 - t3))
-  echo_i "elapsed time $p2 seconds"
-
-  if test $p1 -le $p2; then ret=1; fi
-  if test $ret != 0; then echo_i "failed"; fi
-  status=$((status + ret))
-
-  $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
-  # restore original named.conf
-  copy_setports ns3/named1.conf.in ns3/named.conf
-  nextpart ns3/named.run >/dev/null
-  $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
-  wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
-
-  t=$((t + 1))
-  echo_i "checking 'nsdname-wait-recurse no' is faster than 'nsdname-wait-recurse yes' ($t)"
-  add_test_marker 10.53.0.2 10.53.0.3
-  echo_i "timing 'nsdname-wait-recurse yes' (default)"
-  ret=0
-  t1=$($PERL -e 'print time()."\n";')
-  $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.yes.$t
-  t2=$($PERL -e 'print time()."\n";')
-  p1=$((t2 - t1))
-  echo_i "elapsed time $p1 seconds"
-
-  $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
-  copy_setports ns3/named3.conf.in ns3/named.conf
-  nextpart ns3/named.run >/dev/null
-  $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
-  wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
-
-  echo_i "timing 'nsdname-wait-recurse no'"
-  t3=$($PERL -e 'print time()."\n";')
-  $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.no.$t
-  t4=$($PERL -e 'print time()."\n";')
-  p2=$((t4 - t3))
-  echo_i "elapsed time $p2 seconds"
-
-  if test $p1 -le $p2; then ret=1; fi
-  if test $ret != 0; then echo_i "failed"; fi
-  status=$((status + ret))
-
-  [ $status -ne 0 ] && pf=fail || pf=pass
-  case $mode in
-    native)
-      native=$status
-      echo_i "status (native RPZ sub-test): $status ($pf)"
-      ;;
-    dnsrps)
-      dnsrps=$status
-      echo_i "status (DNSRPS sub-test): $status ($pf)"
-      ;;
-    *) echo_i "invalid test mode" ;;
-  esac
+# Group 2
+run_server 2a
+for n in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \
+  21 22 23 24 25 26 27 28 29 30 31 32; do
+  expect_norecurse 2a $n
 done
-status=$((native + dnsrps))
+expect_recurse 2a 33
+
+# Group 3
+run_server 3a
+expect_recurse 3a 1
+run_server 3b
+expect_recurse 3b 1
+run_server 3c
+expect_recurse 3c 1
+run_server 3d
+expect_norecurse 3d 1
+expect_recurse 3d 2
+run_server 3e
+expect_norecurse 3e 1
+expect_recurse 3e 2
+run_server 3f
+expect_norecurse 3f 1
+expect_recurse 3f 2
+
+# Group 4
+testlist="aa ap bf"
+values="1 16 32"
+# Uncomment the following to test every skip value instead of
+# only a sample of values
+#
+#testlist="aa ab ac ad ae af ag ah ai aj ak al am an ao ap \
+#          aq ar as at au av aw ax ay az ba bb bc bd be bf"
+#values="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \
+#        21 22 23 24 25 26 27 28 29 30 31 32"
+set -- $values
+for n in $testlist; do
+  run_server 4$n
+  ni=$1
+  t=$((t + 1))
+  echo_i "testing that ${ni} of 33 queries skip recursion (${t})"
+  add_test_marker 10.53.0.2
+  c=0
+  for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 \
+    17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33; do
+    run_query 4$n $i || c=$((c + 1))
+  done
+  skipped=$((33 - c))
+  if [ $skipped != $ni ]; then
+    echo_i "test $t failed (actual=$skipped, expected=$ni)"
+    status=1
+  fi
+  shift
+done
+
+# Group 5
+run_server 5a
+expect_norecurse 5a 1
+expect_norecurse 5a 2
+expect_recurse 5a 3
+expect_recurse 5a 4
+expect_recurse 5a 5
+expect_recurse 5a 6
+
+# Group 6
+echo_i "check recursive behavior consistency during policy update races"
+run_server 6a
+sleep 1
+t=$((t + 1))
+echo_i "running dig to cache CNAME record (${t})"
+add_test_marker 10.53.0.1 10.53.0.2
+$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME >dig.out.${t}
+sleep 1
+echo_i "suspending authority server"
+PID=$(cat ns1/named.pid)
+kill -STOP $PID
+echo_i "adding an NSDNAME policy"
+cp ns2/db.6a.00.policy.local ns2/saved.policy.local
+cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local
+$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
+test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
+sleep 1
+t=$((t + 1))
+echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})"
+add_test_marker 10.53.0.2
+$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 >dig.out.${t} &
+sleep 1
+echo_i "removing the NSDNAME policy"
+cp ns2/db.6c.00.policy.local ns2/db.6a.00.policy.local
+$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
+test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
+sleep 1
+echo_i "resuming authority server"
+PID=$(cat ns1/named.pid)
+kill -CONT $PID
+add_test_marker 10.53.0.1
+for n in 1 2 3 4 5 6 7 8 9; do
+  sleep 1
+  [ -s dig.out.${t} ] || continue
+  grep "status: .*," dig.out.${t} >/dev/null 2>&1 && break
+done
+grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
+  echo_i "test ${t} failed"
+  status=1
+}
+
+echo_i "check recursive behavior consistency during policy removal races"
+cp ns2/saved.policy.local ns2/db.6a.00.policy.local
+run_server 6a
+sleep 1
+t=$((t + 1))
+echo_i "running dig to cache CNAME record (${t})"
+add_test_marker 10.53.0.1 10.53.0.2
+$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME >dig.out.${t}
+sleep 1
+echo_i "suspending authority server"
+PID=$(cat ns1/named.pid)
+kill -STOP $PID
+echo_i "adding an NSDNAME policy"
+cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local
+$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
+test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
+sleep 1
+t=$((t + 1))
+echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})"
+add_test_marker 10.53.0.2
+$DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 >dig.out.${t} &
+sleep 1
+echo_i "removing the policy zone"
+cp ns2/named.default.conf ns2/named.conf
+rndc_reconfig ns2 10.53.0.2
+test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true
+sleep 1
+echo_i "resuming authority server"
+PID=$(cat ns1/named.pid)
+kill -CONT $PID
+add_test_marker 10.53.0.1
+for n in 1 2 3 4 5 6 7 8 9; do
+  sleep 1
+  [ -s dig.out.${t} ] || continue
+  grep "status: .*," dig.out.${t} >/dev/null 2>&1 && break
+done
+grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
+  echo_i "test ${t} failed"
+  status=1
+}
+
+# Check maximum number of RPZ zones (64)
+t=$((t + 1))
+echo_i "testing maximum number of RPZ zones (${t})"
+add_test_marker 10.53.0.2
+run_server max
+i=1
+while test $i -le 64; do
+  $DIG $DIGOPTS name$i a @10.53.0.2 -p ${PORT} -b 10.53.0.1 >dig.out.${t}.${i}
+  grep "^name$i.[ 	]*[0-9]*[ 	]*IN[ 	]*A[ 	]*10.53.0.$i" dig.out.${t}.${i} >/dev/null 2>&1 || {
+    echo_i "test $t failed: didn't get expected answer from policy zone $i"
+    status=1
+  }
+  i=$((i + 1))
+done
+
+# Check CLIENT-IP behavior
+t=$((t + 1))
+echo_i "testing CLIENT-IP behavior (${t})"
+add_test_marker 10.53.0.2
+run_server clientip
+$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}
+grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
+  echo_i "test $t failed: query failed"
+  status=1
+}
+grep "^l2.l1.l0.[ 	]*[0-9]*[ 	]*IN[ 	]*A[ 	]*10.53.0.2" dig.out.${t} >/dev/null 2>&1 || {
+  echo_i "test $t failed: didn't get expected answer"
+  status=1
+}
+
+# Check CLIENT-IP behavior #2
+t=$((t + 1))
+echo_i "testing CLIENT-IP behavior #2 (${t})"
+add_test_marker 10.53.0.2
+run_server clientip2
+$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.1 >dig.out.${t}.1
+grep "status: SERVFAIL" dig.out.${t}.1 >/dev/null 2>&1 || {
+  echo_i "test $t failed: query failed"
+  status=1
+}
+$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >dig.out.${t}.2
+grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null 2>&1 || {
+  echo_i "test $t failed: query failed"
+  status=1
+}
+$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >dig.out.${t}.3
+grep "status: NOERROR" dig.out.${t}.3 >/dev/null 2>&1 || {
+  echo_i "test $t failed: query failed"
+  status=1
+}
+grep "^l2.l1.l0.[ 	]*[0-9]*[ 	]*IN[ 	]*A[ 	]*10.53.0.1" dig.out.${t}.3 >/dev/null 2>&1 || {
+  echo_i "test $t failed: didn't get expected answer"
+  status=1
+}
+$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}.4
+grep "status: SERVFAIL" dig.out.${t}.4 >/dev/null 2>&1 || {
+  echo_i "test $t failed: query failed"
+  status=1
+}
+
+# Check RPZ log clause
+t=$((t + 1))
+echo_i "testing RPZ log clause (${t})"
+add_test_marker 10.53.0.2
+run_server log
+cur=$(awk 'BEGIN {l=0} /^/ {l++} END { print l }' ns2/named.run)
+$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}
+$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >>dig.out.${t}
+$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >>dig.out.${t}
+sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.4.0.53.10.rpz-client-ip.log1" >/dev/null && {
+  echo_ic "failed: unexpected rewrite message for policy zone log1 was logged"
+  status=1
+}
+sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.3.0.53.10.rpz-client-ip.log2" >/dev/null || {
+  echo_ic "failed: expected rewrite message for policy zone log2 was not logged"
+  status=1
+}
+sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.2.0.53.10.rpz-client-ip.log3" >/dev/null || {
+  echo_ic "failed: expected rewrite message for policy zone log3 was not logged"
+  status=1
+}
+
+# Check wildcard behavior
+
+t=$((t + 1))
+echo_i "testing wildcard behavior with 1 RPZ zone (${t})"
+add_test_marker 10.53.0.2
+run_server wildcard1
+$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
+grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || {
+  echo_i "test ${t} failed"
+  status=1
+}
+$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
+grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null || {
+  echo_i "test ${t} failed"
+  status=1
+}
+
+t=$((t + 1))
+echo_i "testing wildcard behavior with 2 RPZ zones (${t})"
+add_test_marker 10.53.0.2
+run_server wildcard2
+$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
+grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || {
+  echo_i "test ${t} failed"
+  status=1
+}
+$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
+grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null || {
+  echo_i "test ${t} failed"
+  status=1
+}
+
+t=$((t + 1))
+echo_i "testing wildcard behavior with 1 RPZ zone and no non-wildcard triggers (${t})"
+add_test_marker 10.53.0.2
+run_server wildcard3
+$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
+grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || {
+  echo_i "test ${t} failed"
+  status=1
+}
+$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
+grep "status: NOERROR" dig.out.${t}.2 >/dev/null || {
+  echo_i "test ${t} failed"
+  status=1
+}
+
+t=$((t + 1))
+echo_i "testing wildcard passthru before explicit drop (${t})"
+add_test_marker 10.53.0.2
+run_server wildcard4
+$DIG $DIGOPTS example.com a @10.53.0.2 -p ${PORT} >dig.out.${t}.1
+grep "status: NOERROR" dig.out.${t}.1 >/dev/null || {
+  echo_i "test ${t} failed"
+  status=1
+}
+$DIG $DIGOPTS www.example.com a @10.53.0.2 -p ${PORT} >dig.out.${t}.2
+grep "status: NOERROR" dig.out.${t}.2 >/dev/null || {
+  echo_i "test ${t} failed"
+  status=1
+}
+
+if [ "$MODE" = "native" ]; then
+  # Check for invalid prefix length error
+  t=$((t + 1))
+  echo_i "testing for invalid prefix length error (${t})"
+  add_test_marker 10.53.0.2
+  run_server invalidprefixlength
+  grep "invalid rpz IP address \"1000.4.0.53.10.rpz-client-ip.invalidprefixlength\"; invalid prefix length of 1000$" ns2/named.run >/dev/null || {
+    echo_ic "failed: expected that invalid prefix length error would be logged"
+    status=1
+  }
+fi
+
+t=$((t + 1))
+echo_i "checking 'nsip-wait-recurse no' is faster than 'nsip-wait-recurse yes' ($t)"
+add_test_marker 10.53.0.2 10.53.0.3
+echo_i "timing 'nsip-wait-recurse yes' (default)"
+ret=0
+t1=$($PERL -e 'print time()."\n";')
+$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.yes.$t
+t2=$($PERL -e 'print time()."\n";')
+p1=$((t2 - t1))
+echo_i "elapsed time $p1 seconds"
+
+$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
+copy_setports ns3/named2.conf.in ns3/named.conf
+nextpart ns3/named.run >/dev/null
+$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
+wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
+
+echo_i "timing 'nsip-wait-recurse no'"
+t3=$($PERL -e 'print time()."\n";')
+$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.no.$t
+t4=$($PERL -e 'print time()."\n";')
+p2=$((t4 - t3))
+echo_i "elapsed time $p2 seconds"
+
+if test $p1 -le $p2; then ret=1; fi
+if test $ret != 0; then echo_i "failed"; fi
+status=$((status + ret))
+
+$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
+# restore original named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
+nextpart ns3/named.run >/dev/null
+$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
+wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
+
+t=$((t + 1))
+echo_i "checking 'nsdname-wait-recurse no' is faster than 'nsdname-wait-recurse yes' ($t)"
+add_test_marker 10.53.0.2 10.53.0.3
+echo_i "timing 'nsdname-wait-recurse yes' (default)"
+ret=0
+t1=$($PERL -e 'print time()."\n";')
+$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.yes.$t
+t2=$($PERL -e 'print time()."\n";')
+p1=$((t2 - t1))
+echo_i "elapsed time $p1 seconds"
+
+$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
+copy_setports ns3/named3.conf.in ns3/named.conf
+nextpart ns3/named.run >/dev/null
+$RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null
+wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
+
+echo_i "timing 'nsdname-wait-recurse no'"
+t3=$($PERL -e 'print time()."\n";')
+$DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.no.$t
+t4=$($PERL -e 'print time()."\n";')
+p2=$((t4 - t3))
+echo_i "elapsed time $p2 seconds"
+
+if test $p1 -le $p2; then ret=1; fi
+if test $ret != 0; then echo_i "failed"; fi
+status=$((status + ret))

 [ $status -eq 0 ] || exit 1
--- a/bin/tests/system/rpzrecurse/tests_sh_rpzrecurse_dnsrps.py
+++ b/bin/tests/system/rpzrecurse/tests_sh_rpzrecurse_dnsrps.py
@@ -0,0 +1,20 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import isctest.mark
+
+pytestmark = isctest.mark.dnsrps_enabled
+
+
+def test_rpzrecurse_dnsrps(run_tests_sh):
+    with open("dnsrps.conf", "w", encoding="utf-8") as conf:
+        conf.writelines(["dnsrps-enable yes;"])
+    run_tests_sh()