For rt26172:

Add
      - optional "recursive-only yes|no" to the response-policy statement
      - optional max-policy-ttl to limit the lies that "recursive-only no"
          can introduce into resolvers' caches
      - test that queries with RD=0 are not rewritten by default
      - performance smoke test

    Change encoding of PASSTHRU action to "rpz-passthru".
          (The old encoding is still accepted.)
    Fix rt26180  assert botch in zone_findrdataset() in this branch
         as well.

    Fix missing signatures on NOERROR results despite RPZ hits
        when there are signatures and the client asks for DNSSEC,

bin/tests/system/rpz/clean.sh

@@ -17,8 +17,8 @@
 
 # Clean up after rpz tests.
 
-rm -f proto.* dig.out* nsupdate.tmp
-rm -f  */named.memstats */named.run */named.rpz */session.key
-rm -f ns3/bl*.db */*.jnl */*.core */*.pid
-rm -f ns2/signed-tld2.db
-rm -f ns2/K*.private ns2/K*.key dsset-*
+rm -f proto.*  dsset-* random.data trusted.conf dig.out* nsupdate.tmp ns*/*tmp
+rm -f ns*/*.key ns*/*.private ns2/tld2s.db
+rm -f ns3/bl*.db ns*/*switch ns5/requests ns5/example.db ns5/bl.db ns5/*.perf
+rm -f */named.memstats */named.run */named.rpz */session.key
+rm -f */*.jnl */*.core */*.pid

bin/tests/system/rpz/ns1/root.db

@@ -23,12 +23,9 @@ ns.		A	10.53.0.1
 ; rewrite responses from this zone
 tld2.		NS	ns.tld2.
 ns.tld2.	A	10.53.0.2
-ns2.tld2.	A	10.53.0.2
 
-; rewrite responses from this zone unless dnssec requested
-signed-tld2.		NS	ns.signed-tld2.
-ns.signed-tld2.		A	10.53.0.2
-ns2.signed-tld2.	A	10.53.0.2
+; rewrite responses from this secure zone unless dnssec requested (DO=1)
+tld2s.		NS	ns.tld2.
 
 ; requests come from here
 tld3.		NS	ns.tld3.
@@ -37,4 +34,3 @@ ns.tld3.	A	10.53.0.3
 ; rewrite responses from this zone
 tld4.		NS	ns.tld4.
 ns.tld4.	A	10.53.0.4
-ns2.tld4.	A	10.53.0.4

bin/tests/system/rpz/ns2/base-tld2s.db

@@ -0,0 +1,31 @@
+; Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: base-tld2s.db,v 1.1.2.1 2012/02/24 17:22:37 vjs Exp $
+
+
+; RPZ rewrite responses from this signed zone
+
+$TTL	120
+@		SOA	tld2s.  hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )
+		NS	ns
+		NS	.			; check for RT 24985
+ns		A	10.53.0.2
+
+
+a0-1		A	192.168.0.1
+a0-1-scname	CNAME	a0-1.tld2.
+
+a3-5		A	192.168.3.5
+

bin/tests/system/rpz/ns2/named.conf

@@ -31,6 +31,7 @@ options {
 	notify no;
 };
 
+include "../trusted.conf";
 zone "." { type hint; file "hints"; };
 
 zone "tld2."		    {type master; file "tld2.db";};
@@ -40,4 +41,5 @@ zone "sub2.tld2."	    {type master; file "tld2.db";};
 zone "subsub.sub2.tld2."    {type master; file "tld2.db";};
 zone "sub3.tld2."	    {type master; file "tld2.db";};
 zone "subsub.sub3.tld2."    {type master; file "tld2.db";};
-zone "signed-tld2."	    {type master; file "signed-tld2.db";};
+
+zone "tld2s."		    {type master; file "tld2s.db";};

bin/tests/system/rpz/ns2/tld2.db

@@ -12,7 +12,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: tld2.db,v 1.4 2011/10/13 01:32:33 vjs Exp $
+; $Id: tld2.db,v 1.4.4.2 2012/02/24 17:22:37 vjs Exp $
 
 
 ; RPZ rewrite responses from this zone
@@ -20,10 +20,8 @@
 $TTL	120
 @		SOA	tld2.  hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )
 		NS	ns
-		NS	ns2
 		NS	.			; check for RT 24985
 ns		A	10.53.0.2
-ns2		A	10.53.0.2
 
 
 txt-only	TXT	"txt-only-tld2"
@@ -36,6 +34,8 @@ a12-cname	CNAME	a12
 a0-1		A	192.168.0.1
 		AAAA	2001:2::1
 		TXT	"a0-1 tld2 text"
+a0-1-scname	CNAME	a0-1.tld2s.
+
 
 a3-1		A	192.168.3.1
 		AAAA	2001:2:3::1
@@ -115,3 +115,8 @@ a5-3		A	192.168.5.3
 
 a5-4		A	192.168.5.4
 		TXT	"a5-4 tld2 text"
+
+a6-1		A	192.168.6.1
+		TXT	"a6-1 tld2 text"
+a6-2		A	192.168.6.2
+		TXT	"a6-2 tld2 text"

bin/tests/system/rpz/ns3/base.db

@@ -12,14 +12,17 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: base.db,v 1.6 2011/10/13 01:32:33 vjs Exp $
+; $Id: base.db,v 1.6.4.1 2011/10/15 23:03:38 vjs Exp $
 
 
 ; RPZ test
+;   This basic file is copied to several zone files before being used.
+;   Its contents are also changed with nsupdate
+
 
 $TTL	120
 @	SOA	blx.  hostmaster.ns.blx. ( 1 3600 1200 604800 60 )
-	NS	ns.tld.
+	NS	ns
 ns	A	10.53.0.3
 
 ; Poke the radix tree a little.
@@ -34,6 +37,6 @@ ns	A	10.53.0.3
 
 
 ; regression testing for some old crashes
-redirect	IN      A       127.0.0.1
-*.redirect	IN      A       127.0.0.1
-*.credirect	IN      CNAME   google.com.
+redirect	A       127.0.0.1
+*.redirect	A       127.0.0.1
+*.credirect	CNAME   google.com.

bin/tests/system/rpz/ns3/crash2

@@ -21,8 +21,8 @@ $TTL	120
 	NS	ns
 ns	A	10.53.0.3
 
-; #18 in test1, crashed new ASSERT() in rbtdb.c
-c1	A	172.16.1.1
+; #24 in test1, crashed new ASSERT() in rbtdb.c
+c1	A	172.16.1.24
 
 ; #16 in test2, crashed new ASSERT() in rbtdb.c
 c2	A	172.16.1.16

bin/tests/system/rpz/ns3/named.conf

@@ -17,6 +17,10 @@
 /* $Id: named.conf,v 1.5 2011/10/28 11:46:50 marka Exp $ */
 
 
+/*
+ * Main rpz test DNS server.
+ */
+
 options {
 	query-source address 10.53.0.3;
 	notify-source 10.53.0.3;
@@ -29,13 +33,13 @@ options {
 	notify no;
 
 	response-policy {
-	    zone "bl";
+	    zone "bl"					max-policy-ttl 100;
 	    zone "bl-2";
-	    zone "bl-given"	policy given;
+	    zone "bl-given"	policy given		recursive-only yes;
 	    zone "bl-passthru"	policy passthru;
-	    zone "bl-no-op"	policy no-op;	    # obsolete for passthru
+	    zone "bl-no-op"	policy no-op;		# obsolete for passthru
 	    zone "bl-disabled"	policy disabled;
-	    zone "bl-nodata"	policy nodata;
+	    zone "bl-nodata"	policy nodata		recursive-only no;
 	    zone "bl-nxdomain"	policy nxdomain;
 	    zone "bl-cname"	policy cname txt-only.tld2.;
 	    zone "bl-wildcname"	policy cname *.tld4.;
@@ -63,6 +67,7 @@ logging {
 };
 
 
+// include "../trusted.conf";
 zone "." { type hint; file "hints"; };
 
 zone "bl."		{type master; file "bl.db";

bin/tests/system/rpz/ns4/named.conf

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.2 2011/10/13 04:53:06 marka Exp $ */
+/* $Id: named.conf,v 1.2.6.1 2012/02/24 17:22:37 vjs Exp $ */
 
 controls { /* empty */ };
 
@@ -30,6 +30,7 @@ options {
 	notify no;
 };
 
+include "../trusted.conf";
 zone "." { type hint; file "hints"; };
 
 zone "tld4."		    {type master; file "tld4.db";};

bin/tests/system/rpz/ns4/tld4.db

@@ -12,16 +12,14 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: tld4.db,v 1.2 2011/10/13 04:53:07 marka Exp $
+; $Id: tld4.db,v 1.2.6.1 2012/02/24 17:22:37 vjs Exp $
 
 ; RPZ rewrite responses from this zone
 
 $TTL	120
 @		SOA	tld4.  hostmaster.ns.tld4. ( 1 3600 1200 604800 60 )
 		NS	ns
-		NS	ns2
 ns		A	10.53.0.4
-ns2		A	10.53.0.4
 
 
 txt-only	TXT	"txt-only-tld4"

bin/tests/system/rpz/ns5/hints

@@ -0,0 +1,19 @@
+; Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: hints,v 1.1.2.1 2011/10/15 23:00:04 vjs Exp $
+
+
+.	0	NS	ns1.
+ns1.	0	A	10.53.0.1

bin/tests/system/rpz/ns5/named.conf

@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.1.2.2 2012/02/24 17:22:38 vjs Exp $ */
+
+
+/*
+ * Test rpz performance.
+ */
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port 5300;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	notify no;
+
+	# Eventually turn rpz on.
+	include "rpz-switch";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-md5;
+};
+controls { inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; }; };
+
+
+include "../trusted.conf";
+zone "."		{type hint; file "hints"; };
+
+zone "example.com."	{type master; file "example.db"; };
+
+zone "bl."		{type master; file "bl.db"; };

bin/tests/system/rpz/qperf.sh

@@ -0,0 +1,27 @@
+#! /bin/sh
+#
+# Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: qperf.sh,v 1.1.2.1 2011/10/15 23:03:37 vjs Exp $
+
+for QDIR in `echo "$PATH" | tr : ' '` ../../../../contrib/queryperf; do
+    QPERF=$QDIR/queryperf
+    if test -f $QPERF -a -x $QPERF; then
+	echo $QPERF
+	exit 0
+    fi
+done
+
+exit 0

bin/tests/system/rpz/rpz.c

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rpz.c,v 1.3 2011/01/13 04:59:24 tbox Exp $ */
+/* $Id: rpz.c,v 1.3.226.1 2011/10/15 23:03:37 vjs Exp $ */
 
 #include <config.h>
 
@@ -39,7 +39,7 @@ main(int argc, char **argv)
 #else
 		return (1);
 #endif
-	    }
+	}
 
 	if (!strcasecmp(argv[1], "nsdname")) {
 #ifdef ENABLE_RPZ_NSDNAME
@@ -47,8 +47,8 @@ main(int argc, char **argv)
 #else
 		return (1);
 #endif
-	    }
+	}
 
-	    fputs(USAGE, stderr);
-	    return (1);
+	fputs(USAGE, stderr);
+	return (1);
 }

bin/tests/system/rpz/setup.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#! /bin/sh
 #
 # Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
@@ -16,16 +16,100 @@
 
 # $Id: setup.sh,v 1.6 2012/01/07 23:46:53 tbox Exp $
 
+set -e
+
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
-. ./clean.sh
 
-#  NO-OP is an obsolete synonym for PASSHTRU
+QPERF=`sh qperf.sh`
+
+sh clean.sh
+
+# set up test policy zones.  bl-2 is used to check competing zones.
+#	bl-{given,disabled,passthru,no-data,nxdomain,cname,wildcard,garden}
+#	are used to check policy overrides in named.conf.
+#	NO-OP is an obsolete synonym for PASSHTRU
 for NM in '' -2 -given -disabled -passthru -no-op -nodata -nxdomain -cname -wildcname -garden; do
     sed -e "/SOA/s/blx/bl$NM/g" ns3/base.db >ns3/bl$NM.db
 done
 
+# sign the root and a zone in ns2
 ../../../tools/genrandom 400 random.data
-$KEYGEN -Kns2 -q -r random.data -3 signed-tld2. > /dev/null 2>&1
-$KEYGEN -Kns2 -q -r random.data -3fk signed-tld2. > /dev/null 2>&1
-$SIGNER -S -Kns2 -o signed-tld2. -f ns2/signed-tld2.db ns2/tld2.db > /dev/null 2>&1
+
+# $1=directory, $2=domain name, $3=input zone file, $4=output file
+signzone () {
+    KEYNAME=`$KEYGEN -q -r random.data -b 512 -K $1 $2`
+    cat $1/$3 $1/$KEYNAME.key > $1/tmp
+    $SIGNER -Pp -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null
+    sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trusted-keys {"\1" \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
+    rm dsset-$2 $1/tmp
+}
+signzone ns2 tld2s. base-tld2s.db tld2s.db
+
+
+# Performance checks.
+# First with rpz off.
+cat <<EOF >ns5/rpz-switch
+response-policy {zone "bl";}
+    recursive-only no
+    max-policy-ttl 90
+    break-dnssec yes;
+EOF
+
+cat <<EOF >ns5/example.db
+\$TTL	120
+@	SOA	.  hostmaster.ns.example. ( 1 3600 1200 604800 60 )
+	NS	ns
+ns	A	10.53.0.5
+EOF
+
+cat <<EOF >ns5/bl.db
+\$TTL	120
+@		SOA	.  hostmaster.ns.blperf. ( 1 3600 1200 604800 60 )
+		NS	ns
+ns		A	10.53.0.5
+
+; used only in failure for "recursive-only no" in #8 test5
+a3-5.tld2	CNAME	*.
+; for "break-dnssec" in #9 test5
+a3-5.tld2s	CNAME	*.
+; for "max-policy-ttl 90" in test5
+a3-17.tld2	500 A	17.17.17.17
+
+; dummy NSDNAME policies to trigger lookups
+ns-1.example.com.rpz-nsdname	CNAME	.
+ns-2.example.com.rpz-nsdname	CNAME	.
+ns-3.example.com.rpz-nsdname	CNAME	.
+ns-4.example.com.rpz-nsdname	CNAME	.
+ns-5.example.com.rpz-nsdname	CNAME	.
+EOF
+
+if test -n "$QPERF"; then
+    # do not build the full zones if we will not use them to avoid the long
+    # time otherwise required to shut down the server
+    $PERL -e 'for ($val = 1; $val <= 65535; ++$val) {
+	printf("host-%d-%d\tA    192.168.%d.%d\n",
+		$val/256, $val%256, $val/256, $val%256);
+	}' >>ns5/example.db
+
+    echo >>ns5/bl.db
+    echo "; rewrite some names" >>ns5/bl.db
+    $PERL -e 'for ($val = 2; $val <= 65535; $val += 69) {
+	printf("host-%d.sub%d.example.com\tCNAME\t.\n", $val/256, $val%256);
+	}' >>ns5/bl.db
+
+    echo >>ns5/bl.db
+    echo "; rewrite with some not entirely trivial patricia trees" >>ns5/bl.db
+    $PERL -e 'for ($val = 3; $val <= 65535; $val += 69) {
+	printf("32.%d.%d.168.192.rpz-ip  \tCNAME\t.\n",
+		$val%256, $val/256);
+	printf("32.%d.%d.168.192.rpz-nsip\tCNAME\t.\n",
+		($val+1)%256, ($val+1)/256);
+	}' >>ns5/bl.db
+fi
+
+# some psuedo-random queryperf requests
+$PERL -e 'for ($cnt = $val = 1; $cnt <= 2000; ++$cnt) {
+	printf("host-%d.sub%d.example.com A\n", $val%256, $val/256);
+		$val = ($val * 9 + 32771) % 65536;
+	}' >ns5/requests

bin/tests/system/rpz/test1

@@ -25,13 +25,13 @@ server 10.53.0.3 5300
 ; QNAME tests
 
 ; NXDOMAIN
+;	2, 20, 25
 update add  a0-1.tld2.bl.	300 CNAME .
-update add  a0-1.signed-tld2.bl.	300 CNAME .
-;
 ; NODATA
+;	3, 21
 update add  a3-1.tld2.bl.	300 CNAME *.
 ; and no assert-botch
-;	5
+;	5, 22
 update add  a3-2.tld2.bl.	300 DNAME example.com.
 ;
 ; NXDOMAIN for a4-2-cname.tld2 via its target a4-2.tld2.
@@ -57,24 +57,32 @@ update add nxc2.sub1.tld2.bl.	300 CNAME a12-cname.tld2.
 ;
 ; prefer the first conflicting zone
 ;	13
-update add a4-4.tld2.bl.	300 A	127.0.0.1
+update add a4-4.tld2.bl.	300 A	127.4.4.1
+update add a6-1.tld2.bl.	300 CNAME a6-1.tld2.
+update add a6-2.tld2.bl.	300 A	127.6.2.1
+update add a6-1.tld2.bl.	300 A	127.6.1.1
+update add a6-2.tld2.bl.	300 CNAME a6-2.tld2.
 send
-update add a4-4.tld2.bl-2.	300 A	127.0.0.2
+update add a4-4.tld2.bl-2.	300 A	127.4.4.2
 send
-;
+
 ; wildcard CNAME
-;	14
-update add  a3-6.tld2.bl.	300 CNAME *.tld4.
-;	15
-update add  *.sub1.tld2.bl.	300 CNAME *.tld4.
-; CNAME chains
 ;	16
-update add  a4-5.tld2.bl.	300 A	127.0.0.16
+update add  a3-6.tld2.bl.	300 CNAME *.tld4.
 ;	17
+update add  *.sub1.tld2.bl.	300 CNAME *.tld4.
+; CNAME chain
+;	18
+update add  a4-5.tld2.bl.	300 A	127.0.0.16
+; stop at first hit in CNAME chain
+;	19
 update add  a4-6.tld2.bl.	300 CNAME .
 update add  a4-6-cname.tld2.bl.	300 A	127.0.0.17
-
-;	18
+;
+; assert in rbtdb.c
+;	24
 update	add c1.crash2.tld3.bl.	300 CNAME .
-
+; DO=1 without signatures, DO=0 with signatures are rewritten
+;	26 - 27
+update add  a0-1.tld2s.bl.	300 CNAME .
 send

bin/tests/system/rpz/test2

@@ -19,41 +19,54 @@
 ;	single requests
 ; Separate update requests for distinct TLDs with blank lines or 'send'
 ; End the file with a blank line or 'send'
+; CNAME targets are absolute even without trailing "."
 
 ; IP tests
 
 server 10.53.0.3 5300
 
 ; NODATA a3-1.tld2
+;	1
 update add  32.1.3.168.192.rpz-ip.bl	300 CNAME *.
 ;
-; NXDOMAIN for 192.168.4.0/24, the network of a4-1.tld2
+; NXDOMAIN for 192.168.4.0/24, the network of a4-1.tld2 and a4-2.tld2
+;	4
 update add  24.0.4.168.192.rpz-ip.bl	300 CNAME .
 ;
-; poke hole in NXDOMAIN CIDR block to leave a4-1.tld2 unchanged
+; old passthru in NXDOMAIN CIDR block to leave a4-1.tld2 unchanged
+;	3
 update add  32.1.4.168.192.rpz-ip.bl	300 CNAME 32.1.4.168.192
 ;
 ; NODATA for a4-3.tld2
+;	8
 update add  32.3.4.168.192.rpz-ip.bl	300 CNAME *.
 ;
 ; NXDOMAIN for IPv6 a3-1.tld2
+;	9
 update add  128.1.zz.3.2.2001.rpz-ip.bl	300 CNAME .
 ;
 ; apply the policy with the lexically smallest address of 192.168.5.1
 ; to an RRset of more than one A RR
+;	11
 update add  32.1.5.168.192.rpz-ip.bl	300 A	127.0.0.1
 update add  32.2.5.168.192.rpz-ip.bl	300 A	127.0.0.2
 ;
 ; prefer first conflicting IP zone for a5-3.tld2
+;	12
 update add 32.3.5.168.192.rpz-ip.bl	300 A	127.0.0.1
 send
 update add 32.3.5.168.192.rpz-ip.bl-2	300 A	127.0.0.2
 send
 
 ; prefer QNAME to IP for a5-4.tld2
+;	13
 update add 32.4.5.168.192.rpz-ip.bl	300 CNAME a12.tld2.
 update add a5-4.tld2.bl			300 CNAME a14.tld4.
 ;
+; poke hole in NXDOMAIN CIDR block to leave a4-4.tld2 unchanged
+;	15
+update add  32.4.4.168.192.rpz-ip.bl	300 CNAME rpz-passthru.
+;
 ; assert in rbtdb.c
 ;	16
 update add 32.16.1.16.172.rpz-ip.bl	300 CNAME .

bin/tests/system/rpz/test5

@@ -12,7 +12,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: test5,v 1.5 2011/10/13 01:32:33 vjs Exp $
+; $Id: test5,v 1.5.4.1 2012/02/24 17:22:37 vjs Exp $
 
 
 ; Use comment lines instead of blank lines to combine update requests into
@@ -24,22 +24,37 @@
 
 server 10.53.0.3 5300
 
+;	1
 update add  a3-1.tld2.bl-given.	    300 A 127.0.0.1
 send
+;	2
 update add  a3-2.tld2.bl-passthru.  300 A 127.0.0.2
 send
+;	3
 update add  a3-3.tld2.bl-no-op.	    300 A 127.0.0.3
 send
+;	4
 update add  a3-4.tld2.bl-disabled.  300 A 127.0.0.4
 send
+;	5 - 8
 update add  a3-5.tld2.bl-nodata.    300 A 127.0.0.5
+;	9 - 10
+update add  a3-5.tld2s.bl-nodata.   300 A 127.0.0.9
 send
-update add  a3-6.tld2.bl-nxdomain.  300 A 127.0.0.6
+;	11
+update add  a3-6.tld2.bl-nxdomain.  300 A 127.0.0.11
 send
-update add  a3-7.tld2.bl-cname.	    300 A 127.0.0.7
+;	12
+update add  a3-7.tld2.bl-cname.	    300 A 127.0.0.12
 send
-update add  a3-8.tld2.bl-wildcname. 300 A 127.0.0.8
-update add  *.sub9.tld2.bl-wildcname. 300 A 127.0.1.9
+;	13
+update add  a3-8.tld2.bl-wildcname. 300 A 127.0.0.13
+;	14
+update add  *.sub9.tld2.bl-wildcname. 300 A 127.0.1.14
 send
-update add  a3-10.tld2.bl-garden.    300 A 127.0.0.10
+;	15
+update add  a3-15.tld2.bl-garden.   300 A 127.0.0.15
+send
+;	16
+update add  a3-16.tld2.bl.	    300 A 127.0.0.16
 send

bin/tests/system/rpz/tests.sh

@@ -19,12 +19,12 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-ns1=10.53.0.1			    # root, defining the other two
-ns2=10.53.0.2			    # server whose answers are rewritten
-ns3=10.53.0.3			    # resolve that does the rewriting
-ns4=10.53.0.4			    # another server that is rewritten
-
-RNDCCMD="$RNDC -c ../common/rndc.conf -s $ns3 -p 9953"
+ns=10.53.0
+ns1=$ns.1			    # root, defining the others
+ns2=$ns.2			    # server whose answers are rewritten
+ns3=$ns.3			    # resolve that does the rewriting
+ns4=$ns.4			    # another server that is rewritten
+ns5=$ns.5			    # check performance with this server
 
 HAVE_CORE=
 
@@ -44,9 +44,18 @@ fi
 trap 'exit 1' 1 2 15
 
 
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s"
+
 digcmd () {
-    #echo I:dig +noadd +noauth +nosearch +time=1 +tries=1 -p 5300 $* 1>&2
-    $DIG +noadd +noauth +nosearch +time=1 +tries=1 -p 5300 $*
+    digcmd_args="+noadd +nosearch +time=1 +tries=1 -p 5300 $*"
+    if ! expr "$digcmd_args" : '.*@' >/dev/null; then
+	digcmd_args="$digcmd_args @$ns3"
+    fi
+    if ! expr "$digcmd_args" : '.*+[no]*auth' >/dev/null; then
+	digcmd_args="+noauth $digcmd_args"
+    fi
+    #echo I:dig $digcmd_args 1>&2
+    $DIG $digcmd_args
 }
 
 # set DIGNM=file name for dig output
@@ -77,20 +86,41 @@ load_db () {
 }
 
 restart () {
-    $RNDCCMD stop >/dev/null 2>&1
-    rm -f ns3/*.jnl
-    for NM in ns3/bl*.db; do
-	cp -f ns3/base.db $NM
-    done
-    (cd ..; $PERL start.pl --noclean --restart rpz ns3)
+    # try to ensure that the server really has stopped
+    # and won't mess with ns$1/name.pid
+    if test -z "$HAVE_CORE" -a -f ns$1/named.pid; then
+	$RNDCCMD $ns$1 halt >/dev/null 2>&1
+	if test -f ns$1/named.pid; then
+	    sleep 1
+	    PID=`cat ns$1/named.pid 2>/dev/null`
+	    if test -n "$PID"; then
+		echo "I:killing ns$1 server $PID"
+		kill -9 $PID
+	    fi
+	fi
+    fi
+    rm -f ns$1/*.jnl
+    if test -f ns$1/base.db; then
+	for NM in ns$1/bl*.db; do
+	    cp -f ns$1/base.db $NM
+	done
+    fi
+    $PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns$1
     load_db
 }
 
+# $1=server and irrelevant args  $2=error message
 ckalive () {
-    $RNDCCMD status >/dev/null 2>&1 && return 0
+    CKALIVE_NS=`expr "$1" : '.*@ns\([1-9]\).*'`
+    if test -z "$CKALIVE_NS"; then
+	CKALIVE_NS=3
+    fi
+    eval CKALIVE_IP=\$ns$CKALIVE_NS
+    $RNDCCMD $CKALIVE_IP status >/dev/null 2>&1 && return 0
     HAVE_CORE=yes
-    setret "$1"
-    restart
+    setret "$2"
+    # restart the server to avoid stalling waiting for it to stop
+    restart $CKALIVE_NS
     return 1
 }
 
@@ -113,15 +143,29 @@ end_group () {
 	sed -e 's/[	 ]add[	 ]/ delete /' $TEST_FILE | $NSUPDATE
 	TEST_FILE=
     fi
+    ckalive $ns3 "I:failed; ns3 server crashed and restarted"
+    if test "$status" -eq 0; then
+	# look for complaints from rpz.c
+	EMSGS=`grep -l 'invalid rpz' */*.run`
+	if test -n "$EMSGS"; then
+	    setret "I:'invalid rpz' complaints in $EMSGS starting with:"
+	    grep 'invalid rpz' */*.run | sed -e '4,$d' -e 's/^/I:    /'
+	fi
+	# look for complaints from rpz.c and query.c
+	EMSGS=`grep -l 'rpz .*failed' */*.run`
+	if test -n "$EMSGS"; then
+	    setret "I:'rpz failed' complaints in $EMSGS starting with:"
+	    grep 'rpz .*failed' */*.run | sed -e '4,$d' -e 's/^/I:    /'
+	fi
+    fi
     status=`expr $status + $ret`
-    ckalive "I:failed; server crashed"
     GROUP_NM=
 }
 
 # $1=dig args $2=other dig output file
 ckresult () {
-    #ckalive "I:server crashed by 'dig $1'" || return 1
-    if $PERL ../digcomp.pl $DIGNM $2 >/dev/null; then
+    #ckalive "$1" "I:server crashed by 'dig $1'" || return 1
+    if $PERL $SYSTEMTESTTOP/digcomp.pl $DIGNM $2 >/dev/null; then
 	rm -f ${DIGNM}*
 	return 0
     fi
@@ -132,8 +176,8 @@ ckresult () {
 # check only that the server does not crash
 # $1=target domain  $2=optional query type
 nocrash () {
-    digcmd $* @$ns3 >/dev/null
-    ckalive "I:server crashed by 'dig $*'"
+    digcmd $* >/dev/null
+    ckalive "$*" "I:server crashed by 'dig $*'"
 }
 
 
@@ -141,8 +185,10 @@ nocrash () {
 # $1=target domain  $2=optional query type
 nxdomain () {
     make_dignm
-    digcmd +noauth $* @$ns3						\
-	| sed -e 's/^[a-z].*	IN	CNAME	/;xxx &/' >$DIGNM
+    digcmd $*								\
+	| sed -e 's/^[a-z].*	IN	CNAME	/;xxx &/'		\
+		-e 's/^[a-z].*	IN	RRSIG	/;xxx &/'		\
+	    >$DIGNM
     ckresult "$*" proto.nxdomain
 }
 
@@ -150,33 +196,37 @@ nxdomain () {
 # $1=target domain  $2=optional query type
 nodata () {
     make_dignm
-    digcmd +noauth $* @$ns3						\
+    digcmd $*								\
 	| sed -e 's/^[a-z].*	IN	CNAME	/;xxx &/' >$DIGNM
     ckresult "$*" proto.nodata
 }
 
 # check rewrite to an address
 #   modify the output so that it is easily compared, but save the original line
-# $1=IPv4 address, $2=target domain  $3=optional query type
+# $1=IPv4 address  $2=digcmd args  $3=optional TTL
 addr () {
     ADDR=$1
-    shift
-    ADDR_ESC=`echo "$ADDR" | sed -e 's/\./\\\\./g'`
     make_dignm
-    digcmd +noauth $* @$ns3 >$DIGNM
-    #ckalive "I:server crashed by 'dig $*'" || return
-    if grep -i '^[a-z].*	A	'"$ADDR_ESC"'$' $DIGNM >/dev/null; then
-	rm -f ${DIGNM}*
-	return 0
+    digcmd $2 >$DIGNM
+    #ckalive "$2" "I:server crashed by 'dig $2'" || return 1
+    ADDR_ESC=`echo "$ADDR" | sed -e 's/\./\\\\./g'`
+    ADDR_TTL=`sed -n -e  "s/^[-.a-z0-9]\{1,\}	*\([0-9]*\)	IN	A\{1,4\}	${ADDR_ESC}\$/\1/p" $DIGNM`
+    if test -z "$ADDR_TTL"; then
+	setret "I:'dig $2' wrong; no address $ADDR record in $DIGNM"
+	return 1
     fi
-    setret "I:'dig $*' wrong; no A $ADDR record in $DIGNM $2"
+    if test -n "$3" && test "$ADDR_TTL" -ne "$3"; then
+	setret "I:'dig $2' wrong; TTL=$ADDR_TTL instead of $3 in $DIGNM"
+	return 1
+    fi
+    rm -f ${DIGNM}*
 }
 
 # check that a response is not rewritten
 # $1=target domain  $2=optional query type
 nochange () {
     make_dignm
-    digcmd $* @$ns3 >$DIGNM
+    digcmd $* >$DIGNM
     digcmd $* @$ns2 >${DIGNM}_OK
     ckresult "$*" ${DIGNM}_OK && rm -f ${DIGNM}_OK
 }
@@ -185,23 +235,23 @@ nochange () {
 here () {
     make_dignm
     sed -e 's/^[	 ]*//' >${DIGNM}_OK
-    digcmd $* @$ns3 >$DIGNM
+    digcmd $* >$DIGNM
     ckresult "$*" ${DIGNM}_OK
 }
 
 # make prototype files to check against rewritten results
-digcmd +noauth nonexistent @$ns2 >proto.nxdomain
-digcmd +noauth txt-only.tld2 @$ns2 >proto.nodata
+digcmd nonexistent @$ns2 >proto.nxdomain
+digcmd txt-only.tld2 @$ns2 >proto.nodata
 
 
 status=0
 
 start_group "QNAME rewrites" test1
-nochange .
-nxdomain a0-1.tld2
-nodata a3-1.tld2
-nodata a3-2.tld2
-nodata sub.a3-2.tld2			# 5 no crash on DNAME
+nochange .				# 1 do not crash or rewrite root
+nxdomain a0-1.tld2			# 2
+nodata a3-1.tld2			# 3
+nodata a3-2.tld2			# 4 no crash on DNAME
+nodata sub.a3-2.tld2
 nxdomain a4-2.tld2			# 6 rewrite based on CNAME target
 nxdomain a4-2-cname.tld2		# 7
 nodata a4-3-cname.tld2			# 8
@@ -209,32 +259,43 @@ addr 12.12.12.12  a4-1.sub1.tld2	# 9 A replacement
 addr 12.12.12.12  a4-1.sub2.tld2	# 10 A replacement with wildcard
 addr 12.12.12.12  nxc1.sub1.tld2	# 11 replace NXDOMAIN with CNAME
 addr 12.12.12.12  nxc2.sub1.tld2	# 12 replace NXDOMAIN with CNAME chain
-addr 127.0.0.1	  a4-4.tld2		# 13 prefer 1st conflicting QNAME zone
-addr 56.56.56.56  a3-6.tld2		# 14 wildcard CNAME
-addr 57.57.57.57  a3-7.sub1.tld2	# 15 wildcard CNAME
-addr 127.0.0.16	  a4-5-cname3.tld2	# 16 CNAME chain
-addr 127.0.0.17	  a4-6-cname3.tld2	# 17 stop short in CNAME chain
-nxdomain c1.crash2.tld3			# 18 assert in rbtdb.c
-nochange a0-1.tld2      +norecurse
-nxdomain a0-1.tld2      +dnssec
-nxdomain a0-1.signed-tld2
-nochange a0-1.signed-tld2       +dnssec
+addr 127.4.4.1	  a4-4.tld2		# 13 prefer 1st conflicting QNAME zone
+nochange a6-1.tld2			# 14
+addr 127.6.2.1	  a6-2.tld2		# 15
+addr 56.56.56.56  a3-6.tld2		# 16 wildcard CNAME
+addr 57.57.57.57  a3-7.sub1.tld2	# 17 wildcard CNAME
+addr 127.0.0.16	  a4-5-cname3.tld2	# 18 CNAME chain
+addr 127.0.0.17	  a4-6-cname3.tld2	# 19 stop short in CNAME chain
+nochange a0-1.tld2	    +norecurse	# 20 check that RD=1 is required
+nochange a3-1.tld2	    +norecurse	# 21
+nochange a3-2.tld2	    +norecurse	# 22
+nochange sub.a3-2.tld2	    +norecurse	# 23
+nxdomain c1.crash2.tld3			# 24 assert in rbtdb.c
+nxdomain a0-1.tld2	    +dnssec	# 25 simple DO=1 without signatures
+nxdomain a0-1.tld2s			# 26 simple DO=0 with signatures
+nochange a0-1.tld2s	    +dnssec	# 27 simple DO=1 with signatures
+nxdomain a0-1s-cname.tld2s  +dnssec	# 28 DNSSEC too early in CNAME chain
+nochange a0-1-scname.tld2   +dnssec	# 29 DNSSEC on target in CNAME chain
+nochange a0-1.tld2s srv +auth +dnssec	# 30 no write for +DNSSEC and no record
+nxdomain a0-1.tld2s srv			# 31
 end_group
 
 start_group "IP rewrites" test2
-nodata a3-1.tld2
-nochange a3-2.tld2
-nochange a4-1.tld2
-nxdomain a4-2.tld2
-nochange a4-2.tld2 -taaaa
-nochange a4-2.tld2 -ttxt
-nxdomain a4-2.tld2 -tany
-nodata a4-3.tld2
-nxdomain a3-1.tld2 -tAAAA
-nochange a4-1-aaaa.tld2 -tAAAA
+nodata a3-1.tld2			# 1 NODATA
+nochange a3-2.tld2			# 2 no policy record so no change
+nochange a4-1.tld2			# 3 obsolete PASSTHRU record style
+nxdomain a4-2.tld2			# 4
+nochange a4-2.tld2 -taaaa		# 5 no A => no policy rewrite
+nochange a4-2.tld2 -ttxt		# 6 no A => no policy rewrite
+nxdomain a4-2.tld2 -tany		# 7 no A => no policy rewrite
+nodata a4-3.tld2			# 8
+nxdomain a3-1.tld2 -taaaa		# 9 IPv6 policy
+nochange a4-1-aaaa.tld2 -taaaa		# 10
 addr 127.0.0.1	 a5-1-2.tld2		# 11 prefer smallest policy address
 addr 127.0.0.1	 a5-3.tld2		# 12 prefer first conflicting IP zone
 addr 14.14.14.14 a5-4.tld2		# 13 prefer QNAME to IP
+nochange a5-4.tld2	    +norecurse	# 14 check that RD=1 is required
+nochange a4-4.tld2			# 15 PASSTHRU
 nxdomain c2.crash2.tld3			# 16 assert in rbtdb.c
 end_group
 
@@ -256,7 +317,7 @@ end_group
 if ./rpz nsdname; then
     start_group "NSDNAME rewrites" test3
     nochange a3-1.tld2
-    nochange a3-1.tld2 +dnssec		# 2 this once caused problems
+    nochange a3-1.tld2	    +dnssec	# 2 this once caused problems
     nxdomain a3-1.sub1.tld2		# 3 NXDOMAIN *.sub1.tld2 by NSDNAME
     nxdomain a3-1.subsub.sub1.tld2
     nxdomain a3-1.subsub.sub1.tld2 -tany
@@ -284,21 +345,29 @@ else
 fi
 
 # policies in ./test5 overridden by response-policy{} in ns3/named.conf
+#   and in ns5/named.conf
 start_group "policy overrides" test5
 addr 127.0.0.1 a3-1.tld2		# 1 bl-given
 nochange a3-2.tld2			# 2 bl-passthru
 nochange a3-3.tld2			# 3 bl-no-op	obsolete for passthru
 nochange a3-4.tld2			# 4 bl-disabled
 nodata a3-5.tld2			# 5 bl-nodata
-nxdomain a3-6.tld2			# 6 bl-nxdomain
-here +noauth a3-7.tld2 -tany <<'EOF'	# 7 bl_cname
+nodata a3-5.tld2    +norecurse		# 6 bl-nodata	    recursive-only no
+nodata a3-5.tld2			# 7 bl-nodata
+nodata a3-5.tld2    +norecurse	@$ns5	# 8 bl-nodata	    recursive-only no
+nodata a3-5.tld2s		@$ns5	# 9 bl-nodata
+nodata a3-5.tld2s   +dnssec	@$ns5	# 10 bl-nodata	    break-dnssec
+nxdomain a3-6.tld2			# 11 bl-nxdomain
+here a3-7.tld2 -tany <<'EOF'
     ;; status: NOERROR, x
-    a3-7.tld2.	    300 IN	CNAME   txt-only.tld2.
-    txt-only.tld2.  120 IN	TXT     "txt-only-tld2"
+    a3-7.tld2.	    x	IN	CNAME   txt-only.tld2.
+    txt-only.tld2.  x	IN	TXT     "txt-only-tld2"
 EOF
-addr 58.58.58.58 a3-8.tld2		# 8 bl_wildcname
-addr 59.59.59.59 a3-9.sub9.tld2		# 9 bl_wildcname
-addr 12.12.12.12 a3-10.tld2		# 10 bl-garden
+addr 58.58.58.58 a3-8.tld2		# 13 bl_wildcname
+addr 59.59.59.59 a3-9.sub9.tld2		# 14 bl_wildcname
+addr 12.12.12.12 a3-15.tld2		# 15 bl-garden	via CNAME to a12.tld2
+addr 127.0.0.16 a3-16.tld2	    100	# 16 bl		    max-policy-ttl 100
+addr 17.17.17.17 "a3-17.tld2 @$ns5" 90	# 17 ns5 bl	    max-policy-ttl 90
 end_group
 
 # check that miscellaneous bugs are still absent
@@ -312,12 +381,61 @@ for Q in RRSIG SIG ANY 'ANY +dnssec'; do
 done
 end_group
 
-# restart the server to see if that creates a core file
-if test -z "$HAVE_CORE"; then
-    $RNDCCMD halt
-    restart
-    test -s ns3/named.core && setret "I:found stray core file; memory leak?"
+
+# superficial test for major performance bugs
+QPERF=`sh qperf.sh`
+if test -n "$QPERF"; then
+    perf () {
+	echo "I:checking performance $1"
+	# don't measure the costs of -d99
+	$RNDCCMD $ns5 notrace >/dev/null
+	$QPERF -1 -l2 -d ns5/requests -s $ns5 -p 5300 >ns5/$2.perf
+	ckalive $ns5 "I:failed; server #5 crashed"
+    }
+    trim () {
+	sed -n -e 's/.*Queries per second: *\([0-9]*\).*/\1/p' ns5/$1.perf
+    }
+
+    # Dry run to prime disk cache
+    #	Otherwise a first test of either flavor is 25% low
+    perf 'to prime disk cache' rpz
+
+    # get queries/second with rpz
+    perf 'with rpz' rpz
+
+    # turn off rpz and measure queries/second again
+    # Don't wait for a clean stop.  Clean stops of this server need seconds
+    # until the sockets are close.  5 or 10 seconds after that, the
+    # server really stops and deletes named.pid.
+    echo "# rpz off" >ns5/rpz-switch
+    PID=`cat ns5/named.pid`
+    test -z "$PID" || kill -9 "$PID"
+    $PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns5
+    perf 'without rpz' norpz
+
+    NORPZ=`trim norpz`
+    RPZ=`trim rpz`
+    echo "I:$RPZ qps with RPZ versus $NORPZ qps without"
+
+    # fail if RPZ costs more than 100%
+    NORPZ2=`expr "$NORPZ" / 2`
+    if test "$RPZ" -le "$NORPZ2"; then
+	echo "I:rpz $RPZ qps too far below non-RPZ $NORPZ qps"
+	status=`expr $status + 1`
+    fi
+else
+    echo "I:performance not checked; queryperf not available"
 fi
 
+
+# restart the main test RPZ server to see if that creates a core file
+if test -z "$HAVE_CORE"; then
+    $PERL $SYSTEMTESTTOP/stop.pl . ns3
+    restart 3
+    HAVE_CORE=`find ns* -name '*core*' -print`
+    test -z "$HAVE_CORE" || setret "I:found $HAVE_CORE; memory leak?"
+fi
+
+
 echo "I:exit status: $status"
 exit $status