Test for EDE option 18 in allow-query test

If a query is refused because of an ACL error, check that the extended DNS error "Prohibited (18)" is set.
2021-10-28 15:13:31 +02:00
parent ca7f2fd903
commit f14964a1b1
1 changed files with 31 additions and 0 deletions
--- a/bin/tests/system/allow-query/tests.sh
+++ b/bin/tests/system/allow-query/tests.sh
@@ -91,6 +91,7 @@ echo_i "test $n: none - query refused"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -117,6 +118,7 @@ echo_i "test $n: address not allowed - query refused"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -130,6 +132,7 @@ echo_i "test $n: address disallowed - query refused"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -156,6 +159,7 @@ echo_i "test $n: acl not allowed - query refused"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -170,6 +174,7 @@ echo_i "test $n: acl disallowed - query refused"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -196,6 +201,7 @@ echo_i "test $n: key not allowed - query refused"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -209,6 +215,7 @@ echo_i "test $n: key disallowed - query refused"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -251,6 +258,7 @@ echo_i "test $n: views none - query refused"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -277,6 +285,7 @@ echo_i "test $n: views address not allowed - query refused"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -290,6 +299,7 @@ echo_i "test $n: views address disallowed - query refused"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -316,6 +326,7 @@ echo_i "test $n: views acl not allowed - query refused"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -329,6 +340,7 @@ echo_i "test $n: views acl disallowed - query refused"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -355,6 +367,7 @@ echo_i "test $n: views key not allowed - query refused"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -368,6 +381,7 @@ echo_i "test $n: views key disallowed - query refused"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -394,6 +408,7 @@ echo_i "test $n: views over options, views disallow - query refused"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -431,6 +446,7 @@ echo_i "test $n: zone none - query refused"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.none.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.none.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -451,6 +467,7 @@ echo_i "test $n: zone address not allowed - query refused"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrnotallow.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.addrnotallow.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -461,6 +478,7 @@ echo_i "test $n: zone address disallowed - query refused"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrdisallow.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.addrdisallow.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -481,6 +499,7 @@ echo_i "test $n: zone acl not allowed - query refused"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.aclnotallow.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -491,6 +510,7 @@ echo_i "test $n: zone acl disallowed - query refused"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.acldisallow.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.acldisallow.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -511,6 +531,7 @@ echo_i "test $n: zone key not allowed - query refused"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -521,6 +542,7 @@ echo_i "test $n: zone key disallowed - query refused"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -547,6 +569,7 @@ echo_i "test $n: views over options, views disallow - query refused"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -573,6 +596,7 @@ echo_i "test $n: zones over views, views disallow - query refused"
 ret=0
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -589,6 +613,7 @@ grep 'status: NOERROR' dig.out.ns2.1.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.1.$n > /dev/null || ret=1
 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.2.$n > /dev/null || ret=1
 grep '^a.aclnotallow.example' dig.out.ns2.2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -601,6 +626,7 @@ $DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 a.normal.example a > dig.out.ns3.1.$n
 grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1
 $DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 a.normal.example a > dig.out.ns3.2.$n
 grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

@@ -612,6 +638,7 @@ $DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 ns . > dig.out.ns3.1.$n
 grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1
 $DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 ns . > dig.out.ns3.2.$n
 grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

@@ -647,6 +674,7 @@ grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1
 $DIG -p ${PORT} @10.53.1.2 a.normal.example a > dig.out.ns3.2.$n
 grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1
 grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1
 # this should require recursion and should be allowed
 $DIG -p ${PORT} @10.53.0.3 c.normal.example a > dig.out.ns3.3.$n
 grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1
@@ -654,6 +682,7 @@ grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1
 $DIG -p ${PORT} @10.53.1.2 d.normal.example a > dig.out.ns3.4.$n
 grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1
 grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

@@ -671,6 +700,7 @@ grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1
 $DIG -p ${PORT} @10.53.1.2 a.normal.example a > dig.out.ns3.2.$n
 grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1
 grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1
 # this should require recursion and should be allowed
 $DIG -p ${PORT} @10.53.0.3 e.normal.example a > dig.out.ns3.3.$n
 grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1
@@ -678,6 +708,7 @@ grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1
 $DIG -p ${PORT} @10.53.1.2 f.normal.example a > dig.out.ns3.4.$n
 grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1
 grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`