moved 9.8.5rc1

(cherry picked from commit 3a6d62c59f)

CHANGES

@@ -1,3 +1,120 @@
+	--- 9.8.5rc1 released ---
+
+3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]
+
+3544.	[contrib]	check5011.pl: Script to report the status of
+			managed keys as recorded in managed-keys.bind.
+			Contributed by Tony Finch <dot@dotat.at>
+
+3543.	[bug]		Update socket stucture before attaching to socket
+			manager after accept. [RT #33084]
+
+3542.	[bug]		masterformat system test was broken. [RT #33086]
+
+3541.	[bug]		Parts of libdns were not properly initialized when
+			built in libexport mode. [RT #33028]
+
+3540.	[test]		libt_api: t_info and t_assert were not thread safe.
+
+3539.	[port]		win32: timestamp format didn't match other platforms.
+
+3538.	[test]		Running "make test" now requires loopback interfaces
+			to be set up. [RT #32452]
+
+3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
+			to peers before being dumped to disk rather than
+			after. [RT #27242]
+
+3535.	[bug]		Minor win32 cleanups. [RT #32962]
+
+3534.	[bug]		Extra text after an embedded NULL was ignored when
+			parsing zone files. [RT #32699]
+
+3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]
+
+3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]
+
+3531.	[bug]		win32: A uninitialized value could be returned on out
+			of memory. [RT #32960]
+
+3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]
+
+3526.	[cleanup]	Set up dependencies for unit tests correctly during
+			build. [RT #32803]
+
+3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]
+
+3520.	[bug]		'mctx' was not being referenced counted in some places
+			where it should have been.  [RT #32794]
+
+	--- 9.8.5b2 released ---
+
+3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]
+
+3515.	[port]		'%T' is not portable in strftime(). [RT #32763]
+
+3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
+			rndc-confgen were too constrained. Keys up to 512
+			bits are now allowed for most algorithms, and up
+			to 1024 bits for hmac-sha384 and hmac-sha512.
+			[RT #32753]
+
+3509.	[cleanup]	Added a product line to version file to allow for
+			easy naming of different products (BIND
+			vs BIND ESV, for example). [RT #32755]
+
+3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
+			[RT #32338]
+
+3503.	[doc]		Clarify size_spec syntax. [RT #32449]
+
+3500.	[security]	Support NAPTR regular expression validation on
+			all platforms without using libregex, which
+			can be vulnerable to memory exhaustion attack
+			(CVE-2013-2266). [RT #32688]
+
+3499.	[doc]		Corrected ARM documentation of built-in zones.
+			[RT #32694]
+
+3498.	[bug]		zone statistics for zones which matched a potential
+			empty zone could have their zone-statistics setting
+			overridden.
+
+3496.	[func]		Improvements to RPZ performance. The "response-policy"
+			syntax now includes a "min-ns-dots" clause, with
+			default 1, to exclude top-level domains from
+			NSIP and NSDNAME checking. --enable-rpz-nsip and
+			--enable-rpz-nsdname are now the default. [RT #32251]
+
+3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
+			When cloning a rdataset do not copy the link contents.
+			[RT #32651]
+
+3488.	[bug]		Use after free error with DH generated keys. [RT #32649]
+
+3487.	[bug]		Change 3444 was not complete.  There was a additional
+			place where the NOQNAME proof needed to be saved.
+			[RT #32629]
+
+3486.	[bug]		named could crash when using TKEY-negotiated keys
+			that had been deleted and then recreated. [RT #32506]
+
+3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.
+
+3481.	[cleanup]	removed use of const const in atf
+
+3479.	[bug]		Address potential memory leaks in gssapi support
+			code. [RT #32405]
+
+3478.	[port]		Fix a build failure in strict C99 environments
+			[RT #32475]
+
+3474.	[bug]		nsupdate could assert when the local and remote
+			address families didn't match. [RT #22897]
+
+3470.	[bug]		Slave zones could fail to dump when successfully
+			refreshing after an initial failure. [RT #31276]
+
 	--- 9.8.5b1 released ---
 
 3468.	[security]	RPZ rules to generate A records (but not AAAA records)
@@ -6,13 +123,13 @@
 
 3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
 			to check for delete date < inactive date. [RT #31719]
-	
+
 3465.	[bug]		Handle isolated reserved ports. [RT #31778]
 
 3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
 			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]
 
-3463.	[doc]		Clarify managed-keys syntax in ARM. [RT 32232]
+3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]
 
 3462.	[doc]		Clarify server selection behavior of dig when using
 			-4 or -6 options. [RT #32181]

EXCLUDED

@@ -1,3 +1,62 @@
+3511.	[doc]		Improve documentation of redirect zones. [RT #32756]
+
+3507.	[bug]		Statistics channel XSL had a glitch when attempting
+			to chart query data before any queries had been
+			received. [RT #32620]
+
+3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
+			larger values than 4 gigabytes could not be set
+			explicitly, though larger sizes were available
+			when setting cache size to 0. This has been
+			corrected; the full range is now available.
+			[RT #32358]
+
+3493.	[contrib]	Added BDBHPT dynamically-lodable DLZ module,
+			contributed by Mark Goldfinch. [RT #32549]
+
+3492.	[bug]		Fixed a regression in zone loading performance
+			due to lock contention. [RT #30399]
+
+3491.	[bug]		Slave zones using inline-signing must specify a
+			file name. [RT #31946]
+
+3490.	[bug]		When logging RDATA during update, truncate if it's
+                        too long. [RT #32365]
+
+3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
+			When cloning a rdataset do not copy the link contents.
+			[RT #32651]
+
+3484.	[bug]		Some statistics were incorrectly rendered in XML.
+			[RT #32587]
+
+3480.	[bug]		Silence logging noise when setting up zone
+			statistics. [RT #32525]
+
+3476.	[bug]		"rndc zonestatus" could report a spurious "not
+			found" error on inline-signing zones. [RT #29226]
+
+3475.	[cleanup]	Changed name of 'map' zone file format (previously
+			'fast'). [RT #32458]
+
+3473.	[bug]		dnssec-signzone/verify could incorrectly report
+			an error condition due to an empty node above an
+			opt-out delegation lacking an NSEC3. [RT #32072]
+
+3472.	[bug]		The active-connections counter in the socket
+			statistics could underflow. [RT #31747]
+
+3471.	[bug]		The number of UDP dispatches now defaults to
+			the number of CPUs even if -n has been set to
+			a higher value. [RT #30964]
+
+3469.	[bug]		Handle DLZ lookup failures more gracefully. Improve
+			backward compatibility between versions of DLZ dlopen
+			API. [RT #32275]
+
+3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
+			in DLZ example driver. [RT #32275]
+
 3460.	[bug]		Only link against readline where needed. [RT #29810]
 
 3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'

FAQ

@@ -1,6 +1,6 @@
 Frequently Asked Questions about BIND 9
 
-Copyright © 2004-2010 Internet Systems Consortium, Inc. ("ISC")
+Copyright © 2004-2010, 2013 Internet Systems Consortium, Inc. ("ISC")
 
 Copyright © 2000-2003 Internet Software Consortium.
 
@@ -869,7 +869,7 @@ A: If you run Tiger(Mac OS 10.4) or later then this is all you need to do:
    Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.:
 
    key "rndc-key" {
-           algorithm hmac-md5;
+           algorithm hmac-sha256;
            secret "uvceheVuqf17ZwIcTydddw==";
    };
 

FAQ.xml

@@ -1,7 +1,7 @@
 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
        "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
 <!--
- - Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010, 2013  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -30,6 +30,7 @@
       <year>2008</year>
       <year>2009</year>
       <year>2010</year>
+      <year>2013</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -1564,7 +1565,7 @@ rand_irqs="3 14 15"</programlisting>
 	<informalexample>
 	  <programlisting>
 key "rndc-key" {
-	algorithm hmac-md5;
+	algorithm hmac-sha256;
 	secret "uvceheVuqf17ZwIcTydddw==";
 };</programlisting>
 	</informalexample>

Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -61,9 +61,21 @@ tags:
 	rm -f TAGS
 	find lib bin -name "*.[ch]" -print | @ETAGS@ -
 
-check: test
+test check:
+	@if test -n "`${PERL} ${top_srcdir}/bin/tests/system/testsock.pl 2>&- || echo fail`"; then \
+	echo I: NOTE: The tests were not run because they require that; \
+	echo I:	the IP addresses 10.53.0.1 through 10.53.0.8 are configured; \
+	echo I:	as alias addresses on the loopback interface.  Please run; \
+	echo I:	\'bin/tests/system/ifconfig.sh up\' as root to configure; \
+	echo I:	them, then rerun the tests. Run make force-test to run the; \
+	echo I:	tests anyway.; \
+	exit 1; \
+	fi
+	${MAKE} test-force
 
-test:
+force-test: test-force
+
+test-force:
 	status=0; \
 	(cd bin/tests && ${MAKE} ${MAKEDEFS} test) || status=1; \
 	(test -f unit/unittest.sh && $(SHELL) unit/unittest.sh) || status=1; \

README

@@ -54,7 +54,7 @@ BIND 9
 BIND 9.8.5
 
         BIND 9.8.5 includes several bug fixes and patches security
-        flaws described in CVE-2012-5688 and CVE-2012-5689.
+        flaws described in CVE-2012-5688, CVE-2012-5689 and CVE-2013-2266.
 
 BIND 9.8.4
 

bin/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -19,7 +19,7 @@ srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-SUBDIRS =	named rndc dig dnssec tests tools nsupdate \
+SUBDIRS =	named rndc dig dnssec tools tests nsupdate \
 		check confgen @PKCS11_TOOLS@
 TARGETS =
 

bin/confgen/keygen.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -126,29 +126,17 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
 
 	switch (alg) {
 	    case DST_ALG_HMACMD5:
-	    case DST_ALG_HMACSHA512:
+	    case DST_ALG_HMACSHA1:
+	    case DST_ALG_HMACSHA224:
+	    case DST_ALG_HMACSHA256:
 		if (keysize < 1 || keysize > 512)
 			fatal("keysize %d out of range (must be 1-512)\n",
 			      keysize);
 		break;
-	    case DST_ALG_HMACSHA256:
-		if (keysize < 1 || keysize > 256)
-			fatal("keysize %d out of range (must be 1-256)\n",
-			      keysize);
-		break;
-	    case DST_ALG_HMACSHA1:
-		if (keysize < 1 || keysize > 160)
-			fatal("keysize %d out of range (must be 1-160)\n",
-			      keysize);
-		break;
-	    case DST_ALG_HMACSHA224:
-		if (keysize < 1 || keysize > 224)
-			fatal("keysize %d out of range (must be 1-224)\n",
-			      keysize);
-		break;
 	    case DST_ALG_HMACSHA384:
-		if (keysize < 1 || keysize > 384)
-			fatal("keysize %d out of range (must be 1-384)\n",
+	    case DST_ALG_HMACSHA512:
+		if (keysize < 1 || keysize > 1024)
+			fatal("keysize %d out of range (must be 1-1024)\n",
 			      keysize);
 		break;
 	    default:

bin/confgen/rndc-confgen.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009, 2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009, 2011, 2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -140,8 +140,6 @@ main(int argc, char **argv) {
 			keysize = strtol(isc_commandline_argument, &p, 10);
 			if (*p != '\0' || keysize < 0)
 				fatal("-b requires a non-negative number");
-			if (keysize < 1 || keysize > 512)
-				fatal("-b must be in the range 1 through 512");
 			break;
 		case 'c':
 			keyfile = isc_commandline_argument;

bin/dig/dig.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -255,7 +255,7 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 		time(&tnow);
 		tmnow  = *localtime(&tnow);
 		if (strftime(time_str, sizeof(time_str),
-			     "%a %b %d %T %Z %Y", &tmnow) > 0U)
+			     "%a %b %d %H:%M:%S %Z %Y", &tmnow) > 0U)
 			printf(";; WHEN: %s\n", time_str);
 		if (query->lookup->doing_xfr) {
 			printf(";; XFR size: %u records (messages %u, "

bin/named/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -21,6 +21,8 @@ top_srcdir =	@top_srcdir@
 
 @BIND9_VERSION@
 
+@BIND9_PRODUCT@
+
 @BIND9_SRCID@
 
 @BIND9_CONFIGARGS@
@@ -116,6 +118,7 @@ MANOBJS =	${MANPAGES} ${HTMLPAGES}
 main.@O@: main.c
 	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
 		-DVERSION=\"${VERSION}\" \
+		-DPRODUCT=\"${PRODUCT}\" \
 		-DSRCID=\"${SRCID}\" \
 		-DCONFIGARGS="\"${CONFIGARGS}\"" \
 		-DNS_LOCALSTATEDIR=\"${localstatedir}\" \

bin/named/controlconf.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -149,7 +149,7 @@ free_listener(controllistener_t *listener) {
 	if (listener->acl != NULL)
 		dns_acl_detach(&listener->acl);
 
-	isc_mem_put(listener->mctx, listener, sizeof(*listener));
+	isc_mem_putanddetach(&listener->mctx, listener, sizeof(*listener));
 }
 
 static void
@@ -1066,8 +1066,9 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
 		result = ISC_R_NOMEMORY;
 
 	if (result == ISC_R_SUCCESS) {
+		listener->mctx = NULL;
+		isc_mem_attach(mctx, &listener->mctx);
 		listener->controls = cp;
-		listener->mctx = mctx;
 		listener->task = cp->server->task;
 		listener->address = *addr;
 		listener->sock = NULL;

bin/named/include/named/globals.h

@@ -66,6 +66,7 @@ EXTERN isc_timermgr_t *		ns_g_timermgr		INIT(NULL);
 EXTERN isc_socketmgr_t *	ns_g_socketmgr		INIT(NULL);
 EXTERN cfg_parser_t *		ns_g_parser		INIT(NULL);
 EXTERN const char *		ns_g_version		INIT(VERSION);
+EXTERN const char *		ns_g_product		INIT(PRODUCT);
 EXTERN const char *		ns_g_srcid		INIT(SRCID);
 EXTERN const char *		ns_g_configargs		INIT(CONFIGARGS);
 EXTERN in_port_t		ns_g_port		INIT(0);

bin/named/include/named/server.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010, 2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -165,7 +165,9 @@ enum {
 	dns_nsstatscounter_updatefail = 34,
 	dns_nsstatscounter_updatebadprereq = 35,
 
-	dns_nsstatscounter_max = 36
+	dns_nsstatscounter_rpz_rewrites = 36,
+
+	dns_nsstatscounter_max = 37
 };
 
 void

bin/named/interfacemgr.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2011, 2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -79,11 +79,13 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	if (mgr == NULL)
 		return (ISC_R_NOMEMORY);
 
+	mgr->mctx = NULL;
+	isc_mem_attach(mctx, &mgr->mctx);
+
 	result = isc_mutex_init(&mgr->lock);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_mem;
 
-	mgr->mctx = mctx;
 	mgr->taskmgr = taskmgr;
 	mgr->socketmgr = socketmgr;
 	mgr->dispatchmgr = dispatchmgr;
@@ -115,7 +117,7 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	ns_listenlist_detach(&mgr->listenon4);
 	ns_listenlist_detach(&mgr->listenon6);
  cleanup_mem:
-	isc_mem_put(mctx, mgr, sizeof(*mgr));
+	isc_mem_putanddetach(&mgr->mctx, mgr, sizeof(*mgr));
 	return (result);
 }
 
@@ -128,7 +130,7 @@ ns_interfacemgr_destroy(ns_interfacemgr_t *mgr) {
 	clearlistenon(mgr);
 	DESTROYLOCK(&mgr->lock);
 	mgr->magic = 0;
-	isc_mem_put(mgr->mctx, mgr, sizeof(*mgr));
+	isc_mem_putanddetach(&mgr->mctx, mgr, sizeof(*mgr));
 }
 
 dns_aclenv_t *

bin/named/main.c

@@ -535,10 +535,10 @@ parse_command_line(int argc, char *argv[]) {
 			ns_g_username = isc_commandline_argument;
 			break;
 		case 'v':
-			printf("BIND %s\n", ns_g_version);
+			printf("%s %s\n", ns_g_product, ns_g_version);
 			exit(0);
 		case 'V':
-			printf("BIND %s <id:%s> built with %s\n",
+			printf("%s %s <id:%s> built with %s\n", ns_g_product,
 			       ns_g_version, ns_g_srcid, ns_g_configargs);
 #ifdef OPENSSL
 			printf("using OpenSSL version: %s\n",
@@ -791,8 +791,8 @@ setup(void) {
 				   isc_result_totext(result));
 
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
-		      ISC_LOG_NOTICE, "starting BIND %s%s", ns_g_version,
-		      saved_command_line);
+		      ISC_LOG_NOTICE, "starting %s %s%s", ns_g_product,
+		      ns_g_version, saved_command_line);
 
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
 		      ISC_LOG_NOTICE, "built with %s", ns_g_configargs);

bin/named/query.c

@@ -850,12 +850,29 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
 }
 
 static void
-rpz_log_rewrite(ns_client_t *client, const char *disabled,
+rpz_log_rewrite(ns_client_t *client, isc_boolean_t disabled,
 		dns_rpz_policy_t policy, dns_rpz_type_t type,
-		dns_name_t *rpz_qname) {
+		dns_zone_t *zone, dns_name_t *rpz_qname)
+{
+	isc_stats_t *zonestats;
 	char qname_buf[DNS_NAME_FORMATSIZE];
 	char rpz_qname_buf[DNS_NAME_FORMATSIZE];
 
+	/*
+	 * Count enabled rewrites in the global counter.
+	 * Count both enabled and disabled rewrites for each zone.
+	 */
+	if (!disabled && policy != DNS_RPZ_POLICY_PASSTHRU) {
+		isc_stats_increment(ns_g_server->nsstats,
+				    dns_nsstatscounter_rpz_rewrites);
+	}
+	if (zone != NULL) {
+		zonestats = dns_zone_getrequeststats(zone);
+		if (zonestats != NULL)
+			isc_stats_increment(zonestats,
+					    dns_nsstatscounter_rpz_rewrites);
+	}
+
 	if (!isc_log_wouldlog(ns_g_lctx, DNS_RPZ_INFO_LEVEL))
 		return;
 
@@ -864,7 +881,7 @@ rpz_log_rewrite(ns_client_t *client, const char *disabled,
 
 	ns_client_log(client, DNS_LOGCATEGORY_RPZ, NS_LOGMODULE_QUERY,
 		      DNS_RPZ_INFO_LEVEL, "%srpz %s %s rewrite %s via %s",
-		      disabled,
+		      disabled ? "disabled " : "",
 		      dns_rpz_type2str(type), dns_rpz_policy2str(policy),
 		      qname_buf, rpz_qname_buf);
 }
@@ -880,6 +897,9 @@ rpz_log_fail(ns_client_t *client, int level,
 	if (!isc_log_wouldlog(ns_g_lctx, level))
 		return;
 
+	/*
+	 * bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
+	 */
 	dns_name_format(client->query.qname, namebuf1, sizeof(namebuf1));
 	dns_name_format(name, namebuf2, sizeof(namebuf2));
 	ns_client_log(client, NS_LOGCATEGORY_QUERY_EERRORS,
@@ -4055,6 +4075,8 @@ rpz_rewrite_rrset(ns_client_t *client, dns_rpz_type_t rpz_type,
 				rdatasetp, resuming);
 	switch (result) {
 	case ISC_R_SUCCESS:
+	case DNS_R_GLUE:
+	case DNS_R_ZONECUT:
 		result = rpz_rewrite_ip(client, *rdatasetp, rpz_type);
 		break;
 	case DNS_R_EMPTYNAME:
@@ -4233,26 +4255,32 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
 				result = DNS_R_CNAME;
 		}
 		break;
+	case DNS_R_NXRRSET:
+		policy = DNS_RPZ_POLICY_NODATA;
+		break;
 	case DNS_R_DNAME:
 		/*
 		 * DNAME policy RRs have very few if any uses that are not
 		 * better served with simple wildcards.  Making the work would
 		 * require complications to get the number of labels matched
 		 * in the name or the found name to the main DNS_R_DNAME case
-		 * in query_find(). So fall through to treat them as NODATA.
+		 * in query_find().
+		 */
+		dns_rdataset_disassociate(*rdatasetp);
+		dns_db_detachnode(*dbp, nodep);
+		/*
+		 * Fall through to treat it as a miss.
 		 */
-	case DNS_R_NXRRSET:
-		policy = DNS_RPZ_POLICY_NODATA;
-		break;
 	case DNS_R_NXDOMAIN:
 	case DNS_R_EMPTYNAME:
 		/*
 		 * If we don't get a qname hit,
 		 * see if it is worth looking for other types.
 		 */
-		dns_db_rpz_enabled(*dbp, client->query.rpz_st);
+		(void)dns_db_rpz_enabled(*dbp, client->query.rpz_st);
 		dns_db_detach(dbp);
 		dns_zone_detach(zonep);
+		result = DNS_R_NXDOMAIN;
 		policy = DNS_RPZ_POLICY_MISS;
 		break;
 	default:
@@ -4260,9 +4288,7 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
 		dns_zone_detach(zonep);
 		rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, qnamef,
 			     "", result);
-		policy = DNS_RPZ_POLICY_ERROR;
-		result = DNS_R_SERVFAIL;
-		break;
+		return (DNS_R_SERVFAIL);
 	}
 
 	*policyp = policy;
@@ -4328,6 +4354,9 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
 			if (result == ISC_R_SUCCESS)
 				break;
 			INSIST(result == DNS_R_NAMETOOLONG);
+			/*
+			 * Trim the name until it is not too long.
+			 */
 			labels = dns_name_countlabels(prefix);
 			if (labels < 2) {
 				rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
@@ -4351,7 +4380,6 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
 				  rdatasetp, &policy);
 		switch (result) {
 		case DNS_R_NXDOMAIN:
-		case DNS_R_EMPTYNAME:
 			break;
 		case DNS_R_SERVFAIL:
 			rpz_clean(&zone, &db, &node, rdatasetp);
@@ -4374,13 +4402,45 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
 			     (st->m.type == rpz_type &&
 			      0 >= dns_name_compare(rpz_qname, st->qname))))
 				continue;
+#if 0
+			/*
+			 * This code would block a customer reported information
+			 * leak of rpz rules by rewriting requests in the
+			 * rpz-ip, rpz-nsip, rpz-nsdname,and rpz-passthru TLDs.
+			 * Without this code, a bad guy could request
+			 * 24.0.3.2.10.rpz-ip. to find the policy rule for
+			 * 10.2.3.0/14.  It is an insignificant leak and this
+			 * code is not worth its cost, because the bad guy
+			 * could publish "evil.com A 10.2.3.4" and request
+			 * evil.com to get the same information.
+			 * Keep code with "#if 0" in case customer demand
+			 * is irresistible.
+			 *
+			 * We have the less frequent case of a triggered
+			 * policy.  Check that we have not trigger on one
+			 * of the pretend RPZ TLDs.
+			 * This test would make it impossible to rewrite
+			 * names in TLDs that start with "rpz-" should
+			 * ICANN ever allow such TLDs.
+			 */
+			labels = dns_name_countlabels(qname);
+			if (labels >= 2) {
+				dns_label_t label;
 
+				dns_name_getlabel(qname, labels-2, &label);
+				if (label.length >= sizeof(DNS_RPZ_PREFIX)-1 &&
+				    strncasecmp((const char *)label.base+1,
+						DNS_RPZ_PREFIX,
+						sizeof(DNS_RPZ_PREFIX)-1) == 0)
+					continue;
+			}
+#endif
 			/*
 			 * Merely log DNS_RPZ_POLICY_DISABLED hits.
 			 */
 			if (rpz->policy == DNS_RPZ_POLICY_DISABLED) {
-				rpz_log_rewrite(client, "disabled ",
-						policy, rpz_type, rpz_qname);
+				rpz_log_rewrite(client, ISC_TRUE, policy,
+						rpz_type, zone, rpz_qname);
 				continue;
 			}
 
@@ -4511,7 +4571,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
 	rdataset = NULL;
 	if ((st->state & DNS_RPZ_DONE_QNAME) == 0) {
 		/*
-		 * Check rules for the query name if this it the first time
+		 * Check rules for the query name if this is the first time
 		 * for the current qname, i.e. we've not been recursing.
 		 * There is a first time for each name in a CNAME chain.
 		 */
@@ -4553,7 +4613,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
 
 	dns_fixedname_init(&nsnamef);
 	dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef));
-	while (st->r.label > 1) {
+	while (st->r.label > client->view->rpz_min_ns_labels) {
 		/*
 		 * Get NS rrset for each domain in the current qname.
 		 */
@@ -4684,8 +4744,8 @@ cleanup:
 	    st->m.policy == DNS_RPZ_POLICY_ERROR) {
 		if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU &&
 		    result != DNS_R_DELEGATION)
-			rpz_log_rewrite(client, "", st->m.policy, st->m.type,
-					st->qname);
+			rpz_log_rewrite(client, ISC_FALSE, st->m.policy,
+					st->m.type, st->m.zone, st->qname);
 		rpz_match_clear(st);
 	}
 	if (st->m.policy == DNS_RPZ_POLICY_ERROR) {
@@ -4700,7 +4760,7 @@ cleanup:
 }
 
 /*
- * See if response policy zone rewriting is allowed a lack of interest
+ * See if response policy zone rewriting is allowed by a lack of interest
  * by the client in DNSSEC or a lack of signatures.
  */
 static isc_boolean_t
@@ -4795,7 +4855,8 @@ rpz_add_cname(ns_client_t *client, dns_rpz_st_t *st,
 				 fname, dns_trust_authanswer, st->m.ttl);
 	if (result != ISC_R_SUCCESS)
 		return (result);
-	rpz_log_rewrite(client, "", st->m.policy, st->m.type, st->qname);
+	rpz_log_rewrite(client, ISC_FALSE, st->m.policy,
+			st->m.type, st->m.zone, st->qname);
 	ns_client_qnamereplace(client, fname);
 	/*
 	 * Turn off DNSSEC because the results of a
@@ -5734,8 +5795,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			query_putrdataset(client, &sigrdataset);
 			rpz_st->q.is_zone = is_zone;
 			is_zone = ISC_TRUE;
-			rpz_log_rewrite(client, "", rpz_st->m.policy,
-					rpz_st->m.type, rpz_st->qname);
+			rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy,
+					rpz_st->m.type, zone, rpz_st->qname);
 		}
 	}
 

bin/named/server.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -159,7 +159,7 @@
  * a cache.  Only effective when a finite max-cache-size is specified.
  * This is currently defined to be 8MB.
  */
-#define MAX_ADB_SIZE_FOR_CACHESHARE	8388608
+#define MAX_ADB_SIZE_FOR_CACHESHARE	8388608U
 
 struct ns_dispatch {
 	isc_sockaddr_t			addr;
@@ -1505,40 +1505,58 @@ cleanup:
 	return (result);
 }
 
+static isc_result_t
+configure_rpz_name(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
+		   const char *str, const char *msg)
+{
+	isc_result_t result;
+
+	result = dns_name_fromstring(name, str, DNS_NAME_DOWNCASE, view->mctx);
+	if (result != ISC_R_SUCCESS)
+		cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+			    "invalid %s '%s'", msg, str);
+	return (result);
+}
+
+static isc_result_t
+configure_rpz_name2(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
+		    const char *str, const dns_name_t *origin)
+{
+	isc_result_t result;
+
+	result = dns_name_fromstring2(name, str, origin, DNS_NAME_DOWNCASE,
+				      view->mctx);
+	if (result != ISC_R_SUCCESS)
+		cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+			    "invalid zone '%s'", str);
+	return (result);
+}
+
 static isc_result_t
 configure_rpz(dns_view_t *view, const cfg_listelt_t *element,
 	      isc_boolean_t recursive_only_def, dns_ttl_t ttl_def)
 {
-	const cfg_obj_t *rpz_obj, *policy_obj, *obj;
+	const cfg_obj_t *rpz_obj, *obj;
 	const char *str;
 	dns_rpz_zone_t *old, *new;
-	dns_zone_t *zone = NULL;
 	isc_result_t result;
 
+	rpz_obj = cfg_listelt_value(element);
+
 	new = isc_mem_get(view->mctx, sizeof(*new));
 	if (new == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup;
+		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+			    "no memory for response policy zones");
+		return (ISC_R_NOMEMORY);
 	}
 
 	memset(new, 0, sizeof(*new));
 	dns_name_init(&new->origin, NULL);
 	dns_name_init(&new->nsdname, NULL);
-	dns_name_init(&new->cname, NULL);
 	dns_name_init(&new->passthru, NULL);
+	dns_name_init(&new->cname, NULL);
 	ISC_LIST_INITANDAPPEND(view->rpz_zones, new, link);
 
-	rpz_obj = cfg_listelt_value(element);
-	policy_obj = cfg_tuple_get(rpz_obj, "policy");
-	if (cfg_obj_isvoid(policy_obj)) {
-		new->policy = DNS_RPZ_POLICY_GIVEN;
-	} else {
-		str = cfg_obj_asstring(cfg_tuple_get(policy_obj,
-						     "policy name"));
-		new->policy = dns_rpz_str2policy(str);
-		INSIST(new->policy != DNS_RPZ_POLICY_ERROR);
-	}
-
 	obj = cfg_tuple_get(rpz_obj, "recursive-only");
 	if (cfg_obj_isvoid(obj)) {
 		new->recursive_only = recursive_only_def;
@@ -1556,47 +1574,14 @@ configure_rpz(dns_view_t *view, const cfg_listelt_t *element,
 	}
 
 	str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "zone name"));
-	result = dns_name_fromstring(&new->origin, str, DNS_NAME_DOWNCASE,
-				     view->mctx);
-	if (result != ISC_R_SUCCESS) {
+	result = configure_rpz_name(view, rpz_obj, &new->origin, str, "zone");
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	if (dns_name_equal(&new->origin, dns_rootname)) {
 		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
-			    "invalid zone '%s'", str);
-		goto cleanup;
+			    "invalid zone name '%s'", str);
+		return (DNS_R_EMPTYLABEL);
 	}
-
-	result = dns_name_fromstring2(&new->nsdname, DNS_RPZ_NSDNAME_ZONE,
-				      &new->origin, DNS_NAME_DOWNCASE,
-				      view->mctx);
-	if (result != ISC_R_SUCCESS) {
-		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
-			    "invalid zone '%s'", str);
-		goto cleanup;
-	}
-
-	result = dns_name_fromstring(&new->passthru, DNS_RPZ_PASSTHRU_ZONE,
-				     DNS_NAME_DOWNCASE, view->mctx);
-	if (result != ISC_R_SUCCESS) {
-		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
-			    "invalid zone '%s'", str);
-		goto cleanup;
-	}
-
-	result = dns_view_findzone(view, &new->origin, &zone);
-	if (result != ISC_R_SUCCESS) {
-		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
-			    "unknown zone '%s'", str);
-		goto cleanup;
-	}
-	if (dns_zone_gettype(zone) != dns_zone_master &&
-	    dns_zone_gettype(zone) != dns_zone_slave) {
-		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
-			     "zone '%s' is neither master nor slave", str);
-		dns_zone_detach(&zone);
-		result = DNS_R_NOTMASTER;
-		goto cleanup;
-	}
-	dns_zone_detach(&zone);
-
 	for (old = ISC_LIST_HEAD(view->rpz_zones);
 	     old != new;
 	     old = ISC_LIST_NEXT(old, link)) {
@@ -1605,26 +1590,37 @@ configure_rpz(dns_view_t *view, const cfg_listelt_t *element,
 			cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
 				    "duplicate '%s'", str);
 			result = DNS_R_DUPLICATE;
-			goto cleanup;
+			return (result);
 		}
 	}
 
-	if (new->policy == DNS_RPZ_POLICY_CNAME) {
-		str = cfg_obj_asstring(cfg_tuple_get(policy_obj, "cname"));
-		result = dns_name_fromstring(&new->cname, str,
-					     DNS_NAME_DOWNCASE, view->mctx);
-		if (result != ISC_R_SUCCESS) {
-			cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
-				    "invalid cname '%s'", str);
-			goto cleanup;
+	result = configure_rpz_name2(view, rpz_obj, &new->nsdname,
+				     DNS_RPZ_NSDNAME_ZONE, &new->origin);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = configure_rpz_name(view, rpz_obj, &new->passthru,
+				    DNS_RPZ_PASSTHRU_ZONE, "zone");
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	obj = cfg_tuple_get(rpz_obj, "policy");
+	if (cfg_obj_isvoid(obj)) {
+		new->policy = DNS_RPZ_POLICY_GIVEN;
+	} else {
+		str = cfg_obj_asstring(cfg_tuple_get(obj, "policy name"));
+		new->policy = dns_rpz_str2policy(str);
+		INSIST(new->policy != DNS_RPZ_POLICY_ERROR);
+		if (new->policy == DNS_RPZ_POLICY_CNAME) {
+			str = cfg_obj_asstring(cfg_tuple_get(obj, "cname"));
+			result = configure_rpz_name(view, rpz_obj, &new->cname,
+						    str, "cname");
+			if (result != ISC_R_SUCCESS)
+				return (result);
 		}
 	}
 
 	return (ISC_R_SUCCESS);
-
- cleanup:
-	dns_rpz_view_destroy(view);
-	return (result);
 }
 
 /*
@@ -1693,6 +1689,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL;
 	unsigned int query_timeout;
 	struct cfg_context *nzctx;
+	dns_rpz_zone_t *rpz;
 
 	REQUIRE(DNS_VIEW_VALID(view));
 
@@ -1790,6 +1787,53 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 					 &view->queryacl));
 	}
 
+	/*
+	 * Make the list of response policy zone names for a view that
+	 * is used for real lookups and so cares about hints.
+	 */
+	obj = NULL;
+	if (view->rdclass == dns_rdataclass_in && need_hints &&
+	    ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) {
+		const cfg_obj_t *rpz_obj;
+		isc_boolean_t recursive_only_def;
+		dns_ttl_t ttl_def;
+
+		rpz_obj = cfg_tuple_get(obj, "recursive-only");
+		if (!cfg_obj_isvoid(rpz_obj) &&
+		    !cfg_obj_asboolean(rpz_obj))
+			recursive_only_def = ISC_FALSE;
+		else
+			recursive_only_def = ISC_TRUE;
+
+		rpz_obj = cfg_tuple_get(obj, "break-dnssec");
+		if (!cfg_obj_isvoid(rpz_obj) &&
+		    cfg_obj_asboolean(rpz_obj))
+			view->rpz_break_dnssec = ISC_TRUE;
+		else
+			view->rpz_break_dnssec = ISC_FALSE;
+
+		rpz_obj = cfg_tuple_get(obj, "max-policy-ttl");
+		if (cfg_obj_isuint32(rpz_obj))
+			ttl_def = cfg_obj_asuint32(rpz_obj);
+		else
+			ttl_def = DNS_RPZ_MAX_TTL_DEFAULT;
+
+		rpz_obj = cfg_tuple_get(obj, "min-ns-dots");
+		if (cfg_obj_isuint32(rpz_obj))
+			view->rpz_min_ns_labels = cfg_obj_asuint32(rpz_obj) + 1;
+		else
+			view->rpz_min_ns_labels = 2;
+
+		element = cfg_list_first(cfg_tuple_get(obj, "zone list"));
+		while (element != NULL) {
+			result = configure_rpz(view, element,
+					       recursive_only_def, ttl_def);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+			element = cfg_list_next(element);
+		}
+	}
+
 	/*
 	 * Configure the zones.
 	 */
@@ -1811,6 +1855,22 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 				     actx, ISC_FALSE));
 	}
 
+	for (rpz = ISC_LIST_HEAD(view->rpz_zones);
+	     rpz != NULL;
+	     rpz = ISC_LIST_NEXT(rpz, link))
+	{
+		if (!rpz->defined) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+
+			dns_name_format(&rpz->origin, namebuf, sizeof(namebuf));
+			cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+				    "'%s' is not a master or slave zone",
+				    namebuf);
+			result = ISC_R_NOTFOUND;
+			goto cleanup;
+		}
+	}
+
 	/*
 	 * If we're allowing added zones, then load zone configuration
 	 * from the newzone file for zones that were added during previous
@@ -2237,9 +2297,9 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	 * MAX_ADB_SIZE_FOR_CACHESHARE when the cache is shared.
 	 */
 	max_adb_size = 0;
-	if (max_cache_size != 0) {
+	if (max_cache_size != 0U) {
 		max_adb_size = max_cache_size / 8;
-		if (max_adb_size == 0)
+		if (max_adb_size == 0U)
 			max_adb_size = 1;	/* Force minimum. */
 		if (view != nsc->primaryview &&
 		    max_adb_size > MAX_ADB_SIZE_FOR_CACHESHARE) {
@@ -2876,7 +2936,6 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 			 */
 			(void)dns_view_findzone(view, name, &zone);
 			if (zone != NULL) {
-				CHECK(setquerystats(zone, mctx, zonestats_on));
 				dns_zone_detach(&zone);
 				continue;
 			}
@@ -2962,49 +3021,6 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 		}
 	}
 
-	/*
-	 * Make the list of response policy zone names for views that
-	 * are used for real lookups and so care about hints.
-	 */
-	obj = NULL;
-	if (view->rdclass == dns_rdataclass_in && need_hints &&
-	    ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) {
-		const cfg_obj_t *recursive_only_obj;
-		const cfg_obj_t *break_dnssec_obj, *ttl_obj;
-		isc_boolean_t recursive_only_def;
-		dns_ttl_t ttl_def;
-
-		recursive_only_obj = cfg_tuple_get(obj, "recursive-only");
-		if (!cfg_obj_isvoid(recursive_only_obj) &&
-		    !cfg_obj_asboolean(recursive_only_obj))
-			recursive_only_def = ISC_FALSE;
-		else
-			recursive_only_def = ISC_TRUE;
-
-		break_dnssec_obj = cfg_tuple_get(obj, "break-dnssec");
-		if (!cfg_obj_isvoid(break_dnssec_obj) &&
-		    cfg_obj_asboolean(break_dnssec_obj))
-			view->rpz_break_dnssec = ISC_TRUE;
-		else
-			view->rpz_break_dnssec = ISC_FALSE;
-
-		ttl_obj = cfg_tuple_get(obj, "max-policy-ttl");
-		if (cfg_obj_isuint32(ttl_obj))
-			ttl_def = cfg_obj_asuint32(ttl_obj);
-		else
-			ttl_def = DNS_RPZ_MAX_TTL_DEFAULT;
-
-		for (element = cfg_list_first(cfg_tuple_get(obj, "zone list"));
-		     element != NULL;
-		     element = cfg_list_next(element)) {
-			result = configure_rpz(view, element,
-					       recursive_only_def, ttl_def);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-			dns_rpz_set_need(ISC_TRUE);
-		}
-	}
-
 	result = ISC_R_SUCCESS;
 
  cleanup:
@@ -3356,6 +3372,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 	const char *zname;
 	dns_rdataclass_t zclass;
 	const char *ztypestr;
+	isc_boolean_t is_rpz;
+	dns_rpz_zone_t *rpz;
 
 	options = NULL;
 	(void)cfg_map_get(config, "options", &options);
@@ -3484,6 +3502,21 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 	}
 	INSIST(dupzone == NULL);
 
+	/*
+	 * Note whether this is a response policy zone.
+	 */
+	is_rpz = ISC_FALSE;
+	for (rpz = ISC_LIST_HEAD(view->rpz_zones);
+	     rpz != NULL;
+	     rpz = ISC_LIST_NEXT(rpz, link))
+	{
+		if (dns_name_equal(&rpz->origin, origin)) {
+			is_rpz = ISC_TRUE;
+			rpz->defined = ISC_TRUE;
+			break;
+		}
+	}
+
 	/*
 	 * See if we can reuse an existing zone.  This is
 	 * only possible if all of these are true:
@@ -3492,6 +3525,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 	 *   - The zone is compatible with the config
 	 *     options (e.g., an existing master zone cannot
 	 *     be reused if the options specify a slave zone)
+	 *   - The zone was and is or was not and is not a policy zone
 	 */
 	result = dns_viewlist_find(&ns_g_server->viewlist,
 				   view->name, view->rdclass,
@@ -3505,6 +3539,9 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 	if (zone != NULL && !ns_zone_reusable(zone, zconfig))
 		dns_zone_detach(&zone);
 
+	if (zone != NULL && is_rpz != dns_zone_get_rpz(zone))
+		dns_zone_detach(&zone);
+
 	if (zone != NULL) {
 		/*
 		 * We found a reusable zone.  Make it use the
@@ -3527,6 +3564,19 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 		dns_zone_setstats(zone, ns_g_server->zonestats);
 	}
 
+	if (is_rpz) {
+		result = dns_zone_rpz_enable(zone);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "zone '%s': incompatible"
+				      " masterfile-format or database"
+				      " for a response policy zone",
+				      zname);
+			goto cleanup;
+		}
+	}
+
 	/*
 	 * If the zone contains a 'forwarders' statement, configure
 	 * selective forwarding.
@@ -7482,7 +7532,8 @@ ns_server_add_zone(ns_server_t *server, char *args) {
 	CHECK(isc_stdio_open(view->new_zone_file, "a", &fp));
 
 	/* Mark view unfrozen so that zone can be added */
-	isc_task_beginexclusive(server->task);
+	result = isc_task_beginexclusive(server->task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	dns_view_thaw(view);
 	result = configure_zone(cfg->config, parms, vconfig,
 				server->mctx, view, cfg->actx, ISC_FALSE);

bin/named/statschannel.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2008-2013  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -202,6 +202,8 @@ init_desc(void) {
 	SET_NSSTATDESC(updatebadprereq,
 		       "updates rejected due to prerequisite failure",
 		       "UpdateBadPrereq");
+	SET_NSSTATDESC(rpz_rewrites, "response policy zone rewrites",
+		       "RPZRewrites");
 	INSIST(i == dns_nsstatscounter_max);
 
 	/* Initialize resolver statistics */

bin/tests/dst/.gitignore

@@ -0,0 +1,16 @@
+randomfile
+Kdh.+002+18602.key
+Kdh.+002+18602.private
+Kdh.+002+48957.key
+Kdh.+002+48957.private
+Ktest.+001+00002.key
+Ktest.+001+54622.key
+Ktest.+001+54622.private
+Ktest.+003+23616.key
+Ktest.+003+23616.private
+Ktest.+003+49667.key
+dst_2_data
+t2_data_1
+t2_data_2
+t2_dsasig
+t2_rsasig

bin/tests/dst/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2006-2010, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2006-2010, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -49,7 +49,7 @@ dst_test@EXEEXT@: dst_test.@O@ ${DEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
 		dst_test.@O@ ${LIBS}
 
-t_dst@EXEEXT@: t_dst.@O@ ${DEPLIBS} ${TLIB}
+t_dst@EXEEXT@: t_dst.@O@ ${DEPLIBS} ${TLIB} randomfile
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
 		t_dst.@O@ ${TLIB} ${LIBS}
 
@@ -57,9 +57,29 @@ gsstest@EXEEXT@: gsstest.@O@ ${DEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
 		gsstest.@O@ ${LIBS}
 
-test: t_dst@EXEEXT@
+test: t_dst@EXEEXT@ randomfile
+	../../tools/genrandom@EXEEXT@ 100 randomfile
+	-@ ./t_dst@EXEEXT@ -q 1800 -a
+
+randomfile:
 	../../tools/genrandom@EXEEXT@ 100 randomfile
-	-@ ./t_dst@EXEEXT@ -b @srcdir@ -q 1800 -a
 
 clean distclean::
 	rm -f ${TARGETS} randomfile
+
+distclean::
+	rm -f Kdh.+002+18602.key
+	rm -f Kdh.+002+18602.private
+	rm -f Kdh.+002+48957.key
+	rm -f Kdh.+002+48957.private
+	rm -f Ktest.+001+00002.key
+	rm -f Ktest.+001+54622.key
+	rm -f Ktest.+001+54622.private
+	rm -f Ktest.+003+23616.key
+	rm -f Ktest.+003+23616.private
+	rm -f Ktest.+003+49667.key
+	rm -f dst_2_data
+	rm -f t2_data_1
+	rm -f t2_data_2
+	rm -f t2_dsasig
+	rm -f t2_rsasig

bin/tests/system/checkzone/tests.sh

@@ -1,4 +1,4 @@
-# Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -30,4 +30,14 @@ do
 	status=`expr $status + $ret`
 done
 
+for db in zones/bad*.db
+do
+	echo "I:checking $db ($n)"
+	ret=0
+	$CHECKZONE -i local example $db > test.out.$n 2>&1 && ret=1
+	n=`expr $n + 1`
+	if [ $ret != 0 ]; then echo "I:failed"; fi
+	status=`expr $status + $ret`
+done
+
 exit $status

bin/tests/system/conf.sh.in

@@ -49,6 +49,7 @@ PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p 1234"
 PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p 1234"
 JOURNALPRINT=$TOP/bin/tools/named-journalprint
 ARPANAME=$TOP/bin/tools/arpaname
+SAMPLE=$TOP/lib/export/samples/sample
 
 # The "stress" test is not run by default since it creates enough
 # load on the machine to make it unusable to other users.
@@ -78,4 +79,4 @@ fi
 
 export NAMED LWRESD DIG NSUPDATE KEYGEN KEYFRLAB SIGNER KEYSIGNER KEYSETTOOL \
        PERL SUBDIRS RNDC CHECKZONE PK11GEN PK11LIST PK11DEL TESTSOCK6 \
-       JOURNALPRINT ARPANAME
+       JOURNALPRINT ARPANAME SAMPLE

bin/tests/system/dnssec/clean.sh

@@ -29,6 +29,7 @@ rm -f ns2/single-nsec3.db
 rm -f ns2/nsec3chain-test.db
 rm -f */example.bk
 rm -f dig.out.*
+rm -f sample.out*
 rm -f random.data
 rm -f ns2/dlv.db
 rm -f ns3/multiple.example.db ns3/nsec3-unknown.example.db ns3/nsec3.example.db

bin/tests/system/dnssec/ns1/sign.sh

@@ -73,3 +73,8 @@ cp managed.conf ../ns4/managed.conf
 keyid=`expr $keyname : 'K.+001+\(.*\)'`
 keyid=`expr $keyid + 0`
 echo "$keyid" > managed.key.id
+cat $keyname.key | grep -v '^; ' | $PERL -n -e '
+local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
+local $key = join("", @rest);
+print "-a $alg -e -k $dn -K $key\n"
+' > sample.key

bin/tests/system/dnssec/tests.sh

@@ -26,6 +26,7 @@ n=1
 rm -f dig.out.*
 
 DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
+SAMPLEKEY=`cat ns1/sample.key`
 
 # convert private-type records to readable form
 showprivate () {
@@ -102,6 +103,17 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking postive validation NSEC using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.example > sample.out$n || ret=1
+   grep "a.example..*10.0.0.1" sample.out$n > /dev/null || ret=1
+   grep "a.example..*.RRSIG.A 3 2 300 .*" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking positive validation NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.nsec3.example. \
@@ -114,6 +126,17 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking positive validation NSEC3 using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.nsec3.example > sample.out$n || ret=1
+   grep "a.nsec3.example..*10.0.0.1" sample.out$n > /dev/null || ret=1
+   grep "a.nsec3.example..*RRSIG.A 7 3 300.*" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking positive validation OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.optout.example. \
@@ -126,6 +149,17 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking positive validation OPTOUT using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.optout.example > sample.out$n || ret=1
+   grep "a.optout.example..*10.0.0.1" sample.out$n > /dev/null || ret=1
+   grep "a.optout.example..*RRSIG.A 7 3 300.*" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking positive wildcard validation NSEC ($n)"
 ret=0
 $DIG $DIGOPTS a.wild.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
@@ -137,6 +171,17 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking positive wildcard validation NSEC using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.wild.example > sample.out$n || ret=1
+   grep "a.wild.example..*10.0.0.27" sample.out$n > /dev/null || ret=1
+   grep "a.wild.example..*RRSIG.A 3 2 300.*" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking positive wildcard answer NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
@@ -148,9 +193,9 @@ status=`expr $status + $ret`
 
 echo "I:checking positive wildcard answer NSEC3 ($n)"
 ret=0
-$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-grep "AUTHORITY: 4," dig.out.ns3.test$n > /dev/null || ret=1
-grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+grep "AUTHORITY: 4," dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
@@ -166,6 +211,17 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking positive wildcard validation NSEC3 using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.wild.nsec3.example > sample.out$n || ret=1
+   grep "a.wild.nsec3.example..*10.0.0.6" sample.out$n > /dev/null || ret=1
+   grep "a.wild.nsec3.example..*RRSIG.A 7 3 300.*" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking positive wildcard validation OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS a.wild.optout.example. \
@@ -179,6 +235,17 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking positive wildcard validation OPTOUT using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.wild.optout.example > sample.out$n || ret=1
+   grep "a.wild.optout.example..*10.0.0.6" sample.out$n > /dev/null || ret=1
+   grep "a.wild.optout.example..*RRSIG.A 7 3 300.*" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative validation NXDOMAIN NSEC ($n)"
 ret=0
 $DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
@@ -190,6 +257,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative validation NXDOMAIN NSEC using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 q.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxdomain" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative validation NXDOMAIN NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth q.nsec3.example. \
@@ -203,6 +280,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative validation NXDOMAIN NSEC3 using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 q.nsec3.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxdomain" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative validation NXDOMAIN OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth q.optout.example. \
@@ -217,6 +304,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative validation NXDOMAIN OPTOUT using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 q.optout.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxdomain" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative validation NODATA NSEC ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
@@ -229,6 +326,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative validation NODATA OPTOUT using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 a.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxrrset" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative validation NODATA NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.nsec3.example. \
@@ -243,6 +350,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative validation NODATA NSEC3 using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 a.nsec3.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxrrset" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative validation NODATA OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.optout.example. \
@@ -257,6 +374,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative validation NODATA OPTOUT using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 a.optout.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxrrset" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative wildcard validation NSEC ($n)"
 ret=0
 $DIG $DIGOPTS b.wild.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
@@ -268,6 +395,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative wildcard validation NSEC using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 b.wild.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxrrset" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative wildcard validation NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS b.wild.nsec3.example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1
@@ -278,6 +415,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative wildcard validation NSEC3 using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 b.wild.nsec3.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxrrset" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative wildcard validation OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS b.wild.optout.example. \
@@ -292,6 +439,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative wildcard validation OPTOUT using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 b.optout.nsec3.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxrrset" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 # Check the insecure.example domain
 
 echo "I:checking 1-server insecurity proof NSEC ($n)"
@@ -306,6 +463,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking 1-server insecurity proof NSEC using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.insecure.example > sample.out$n || ret=1
+   grep "a.insecure.example..*10.0.0.1" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking 1-server insecurity proof NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.insecure.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
@@ -318,6 +485,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking 1-server insecurity proof NSEC3 using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.insecure.nsec3.example > sample.out$n || ret=1
+   grep "a.insecure.nsec3.example..*10.0.0.1" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking 1-server insecurity proof OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.insecure.optout.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
@@ -330,6 +507,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking 1-server insecurity proof OPTOUT using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.insecure.optout.example > sample.out$n || ret=1
+   grep "a.insecure.optout.example..*10.0.0.1" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking 1-server negative insecurity proof NSEC ($n)"
 ret=0
 $DIG $DIGOPTS q.insecure.example. a @10.53.0.3 \
@@ -344,6 +531,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking 1-server negative insecurity proof NSEC using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 q.insecure.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxdomain" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking 1-server negative insecurity proof NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS q.insecure.nsec3.example. a @10.53.0.3 \
@@ -358,6 +555,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking 1-server negative insecurity proof NSEC3 using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 q.insecure.nsec3.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxdomain" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking 1-server negative insecurity proof OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS q.insecure.optout.example. a @10.53.0.3 \
@@ -372,6 +579,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking 1-server negative insecurity proof OPTOUT using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 q.insecure.optout.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxdomain" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking 1-server negative insecurity proof with SOA hack NSEC ($n)"
 ret=0
 $DIG $DIGOPTS r.insecure.example. soa @10.53.0.3 \
@@ -559,6 +776,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking failed validation using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.bogus.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: no valid RRSIG" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 # Try validating with a bad trusted key.
 # This should fail.
 
@@ -594,6 +821,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking that validation fails when key record is missing using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.b.keyless.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: broken trust chain" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:Checking that a bad CNAME signature is caught after a +CD query ($n)"
 ret=0
 #prime
@@ -1434,7 +1671,7 @@ echo "I:testing legacy upper case signer name validation ($n)"
 ret=0
 $DIG +tcp +dnssec -p 5300 +noadd +noauth soa upper.example @10.53.0.4 \
         > dig.out.ns4.test$n 2>&1
-grep 'flags:.* ad;' dig.out.ns4.test$n >/dev/null || ret=1
+grep 'flags:.* ad;' dig.out.ns4.test$n > /dev/null || ret=1
 grep 'RRSIG.*SOA.* UPPER\.EXAMPLE\. ' dig.out.ns4.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -1444,7 +1681,7 @@ echo "I:testing that we lower case signer name ($n)"
 ret=0
 $DIG +tcp +dnssec -p 5300 +noadd +noauth soa LOWER.EXAMPLE @10.53.0.4 \
         > dig.out.ns4.test$n 2>&1
-grep 'flags:.* ad;' dig.out.ns4.test$n >/dev/null || ret=1
+grep 'flags:.* ad;' dig.out.ns4.test$n > /dev/null || ret=1
 grep 'RRSIG.*SOA.* lower\.example\. ' dig.out.ns4.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi

bin/tests/system/genzone.sh

@@ -283,6 +283,10 @@ l64			L64	10 0014:4fff:ff20:ee64
 
 lp			LP	10 example.net.
 
+eui48			EUI48	01-23-45-67-89-ab
+
+eui64			EUI64	01-23-45-67-89-ab-cd-ef
+
 ; type 255
 ; TSIG is a meta-type and should never occur in master files.
 EOF

bin/tests/system/ifconfig.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007-2010, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007-2010, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any

bin/tests/system/lwresd/clean.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2008, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2008, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -21,3 +21,4 @@
 #
 rm -f */named.memstats
 rm -f dig.out
+rm -f lwresd1/lwresd.run.resolv

bin/tests/system/lwresd/tests.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -40,6 +40,11 @@ status=`expr $status + $ret`
 
 echo "I:using resolv.conf"
 ret=0
+for i in 0 1 2 3 4 5 6 7 8 9 
+do
+	grep ' running$' lwresd1/lwresd.run > /dev/null && break
+	sleep 1
+done
 ./lwtest || ret=1
 if [ $ret != 0 ]; then
 	echo "I:failed"
@@ -48,11 +53,17 @@ status=`expr $status + $ret`
 
 $PERL $SYSTEMTESTTOP/stop.pl . lwresd1
 
+mv lwresd1/lwresd.run lwresd1/lwresd.run.resolv
+
 $PERL $SYSTEMTESTTOP/start.pl . lwresd1 -- "-m record,size,mctx -c lwresd.conf -d 99 -g"
 
 echo "I:using lwresd.conf"
 ret=0
-sleep 1 # allow lwresd to finish starting.
+for i in 0 1 2 3 4 5 6 7 8 9 
+do
+	grep ' running$' lwresd1/lwresd.run > /dev/null && break
+	sleep 1
+done
 ./lwtest || ret=1
 if [ $ret != 0 ]; then
 	echo "I:failed"

bin/tests/system/masterformat/ns2/named.conf

@@ -24,6 +24,7 @@ options {
 	pid-file "named.pid";
 	listen-on port 5300 { 10.53.0.2; };
 	listen-on-v6 { none; };
+	port 5300;
 	recursion no;
 	notify no;
 	dnssec-enable yes;

bin/tests/system/masterformat/setup.sh

@@ -1,4 +1,4 @@
-# Copyright (C) 2005-2007, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2005-2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,9 +12,14 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id$
-
+rm -f named-compilezone
 ln -s $CHECKZONE named-compilezone
 rm -f ns1/example.db.raw
 cp ns1/example.db ns2/
+cp ns1/large.db.in ns1/large.db
+awk 'END {
+	 for (i = 0; i < 512; i++ ) { print "a TXT", i; }
+	 for (i = 0; i < 1024; i++ ) { print "b TXT", i; }
+	 for (i = 0; i < 2000; i++ ) { print "c TXT", i; }
+}' < /dev/null >> ns1/large.db
 cd ns1 && sh compile.sh

bin/tests/system/masterformat/tests.sh

@@ -1,46 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2005, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id$
-
-SYSTEMTESTTOP=..
-. $SYSTEMTESTTOP/conf.sh
-
-DIGOPTS="+tcp +noauth +noadd +nosea +nostat +noquest +nocomm +nocmd"
-
-status=0
-
-echo "I:checking that master file in the raw format worked"
-
-for server in 1 2
-do
-	for name in ns mx a aaaa cname dname txt rrsig nsec dnskey ds
-	do
-		$DIG $DIGOPTS $name.example. $name @10.53.0.$server -p 5300
-		echo
-	done > dig.out.$server
-done
-
-diff dig.out.1 dig.out.2 || status=1
-
-echo "I:exit status: $status"
-exit $status
-#!/bin/sh
-#
-# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2005, 2007, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -54,8 +14,6 @@ exit $status
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id$
-
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 

bin/tests/system/nsupdate/tests.sh

@@ -222,6 +222,16 @@ $DIG +tcp version.bind txt ch @10.53.0.1 -p 5300 > dig.out.ns1.$n
 grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
 [ $ret = 0 ] || { echo I:failed; status=1; }
 
+n=`expr $n + 1`
+echo "I:check that address family mismatch is handled ($n)"
+$NSUPDATE <<END > /dev/null 2>&1 && ret=1
+server ::1
+local 127.0.0.1
+update add 600 txt.example.nil in txt "test"
+send
+END
+[ $ret = 0 ] || { echo I:failed; status=1; }
+
 if $PERL -e 'use Net::DNS;' 2>/dev/null
 then
     echo "I:running update.pl test"

bin/tests/system/resolver/clean.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2008-2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2008-2013  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -31,3 +31,4 @@ rm -f ns6/dsset-example.net. ns6/example.net.db.signed.jnl
 rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
 rm -f ns7/server.db ns7/server.db.jnl
 rm -f random.data
+rm -f sample.out

bin/tests/system/resolver/tests.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007, 2009-2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009-2013  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -30,17 +30,44 @@ grep "status: NXDOMAIN" dig.out > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+echo "I:checking non-cachable NXDOMAIN response handling using dns_client"
+   ret=0
+   ${SAMPLE} -p 5300 -t a 10.53.0.1 nxdomain.example.net 2> sample.out || ret=1
+   grep "resolution failed: ncache nxdomain" sample.out > /dev/null || ret=1
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking non-cachable NODATA response handling"
 ret=0
 $DIG +tcp nodata.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
 grep "status: NOERROR" dig.out > /dev/null || ret=1
-
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
+
+if [ -x ${SAMPLE} ] ; then
+    echo "I:checking non-cachable NODATA response handling using dns_client"
+    ret=0
+    ${SAMPLE} -p 5300 -t a 10.53.0.1 nodata.example.net 2> sample.out || ret=1
+    grep "resolution failed: ncache nxrrset" sample.out > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo "I:failed"; fi
+    status=`expr $status + $ret`
+fi
+
 echo "I:checking handling of bogus referrals"
 # If the server has the "INSIST(!external)" bug, this query will kill it.
 $DIG +tcp www.example.com. a @10.53.0.1 -p 5300 >/dev/null || status=1
 
+if [ -x ${SAMPLE} ] ; then
+    echo "I:checking handling of bogus referrals using dns_client"
+    ret=0
+    ${SAMPLE} -p 5300 -t a 10.53.0.1 www.example.com 2> sample.out || ret=1
+    grep "resolution failed: failure" sample.out > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo "I:failed"; fi
+    status=`expr $status + $ret`
+fi
+
 echo "I:check handling of cname + other data / 1"
 $DIG +tcp cname1.example.com. a @10.53.0.1 -p 5300 >/dev/null || status=1
 
@@ -71,6 +98,16 @@ grep "status: NOERROR" dig.out > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+
+if [ -x ${SAMPLE} ] ; then
+    echo "I:checking answer IPv4 address filtering using dns_client (accept)"
+    ret=0
+    ${SAMPLE} -p 5300 -t a 10.53.0.1 www.example.org > sample.out || ret=1
+    grep "www.example.org..*.192.0.2.1" sample.out > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo "I:failed"; fi
+    status=`expr $status + $ret`
+fi
+
 echo "I:checking answer IPv6 address filtering (accept)"
 ret=0
 $DIG +tcp www.example.org @10.53.0.1 aaaa -p 5300 > dig.out || ret=1
@@ -78,6 +115,15 @@ grep "status: NOERROR" dig.out > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+    echo "I:checking answer IPv6 address filtering using dns_client (accept)"
+    ret=0
+    ${SAMPLE} -p 5300 -t aaaa 10.53.0.1 www.example.org > sample.out || ret=1
+    grep "www.example.org..*.2001:db8:beef::1" sample.out > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo "I:failed"; fi
+    status=`expr $status + $ret`
+fi
+
 echo "I:checking CNAME target filtering (deny)"
 ret=0
 $DIG +tcp badcname.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
@@ -92,6 +138,16 @@ grep "status: NOERROR" dig.out > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+    echo "I:checking CNAME target filtering using dns_client (accept)"
+    ret=0
+    ${SAMPLE} -p 5300 -t a 10.53.0.1 goodcname.example.net > sample.out || ret=1
+    grep "goodcname.example.net..*.goodcname.example.org." sample.out > /dev/null || ret=1
+    grep "goodcname.example.org..*.192.0.2.1" sample.out > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo "I:failed"; fi
+    status=`expr $status + $ret`
+fi
+
 echo "I:checking CNAME target filtering (accept due to subdomain)"
 ret=0
 $DIG +tcp cname.sub.example.org @10.53.0.1 a -p 5300 > dig.out || ret=1
@@ -99,6 +155,16 @@ grep "status: NOERROR" dig.out > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+    echo "I:checking CNAME target filtering using dns_client (accept due to subdomain)"
+    ret=0
+    ${SAMPLE} -p 5300 -t a 10.53.0.1 cname.sub.example.org > sample.out || ret=1
+    grep "cname.sub.example.org..*.ok.sub.example.org." sample.out > /dev/null || ret=1
+    grep "ok.sub.example.org..*.192.0.2.1" sample.out > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo "I:failed"; fi
+    status=`expr $status + $ret`
+fi
+
 echo "I:checking DNAME target filtering (deny)"
 ret=0
 $DIG +tcp foo.baddname.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
@@ -113,6 +179,16 @@ grep "status: NOERROR" dig.out > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+    echo "I:checking DNAME target filtering using dns_client (accept)"
+    ret=0
+    ${SAMPLE} -p 5300 -t a 10.53.0.1 foo.gooddname.example.net > sample.out || ret=1
+    grep "foo.gooddname.example.net..*.gooddname.example.org" sample.out > /dev/null || ret=1
+    grep "foo.gooddname.example.org..*.192.0.2.1" sample.out > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo "I:failed"; fi
+    status=`expr $status + $ret`
+fi
+
 echo "I:checking DNAME target filtering (accept due to subdomain)"
 ret=0
 $DIG +tcp www.dname.sub.example.org @10.53.0.1 a -p 5300 > dig.out || ret=1
@@ -120,6 +196,16 @@ grep "status: NOERROR" dig.out > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+    echo "I:checking DNAME target filtering using dns_client (accept due to subdomain)"
+    ret=0
+    ${SAMPLE} -p 5300 -t a 10.53.0.1 www.dname.sub.example.org > sample.out || ret=1
+    grep "www.dname.sub.example.org..*.ok.sub.example.org." sample.out > /dev/null || ret=1
+    grep "www.ok.sub.example.org..*.192.0.2.1" sample.out > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo "I:failed"; fi
+    status=`expr $status + $ret`
+fi
+
 n=`expr $n + 1`
 echo "I: RT21594 regression test check setup ($n)"
 ret=0

bin/tests/system/rpz/Makefile.in

@@ -1,4 +1,4 @@
-# Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.3 2011-01-13 04:59:24 tbox Exp $
+# $Id$
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@

bin/tests/system/rpz/clean.sh

@@ -1,4 +1,4 @@
-# Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -14,11 +14,10 @@
 
 # $Id$
 
-
 # Clean up after rpz tests.
 
-rm -f proto.*  dsset-* random.data trusted.conf dig.out* nsupdate.tmp ns*/*tmp
+rm -f proto.* dsset-* random.data trusted.conf dig.out* nsupdate.tmp ns*/*tmp
 rm -f ns*/*.key ns*/*.private ns2/tld2s.db
 rm -f ns3/bl*.db ns*/*switch ns5/requests ns5/example.db ns5/bl.db ns5/*.perf
-rm -f */named.memstats */named.run */named.rpz */session.key
+rm -f */named.memstats */named.run */named.stats */session.key
 rm -f */*.jnl */*.core */*.pid

bin/tests/system/rpz/ns1/named.conf

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above

bin/tests/system/rpz/ns1/root.db

@@ -1,4 +1,4 @@
-; Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -15,10 +15,9 @@
 ; $Id$
 
 $TTL	120
-@		SOA	ns. hostmaster.ns. ( 1 3600 1200 604800 60 )
-@		NS	ns.
+.		SOA	ns. hostmaster.ns. ( 1 3600 1200 604800 60 )
+		NS	ns.
 ns.		A	10.53.0.1
-.		A	10.53.0.1
 
 ; rewrite responses from this zone
 tld2.		NS	ns.tld2.
@@ -34,3 +33,7 @@ ns.tld3.	A	10.53.0.3
 ; rewrite responses from this zone
 tld4.		NS	ns.tld4.
 ns.tld4.	A	10.53.0.4
+
+; performance test
+tld5.		NS	ns.tld5.
+ns.tld5.	A	10.53.0.5

bin/tests/system/rpz/ns2/base-tld2s.db

@@ -1,4 +1,4 @@
-; Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,8 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: base-tld2s.db,v 1.1.2.1 2012/02/24 17:22:37 vjs Exp $
+; $Id$
+
 
 
 ; RPZ rewrite responses from this signed zone

bin/tests/system/rpz/ns2/hints

@@ -1,4 +1,4 @@
-; Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +14,5 @@
 
 ; $Id$
 
-
-.	0	NS	ns1.
-ns1.	0	A	10.53.0.1
+.	120	NS	ns.
+ns.	120	A	10.53.0.1

bin/tests/system/rpz/ns2/named.conf

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above

bin/tests/system/rpz/ns2/tld2.db

@@ -1,4 +1,4 @@
-; Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above

bin/tests/system/rpz/ns3/base.db

@@ -1,4 +1,4 @@
-; Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,6 @@
 
 ; $Id$
 
-
 ; RPZ test
 ;   This basic file is copied to several zone files before being used.
 ;   Its contents are also changed with nsupdate
@@ -40,3 +39,10 @@ ns	A	10.53.0.3
 redirect	A       127.0.0.1
 *.redirect	A       127.0.0.1
 *.credirect	CNAME   google.com.
+
+
+; names in the RPZ TLDs that some say should not be rewritten.
+; This is not a bug, because any data leaked by writing 24.4.3.2.10.rpz-ip
+; (or whatever) is available by publishing "foo A 10.2.3.4" and then
+; resolving foo.
+32.3.2.1.127.rpz-ip					CNAME	walled.invalid.

bin/tests/system/rpz/ns3/crash1

@@ -1,4 +1,4 @@
-; Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -12,8 +12,6 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id$
-
 ; a bad zone that caused a crash related to dns_rdataset_disassociate()
 
 $TTL	120

bin/tests/system/rpz/ns3/crash2

@@ -1,4 +1,4 @@
-; Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -12,8 +12,6 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id$
-
 ; a valid zone containing records that caused crashes
 
 $TTL	120

bin/tests/system/rpz/ns3/hints

@@ -1,4 +1,4 @@
-; Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +14,5 @@
 
 ; $Id$
 
-
-.	0	NS	ns1.
-ns1.	0	A	10.53.0.1
+.	120	NS	ns.
+ns.	120	A	10.53.0.1

bin/tests/system/rpz/ns3/named.conf

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -27,6 +27,7 @@ options {
 	transfer-source 10.53.0.3;
 	port 5300;
 	pid-file "named.pid";
+	statistics-file	"named.stats";
 	session-keyfile "session.key";
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { none; };
@@ -44,7 +45,7 @@ options {
 	    zone "bl-cname"	policy cname txt-only.tld2.;
 	    zone "bl-wildcname"	policy cname *.tld4.;
 	    zone "bl-garden"	policy cname a12.tld2.;
-	};
+	} min-ns-dots 0;
 };
 
 key rndc_key {
@@ -55,17 +56,6 @@ controls {
 	inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
 };
 
-logging {
-	# change "-c named.conf -d 99 -g" to "-c named.conf -d 99 -f"
-	#   in ../start.pl to check the rpz log category
-	channel rpz { severity debug 10;
-		print-category yes; print-time yes; print-severity yes;
-		file "named.rpz";};
-	category rpz { default_stderr; rpz; };
-	category queries { default_stderr; rpz; };
-	category query-errors { default_stderr; };
-};
-
 
 // include "../trusted.conf";
 zone "." { type hint; file "hints"; };

bin/tests/system/rpz/ns4/hints

@@ -1,4 +1,4 @@
-; Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -14,5 +14,5 @@
 
 ; $Id$
 
-.	0	NS	ns1.
-ns1.	0	A	10.53.0.1
+.	120	NS	ns.
+ns.	120	A	10.53.0.1

bin/tests/system/rpz/ns4/named.conf

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above

bin/tests/system/rpz/ns4/tld4.db

@@ -1,4 +1,4 @@
-; Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above

bin/tests/system/rpz/ns5/hints

@@ -1,4 +1,4 @@
-; Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +14,5 @@
 
 ; $Id$
 
-
-.	0	NS	ns1.
-ns1.	0	A	10.53.0.1
+.	120	NS	ns.
+ns.	120	A	10.53.0.1

bin/tests/system/rpz/ns5/named.args

@@ -0,0 +1,3 @@
+# run the performace test close to real life
+
+-c named.conf -g

bin/tests/system/rpz/ns5/named.conf

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,6 @@
 
 /* $Id$ */
 
-
 /*
  * Test rpz performance.
  */
@@ -27,12 +26,13 @@ options {
 	transfer-source 10.53.0.5;
 	port 5300;
 	pid-file "named.pid";
+	statistics-file "named.stats";
 	session-keyfile "session.key";
 	listen-on { 10.53.0.5; };
 	listen-on-v6 { none; };
 	notify no;
 
-	# Eventually turn rpz on.
+	# turn rpz on or off
 	include "rpz-switch";
 };
 
@@ -40,12 +40,17 @@ key rndc_key {
 	secret "1234abcd8765";
 	algorithm hmac-md5;
 };
-controls { inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; }; };
+controls {
+	inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; };
+};
 
 
 include "../trusted.conf";
 zone "."		{type hint; file "hints"; };
 
-zone "example.com."	{type master; file "example.db"; };
+zone "tld5."		{type master; file "tld5.db"; };
+zone "example.tld5."	{type master; file "example.db"; };
 
-zone "bl."		{type master; file "bl.db"; };
+zone "bl0."		{type master; file "bl.db"; };
+zone "bl1."		{type master; file "bl.db"; };
+zone "bl2."		{type master; file "bl.db"; };

bin/tests/system/rpz/ns5/tld5.db

@@ -0,0 +1,67 @@
+; Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+
+
+; RPZ preformance test
+
+$TTL	120
+@	SOA	.  hostmaster.ns.example.tld5. ( 1 3600 1200 604800 60 )
+	NS	ns
+	NS	ns1
+	NS	ns2
+	NS	ns3
+	NS	ns4
+	NS	ns5
+	NS	ns6
+	NS	ns7
+	NS	ns8
+	NS	ns9
+	NS	ns10
+	NS	ns11
+	NS	ns12
+	NS	ns13
+	NS	ns14
+	NS	ns15
+	NS	ns16
+	NS	ns17
+	NS	ns18
+	NS	ns19
+ns	A	10.53.0.5
+ns1	A	10.53.0.5
+ns2	A	10.53.0.5
+ns3	A	10.53.0.5
+ns4	A	10.53.0.5
+ns5	A	10.53.0.5
+ns6	A	10.53.0.5
+ns7	A	10.53.0.5
+ns8	A	10.53.0.5
+ns9	A	10.53.0.5
+ns10	A	10.53.0.5
+ns11	A	10.53.0.5
+ns12	A	10.53.0.5
+ns13	A	10.53.0.5
+ns14	A	10.53.0.5
+ns15	A	10.53.0.5
+ns16	A	10.53.0.5
+ns17	A	10.53.0.5
+ns18	A	10.53.0.5
+ns19	A	10.53.0.5
+
+
+$ORIGIN	example.tld5.
+example.tld5.	NS	ns
+		NS	ns1
+ns		A	10.53.0.5
+ns1		A	10.53.0.5

bin/tests/system/rpz/qperf.sh

@@ -1,6 +1,6 @@
 #! /bin/sh
 #
-# Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,8 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: qperf.sh,v 1.1.2.1 2011/10/15 23:03:37 vjs Exp $
+# $Id$
+
 
 for QDIR in `echo "$PATH" | tr : ' '` ../../../../contrib/queryperf; do
     QPERF=$QDIR/queryperf

bin/tests/system/rpz/rpz.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above

bin/tests/system/rpz/setup.sh

@@ -1,6 +1,6 @@
 #! /bin/sh
 #
-# Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -48,19 +48,22 @@ signzone ns2 tld2s. base-tld2s.db tld2s.db
 
 
 # Performance checks.
-# First with rpz off.
 cat <<EOF >ns5/rpz-switch
-response-policy {zone "bl";}
-    recursive-only no
-    max-policy-ttl 90
-    break-dnssec yes;
+response-policy {
+	zone "bl0"; zone "bl1"; zone "bl2";
+    } recursive-only no
+	max-policy-ttl 90
+	# min-ns-dots 0
+	break-dnssec yes;
 EOF
 
 cat <<EOF >ns5/example.db
 \$TTL	120
-@	SOA	.  hostmaster.ns.example. ( 1 3600 1200 604800 60 )
+@	SOA	.  hostmaster.ns.example.tld5. ( 1 3600 1200 604800 60 )
 	NS	ns
+	NS	ns1
 ns	A	10.53.0.5
+ns1	A	10.53.0.5
 EOF
 
 cat <<EOF >ns5/bl.db
@@ -71,31 +74,26 @@ ns		A	10.53.0.5
 
 ; used only in failure for "recursive-only no" in #8 test5
 a3-5.tld2	CNAME	*.
-; for "break-dnssec" in #9 test5
+; for "break-dnssec" in #9 & #10 test5
 a3-5.tld2s	CNAME	*.
-; for "max-policy-ttl 90" in test5
+; for "max-policy-ttl 90" in #17 test5
 a3-17.tld2	500 A	17.17.17.17
 
-; dummy NSDNAME policies to trigger lookups
-ns-1.example.com.rpz-nsdname	CNAME	.
-ns-2.example.com.rpz-nsdname	CNAME	.
-ns-3.example.com.rpz-nsdname	CNAME	.
-ns-4.example.com.rpz-nsdname	CNAME	.
-ns-5.example.com.rpz-nsdname	CNAME	.
+; dummy NSDNAME policy to trigger lookups
+ns1.x.rpz-nsdname	CNAME	.
 EOF
 
 if test -n "$QPERF"; then
     # do not build the full zones if we will not use them to avoid the long
     # time otherwise required to shut down the server
     $PERL -e 'for ($val = 1; $val <= 65535; ++$val) {
-	printf("host-%d-%d\tA    192.168.%d.%d\n",
-		$val/256, $val%256, $val/256, $val%256);
+	printf("host-%05d\tA    192.168.%d.%d\n", $val, $val/256, $val%256);
 	}' >>ns5/example.db
 
     echo >>ns5/bl.db
     echo "; rewrite some names" >>ns5/bl.db
     $PERL -e 'for ($val = 2; $val <= 65535; $val += 69) {
-	printf("host-%d.sub%d.example.com\tCNAME\t.\n", $val/256, $val%256);
+	printf("host-%05d.example.tld5\tCNAME\t.\n", $val);
 	}' >>ns5/bl.db
 
     echo >>ns5/bl.db
@@ -103,13 +101,11 @@ if test -n "$QPERF"; then
     $PERL -e 'for ($val = 3; $val <= 65535; $val += 69) {
 	printf("32.%d.%d.168.192.rpz-ip  \tCNAME\t.\n",
 		$val%256, $val/256);
-	printf("32.%d.%d.168.192.rpz-nsip\tCNAME\t.\n",
-		($val+1)%256, ($val+1)/256);
 	}' >>ns5/bl.db
 fi
 
 # some psuedo-random queryperf requests
-$PERL -e 'for ($cnt = $val = 1; $cnt <= 2000; ++$cnt) {
-	printf("host-%d.sub%d.example.com A\n", $val%256, $val/256);
-		$val = ($val * 9 + 32771) % 65536;
+$PERL -e 'for ($cnt = $val = 1; $cnt <= 3000; ++$cnt) {
+	printf("host-%05d.example.tld5 A\n", $val);
+	$val = ($val * 9 + 32771) % 65536;
 	}' >ns5/requests

bin/tests/system/rpz/test1

@@ -1,4 +1,4 @@
-; Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -12,9 +12,6 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id$
-
-
 ; Use comment lines instead of blank lines to combine update requests into
 ;	single requests
 ; Separate update requests for distinct TLDs with blank lines or 'send'
@@ -31,7 +28,7 @@ update add  a0-1.tld2.bl.	300 CNAME .
 ;	3, 21
 update add  a3-1.tld2.bl.	300 CNAME *.
 ; and no assert-botch
-;	5, 22
+;	4, 5, 22, 23
 update add  a3-2.tld2.bl.	300 DNAME example.com.
 ;
 ; NXDOMAIN for a4-2-cname.tld2 via its target a4-2.tld2.

bin/tests/system/rpz/test2

@@ -1,4 +1,4 @@
-; Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -12,9 +12,6 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id$
-
-
 ; Use comment lines instead of blank lines to combine update requests into
 ;	single requests
 ; Separate update requests for distinct TLDs with blank lines or 'send'
@@ -45,7 +42,7 @@ update add  32.3.4.168.192.rpz-ip.bl	300 CNAME *.
 ;	9
 update add  128.1.zz.3.2.2001.rpz-ip.bl	300 CNAME .
 ;
-; apply the policy with the lexically smallest address of 192.168.5.1
+; apply the policy with the lexically smaller trigger address of 192.168.5.1
 ; to an RRset of more than one A RR
 ;	11
 update add  32.1.5.168.192.rpz-ip.bl	300 A	127.0.0.1

bin/tests/system/rpz/test3

@@ -1,4 +1,4 @@
-; Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -12,9 +12,6 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id$
-
-
 ; Use comment lines instead of blank lines to combine update requests into
 ;	single requests
 ; Separate update requests for distinct TLDs with blank lines or 'send'
@@ -24,20 +21,24 @@
 
 server 10.53.0.3 5300
 
+;	3, 4, 5
 ; NXDOMAIN for *.sub1.tld2 by NSDNAME
 update add  *.sub1.tld2.rpz-nsdname.bl.	300 CNAME .
 ;
+;	6
 ; walled garden for *.sub2.tld2
 update add  *.sub2.tld2.rpz-nsdname.bl.	300 CNAME a12-cname.tld2.
 ;
+;	7, 8
 ; exempt a3-2.tld2 and anything in 192.168.0.0/24
 ;   also checks that IP policies are preferred over NSDNAME policies
 update add  a3-2.tld2.bl		300 CNAME a3-2.tld2.
 update add  24.0.0.168.192.rpz-ip.bl	300 CNAME 24.0.0.168.192.
 ;
+;	9
 ; prefer QNAME policy to NSDNAME policy
 update add  a4-1.tld2.bl.		300 A 12.12.12.12
-;
+;	10
 ; prefer policy for largest NS name
 update add  ns.sub3.tld2.rpz-nsdname.bl.	300 A	127.0.0.1
 update add  ns.subsub.sub3.tld2.rpz-nsdname.bl. 300 A	127.0.0.2

bin/tests/system/rpz/test4

@@ -1,4 +1,4 @@
-; Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -12,9 +12,6 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id$
-
-
 ; Use comment lines instead of blank lines to combine update requests into
 ;	single requests
 ; Separate update requests for distinct TLDs with blank lines or 'send'

bin/tests/system/rpz/test4a

@@ -0,0 +1,30 @@
+; Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+
+
+; Use comment lines instead of blank lines to combine update requests into
+;	single requests
+; Separate update requests for distinct TLDs with blank lines or 'send'
+; End the file with a blank line or 'send'
+
+; walled-garden NSIP tests
+
+server 10.53.0.3 5300
+
+; rewrite all of tld2 based on its server IP address
+update add  32.2.0.53.10.rpz-nsip.bl.	300 A	    41.41.41.41
+update add  32.2.0.53.10.rpz-nsip.bl.	300 AAAA    2041::41
+update add  32.2.0.53.10.rpz-nsip.bl.	300 TXT	    "NSIP walled garden"
+send

bin/tests/system/rpz/test5

@@ -1,4 +1,4 @@
-; Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -12,9 +12,6 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id$
-
-
 ; Use comment lines instead of blank lines to combine update requests into
 ;	single requests
 ; Separate update requests for distinct TLDs with blank lines or 'send'

bin/tests/system/rpz/tests.sh

@@ -1,4 +1,4 @@
-# Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,8 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.12 2012/01/07 23:46:53 tbox Exp $
+# $Id$
+
 
 # test response policy zones (RPZ)
 
@@ -27,6 +28,8 @@ ns4=$ns.4			    # another server that is rewritten
 ns5=$ns.5			    # check performance with this server
 
 HAVE_CORE=
+SAVE_RESULTS=
+NS3_STATS=47
 
 USAGE="$0: [-x]"
 while getopts "x" c; do
@@ -43,11 +46,18 @@ fi
 # really quit on control-C
 trap 'exit 1' 1 2 15
 
+TS='%H:%M:%S '
+TS=
+comment () {
+    if test -n "$TS"; then
+	date "+I:${TS}$*"
+    fi
+}
 
 RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s"
 
 digcmd () {
-    digcmd_args="+noadd +nosearch +time=1 +tries=1 -p 5300 $*"
+    digcmd_args="+noadd +time=1 +tries=1 -p 5300 $*"
     expr "$digcmd_args" : '.*@' >/dev/null || \
 	digcmd_args="$digcmd_args @$ns3"
     expr "$digcmd_args" : '.*+[no]*auth' >/dev/null || \
@@ -70,16 +80,17 @@ make_dignm () {
 
 setret () {
     ret=1
+    status=`expr $status + 1`
     echo "$*"
 }
 
 # (re)load the reponse policy zones with the rules in the file $TEST_FILE
 load_db () {
     if test -n "$TEST_FILE"; then
-	if $NSUPDATE -v $TEST_FILE; then : ; else
+	$NSUPDATE -v $TEST_FILE || {
 	    echo "I:failed to update policy zone with $TEST_FILE"
 	    exit 1
-	fi
+	}
     fi
 }
 
@@ -122,10 +133,21 @@ ckalive () {
     return 1
 }
 
+# check that statistics for $1 in $2 = $3
+ckstats () {
+    $RNDCCMD $1 stats
+    CNT=`sed -n -e 's/[	 ]*\([0-9]*\).response policy.*/\1/p'  \
+		    $2/named.stats`
+    CNT=`expr 0$CNT + 0`
+    if test "$CNT" -ne $3; then
+	setret "I:wrong $2 statistics of $CNT instead of $3"
+    fi
+}
+
 # $1=message  $2=optional test file name
 start_group () {
     ret=0
-    test -n "$1" && echo "I:checking $1"
+    test -n "$1" && date "+I:${TS}checking $1"
     TEST_FILE=$2
     if test -n "$TEST_FILE"; then
 	GROUP_NM="-$TEST_FILE"
@@ -138,33 +160,25 @@ start_group () {
 
 end_group () {
     if test -n "$TEST_FILE"; then
+	# remove the previous set of test rules
 	sed -e 's/[	 ]add[	 ]/ delete /' $TEST_FILE | $NSUPDATE
 	TEST_FILE=
     fi
     ckalive $ns3 "I:failed; ns3 server crashed and restarted"
-    if test "$status" -eq 0; then
-	# look for complaints from rpz.c
-	EMSGS=`grep -l 'invalid rpz' */*.run`
-	if test -n "$EMSGS"; then
-	    setret "I:'invalid rpz' complaints in $EMSGS starting with:"
-	    grep 'invalid rpz' */*.run | sed -e '4,$d' -e 's/^/I:    /'
-	fi
-	# look for complaints from rpz.c and query.c
-	EMSGS=`grep -l 'rpz .*failed' */*.run`
-	if test -n "$EMSGS"; then
-	    setret "I:'rpz failed' complaints in $EMSGS starting with:"
-	    grep 'rpz .*failed' */*.run | sed -e '4,$d' -e 's/^/I:    /'
-	fi
-    fi
-    status=`expr $status + $ret`
     GROUP_NM=
 }
 
+clean_result () {
+    if test -z "$SAVE_RESULTS"; then
+	rm -f $*
+    fi
+}
+
 # $1=dig args $2=other dig output file
 ckresult () {
     #ckalive "$1" "I:server crashed by 'dig $1'" || return 1
     if $PERL $SYSTEMTESTTOP/digcomp.pl $DIGNM $2 >/dev/null; then
-	rm -f ${DIGNM}*
+	clean_result ${DIGNM}*
 	return 0
     fi
     setret "I:'dig $1' wrong; diff $DIGNM $2"
@@ -208,7 +222,7 @@ addr () {
     digcmd $2 >$DIGNM
     #ckalive "$2" "I:server crashed by 'dig $2'" || return 1
     ADDR_ESC=`echo "$ADDR" | sed -e 's/\./\\\\./g'`
-    ADDR_TTL=`sed -n -e  "s/^[-.a-z0-9]\{1,\}	*\([0-9]*\)	IN	A\{1,4\}	${ADDR_ESC}\$/\1/p" $DIGNM`
+    ADDR_TTL=`sed -n -e "s/^[-.a-z0-9]\{1,\}	*\([0-9]*\)	IN	AA*	${ADDR_ESC}\$/\1/p" $DIGNM`
     if test -z "$ADDR_TTL"; then
 	setret "I:'dig $2' wrong; no address $ADDR record in $DIGNM"
 	return 1
@@ -217,7 +231,7 @@ addr () {
 	setret "I:'dig $2' wrong; TTL=$ADDR_TTL instead of $3 in $DIGNM"
 	return 1
     fi
-    rm -f ${DIGNM}*
+    clean_result ${DIGNM}*
 }
 
 # check that a response is not rewritten
@@ -226,7 +240,7 @@ nochange () {
     make_dignm
     digcmd $* >$DIGNM
     digcmd $* @$ns2 >${DIGNM}_OK
-    ckresult "$*" ${DIGNM}_OK && rm -f ${DIGNM}_OK
+    ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK
 }
 
 # check against a 'here document'
@@ -248,8 +262,8 @@ start_group "QNAME rewrites" test1
 nochange .				# 1 do not crash or rewrite root
 nxdomain a0-1.tld2			# 2
 nodata a3-1.tld2			# 3
-nodata a3-2.tld2			# 4 no crash on DNAME
-nodata sub.a3-2.tld2
+nodata a3-2.tld2			# 4 nodata at DNAME itself
+nochange sub.a3-2.tld2			# 5 miss where DNAME might work
 nxdomain a4-2.tld2			# 6 rewrite based on CNAME target
 nxdomain a4-2-cname.tld2		# 7
 nodata a4-3-cname.tld2			# 8
@@ -313,8 +327,9 @@ nochange a5-1-2.tld2
 end_group
 
 if ./rpz nsdname; then
+    # these tests assume "min-ns-dots 0"
     start_group "NSDNAME rewrites" test3
-    nochange a3-1.tld2
+    nochange a3-1.tld2			# 1
     nochange a3-1.tld2	    +dnssec	# 2 this once caused problems
     nxdomain a3-1.sub1.tld2		# 3 NXDOMAIN *.sub1.tld2 by NSDNAME
     nxdomain a3-1.subsub.sub1.tld2
@@ -327,19 +342,31 @@ if ./rpz nsdname; then
     addr 127.0.0.2 a3-1.subsub.sub3.tld2
     nxdomain xxx.crash1.tld2		# 12 dns_db_detachnode() crash
     end_group
+    NS3_STATS=`expr $NS3_STATS + 7`
 else
-    echo "I:NSDNAME not checked; named not configured with --enable-rpz-nsdname"
+    echo "I:NSDNAME not checked; named configured with --disable-rpz-nsdname"
 fi
 
 if ./rpz nsip; then
+    # these tests assume "min-ns-dots 0"
     start_group "NSIP rewrites" test4
-    nxdomain a3-1.tld2			# 1 NXDOMAIN for all of tld2 by NSIP
+    nxdomain a3-1.tld2			# 1 NXDOMAIN for all of tld2
     nochange a3-2.tld2.			# 2 exempt rewrite by name
     nochange a0-1.tld2.			# 3 exempt rewrite by address block
     nochange a3-1.tld4			# 4 different NS IP address
     end_group
+
+#    start_group "walled garden NSIP rewrites" test4a
+#    addr 41.41.41.41 a3-1.tld2		# 1 walled garden for all of tld2
+#    addr 2041::41   'a3-1.tld2 AAAA'	# 2 walled garden for all of tld2
+#    here a3-1.tld2 TXT <<'EOF'		# 3 text message for all of tld2
+#    ;; status: NOERROR, x
+#    a3-1.tld2.	    x	IN	TXT   "NSIP walled garden"
+#EOF
+#    end_group
+    NS3_STATS=`expr $NS3_STATS + 1`
 else
-    echo "I:NSIP not checked; named not configured with --enable-rpz-nsip"
+    echo "I:NSIP not checked; named configured with --disable-rpz-nsip"
 fi
 
 # policies in ./test5 overridden by response-policy{} in ns3/named.conf
@@ -377,6 +404,11 @@ for Q in RRSIG SIG ANY 'ANY +dnssec'; do
     nocrash www.redirect -t$Q
     nocrash www.credirect -t$Q
 done
+
+# This is not a bug, because any data leaked by writing 24.4.3.2.10.rpz-ip
+# (or whatever) is available by publishing "foo A 10.2.3.4" and then
+# resolving foo.
+# nxdomain 32.3.2.1.127.rpz-ip
 end_group
 
 
@@ -384,55 +416,56 @@ end_group
 QPERF=`sh qperf.sh`
 if test -n "$QPERF"; then
     perf () {
-	echo "I:checking performance $1"
-	# don't measure the costs of -d99
-	$RNDCCMD $ns5 notrace >/dev/null
-	$QPERF -1 -l2 -d ns5/requests -s $ns5 -p 5300 >ns5/$2.perf
+	date "+I:${TS}checking performance $1"
+	# Dry run to prime everything
+	comment "before dry run $1"
+	$QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p 5300 >/dev/null
+	comment "before real test $1"
+	PFILE="ns5/$2.perf"
+	$QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p 5300 >$PFILE
+	comment "after test $1"
+	X=`sed -n -e 's/.*Returned *\([^ ]*:\) *\([0-9]*\) .*/\1\2/p' $PFILE \
+		| tr '\n' ' '`
+	if test "$X" != "$3"; then
+	    setret "I:wrong results '$X' in $PFILE"
+	fi
 	ckalive $ns5 "I:failed; server #5 crashed"
     }
     trim () {
 	sed -n -e 's/.*Queries per second: *\([0-9]*\).*/\1/p' ns5/$1.perf
     }
 
-    # Dry run to prime disk cache
-    #	Otherwise a first test of either flavor is 25% low
-    perf 'to prime disk cache' rpz
-
-    # get queries/second with rpz
-    perf 'with rpz' rpz
-
-    # turn off rpz and measure queries/second again
-    # Don't wait for a clean stop.  Clean stops of this server need seconds
-    # until the sockets are closed.  5 or 10 seconds after that, the
-    # server really stops and deletes named.pid.
-    echo "# rpz off" >ns5/rpz-switch
-    PID=`cat ns5/named.pid`
-    test -z "$PID" || kill -9 "$PID"
-    $PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns5
-    perf 'without rpz' norpz
-
-    # Don't wait for a clean stop.  Clean stops of this server need seconds
-    # until the sockets are closed.  5 or 10 seconds after that, the
-    # server really stops and deletes named.pid.
-    echo "# rpz off" >ns5/rpz-switch
-    PID=`cat ns5/named.pid`
-    test -z "$PID" || kill -9 "$PID" && rm -f ns5/named.pid
-
-    NORPZ=`trim norpz`
+    # get qps with rpz
+    perf 'with rpz' rpz 'NOERROR:2900 NXDOMAIN:100 '
     RPZ=`trim rpz`
-    echo "I:$RPZ qps with RPZ versus $NORPZ qps without"
 
-    # fail if RPZ costs more than 100%
-    NORPZ2=`expr "$NORPZ" / 2`
-    if test "$RPZ" -le "$NORPZ2"; then
-	echo "I:rpz $RPZ qps too far below non-RPZ $NORPZ qps"
-	status=`expr $status + 1`
+    # turn off rpz and measure qps again
+    echo "# rpz off" >ns5/rpz-switch
+    RNDCCMD_OUT=`$RNDCCMD $ns5 reload`
+    perf 'without rpz' norpz 'NOERROR:3000 '
+    NORPZ=`trim norpz`
+
+    PERCENT=`expr \( "$RPZ" \* 100 + \( $NORPZ / 2 \) \) / $NORPZ`
+    echo "I:$RPZ qps with rpz is $PERCENT% of $NORPZ qps without rpz"
+
+    MIN_PERCENT=30
+    if test "$PERCENT" -lt $MIN_PERCENT; then
+	setret "I:$RPZ qps with rpz or $PERCENT% is below $MIN_PERCENT% of $NORPZ qps"
     fi
+
+    if test "$PERCENT" -ge 100; then
+	setret "I:$RPZ qps with RPZ or $PERCENT% of $NORPZ qps without RPZ is too high"
+    fi
+
+    ckstats $ns5 ns5 203
+
 else
     echo "I:performance not checked; queryperf not available"
 fi
 
 
+ckstats $ns3 ns3 55
+
 # restart the main test RPZ server to see if that creates a core file
 if test -z "$HAVE_CORE"; then
     $PERL $SYSTEMTESTTOP/stop.pl . ns3
@@ -441,6 +474,12 @@ if test -z "$HAVE_CORE"; then
     test -z "$HAVE_CORE" || setret "I:found $HAVE_CORE; memory leak?"
 fi
 
+# look for complaints from lib/dns/rpz.c and bin/name/query.c
+EMSGS=`egrep -l 'invalid rpz|rpz.*failed' ns*/named.run`
+if test -n "$EMSGS"; then
+    setret "I:error messages in $EMSGS starting with:"
+    egrep 'invalid rpz|rpz.*failed' ns*/named.run | sed -e '10,$d' -e 's/^/I:  /'
+fi
 
 echo "I:exit status: $status"
 exit $status

bin/tests/system/tkey/clean.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -17,7 +17,6 @@
 
 # $Id$
 
-rm -f dig.out.* random.data ns1/named.conf
+rm -f dig.out.* rndc.out.* random.data ns1/named.conf
 rm -f K* ns1/K*
 rm -f */named.memstats
-rm -f rndc.out

bin/tests/system/tkey/ns1/example.db

@@ -0,0 +1,30 @@
+; Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 1D
+
+@			IN SOA	ns hostmaster (
+				1
+				3600
+				1800
+				1814400
+				3
+				)
+			NS	ns
+ns			A	10.53.0.1
+mx			MX	10 mail
+a			A	10.53.0.1
+			A	10.53.0.2
+txt			TXT	"this is text"
+

bin/tests/system/tkey/ns1/named.conf.in

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -47,3 +47,9 @@ key "tkeytest." {
 	algorithm hmac-md5;
 	secret "0123456789ab";
 };
+
+zone example {
+        type master;
+        file "example.db";
+        allow-query { key tkeytest.; none; };
+};

bin/tests/system/tkey/setup.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -19,6 +19,8 @@
 
 RANDFILE=random.data
 
+sh clean.sh
+
 ../../../tools/genrandom 100 $RANDFILE
 
 cd ns1 && sh setup.sh

bin/tests/system/tkey/tests.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -31,6 +31,7 @@ ret=0
 dhkeyname=`$KEYGEN -T KEY -a DH -b 768 -n host -r $RANDFILE client` || ret=1
 if [ $ret != 0 ]; then
 	echo "I:failed"
+	status=`expr $status + $ret`
 	echo "I:exit status: $status"
 	exit $status
 fi
@@ -43,6 +44,7 @@ do
 	keyname=`./keycreate $dhkeyname $owner` || ret=1
 	if [ $ret != 0 ]; then
 		echo "I:failed"
+		status=`expr $status + $ret`
 		echo "I:exit status: $status"
 		exit $status
 	fi
@@ -84,6 +86,7 @@ ret=0
 keyname=`./keycreate $dhkeyname bar.example.` || ret=1
 if [ $ret != 0 ]; then
         echo "I:failed"
+	status=`expr $status + $ret`
         echo "I:exit status: $status"
         exit $status
 fi
@@ -91,8 +94,17 @@ status=`expr $status + $ret`
 
 echo "I:checking the key with 'rndc tsig-list'"
 ret=0
-$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 tsig-list > rndc.out
-grep "key \"bar.example.server" rndc.out > /dev/null || ret=1
+$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 tsig-list > rndc.out.1
+grep "key \"bar.example.server" rndc.out.1 > /dev/null || ret=1
+if [ $ret != 0 ]; then
+        echo "I:failed"
+fi
+status=`expr $status + $ret`
+
+echo "I:using key in a request"
+ret=0
+$DIG $DIGOPTS -k $keyname txt.example txt > dig.out.3 || ret=1
+grep "status: NOERROR" dig.out.3 > /dev/null || ret=1
 if [ $ret != 0 ]; then
         echo "I:failed"
 fi
@@ -101,8 +113,39 @@ status=`expr $status + $ret`
 echo "I:deleting the key with 'rndc tsig-delete'"
 ret=0
 $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 tsig-delete bar.example.server > /dev/null || ret=1
-$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 tsig-list > rndc.out
-grep "key \"bar.example.server" rndc.out > /dev/null && ret=1
+$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 tsig-list > rndc.out.2
+grep "key \"bar.example.server" rndc.out.2 > /dev/null && ret=1
+$DIG $DIGOPTS -k $keyname txt.example txt > dig.out.4 || ret=1
+grep "TSIG could not be validated" dig.out.4 > /dev/null || ret=1
+if [ $ret != 0 ]; then
+        echo "I:failed"
+fi
+status=`expr $status + $ret`
+
+echo "I:recreating the bar.example. key"
+ret=0
+keyname=`./keycreate $dhkeyname bar.example.` || ret=1
+if [ $ret != 0 ]; then
+        echo "I:failed"
+	status=`expr $status + $ret`
+        echo "I:exit status: $status"
+        exit $status
+fi
+status=`expr $status + $ret`
+
+echo "I:checking the new key with 'rndc tsig-list'"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 tsig-list > rndc.out.3
+grep "key \"bar.example.server" rndc.out.3 > /dev/null || ret=1
+if [ $ret != 0 ]; then
+        echo "I:failed"
+fi
+status=`expr $status + $ret`
+
+echo "I:using the new key in a request"
+ret=0
+$DIG $DIGOPTS -k $keyname txt.example txt > dig.out.5 || ret=1
+grep "status: NOERROR" dig.out.5 > /dev/null || ret=1
 if [ $ret != 0 ]; then
         echo "I:failed"
 fi

bin/tests/system/wildcard/clean.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -22,6 +22,7 @@ rm -f ns1/K*
 rm -f ns1/*.db
 rm -f ns1/*.signed
 rm -f ns1/dsset-*
+rm -f ns1/keyset-*
 rm -f ns1/trusted.conf
 rm -f ns1/private.nsec.conf
 rm -f ns1/private.nsec3.conf

bin/tests/system/wildcard/ns1/dlv.db.in

@@ -0,0 +1,19 @@
+; Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id$
+
+$TTL 120
+@	SOA a.root-servers.nil. hostmaster.root-servers.nil. 1 1800 900 604800 86400
+@	NS  a.root-servers.nil.

bin/tests/system/wildcard/ns1/named.conf

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -33,6 +33,8 @@ options {
 
 zone "." { type master; file "root.db.signed"; };
 
+zone "dlv" { type master; file "dlv.db.signed"; };
+
 zone "nsec" { type master; file "nsec.db.signed"; };
 zone "private.nsec" { type master; file "private.nsec.db.signed"; };
 

bin/tests/system/wildcard/ns1/root.db.in

@@ -18,5 +18,6 @@ $TTL 120
 @	SOA a.root-servers.nil hostmaster.root-servers.nil 1 1800 900 604800 86400
 @	NS  a.root-servers.nil
 a.root-servers.nil A 10.53.0.1
+dlv	NS  a.root-servers.nil
 nsec	NS  a.root-servers.nil
 nsec3	NS  a.root-servers.nil

bin/tests/system/wildcard/ns1/sign.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -22,6 +22,20 @@ SYSTEMTESTTOP=../..
 RANDFILE=../random.data
 dssets=
 
+zone=dlv.
+infile=dlv.db.in
+zonefile=dlv.db
+outfile=dlv.db.signed
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null` 
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key > $zonefile
+
+$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
 zone=nsec.
 infile=nsec.db.in
 zonefile=nsec.db

bin/tests/system/wildcard/ns5/hints

@@ -0,0 +1,18 @@
+; Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: hints,v 1.1.2.1 2010/06/01 03:55:02 marka Exp $
+
+. 0 NS ns.root-servers.nil.
+ns.root-servers.nil. 0 A 10.53.0.1

bin/tests/system/wildcard/ns5/named.conf

@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.1.2.1 2010/06/01 03:55:02 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	dnssec-lookaside . trust-anchor dlv;
+};
+
+include "../ns1/trusted.conf";
+
+zone "." { type hint; file "hints"; };

bin/tests/system/wildcard/tests.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -53,6 +53,15 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
+echo "I: checking that NSEC wildcard non-existance proof is returned validating + CD ($n)"
+ret=0
+$DIG $DIGOPTS +cd a b.wild.nsec @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC'  dig.out.ns5.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]'  dig.out.ns5.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
 echo "I: checking that returned NSEC wildcard non-existance proof validates ($n)"
 ret=0
 $DIG $DIGOPTS a b.wild.nsec @10.53.0.4 > dig.out.ns4.test$n || ret=1
@@ -105,6 +114,15 @@ grep -i 'flags:.* ad[ ;]'  dig.out.ns3.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo "I: checking that NSEC3 wildcard non-existance proof is returned validating + CD ($n)"
+ret=0
+$DIG $DIGOPTS +cd a b.wild.nsec3 @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A'  dig.out.ns5.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]'  dig.out.ns5.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 n=`expr $n + 1`
 echo "I: checking that returned NSEC3 wildcard non-existance proof validates ($n)"
 ret=0

bin/tests/system/xfer/clean.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -23,8 +23,9 @@
 
 rm -f dig.out.ns1 dig.out.ns2 dig.out.ns3 dig.out.ns4
 rm -f dig.out.ns5 dig.out.ns6 dig.out.ns7
+rm -f dig.out.soa.ns3
 rm -f axfr.out
-rm -f ns1/slave.db
+rm -f ns1/slave.db ns2/slave.db
 rm -f ns2/example.db ns2/tsigzone.db ns2/example.db.jnl
 rm -f ns3/example.bk ns3/tsigzone.bk ns3/example.bk.jnl
 rm -f ns3/master.bk ns3/master.bk.jnl

bin/tests/system/xfer/dig1.good

@@ -16,6 +16,8 @@ cname03.example.	3600	IN	CNAME	.
 dname01.example.	3600	IN	DNAME	dname-target.
 dname02.example.	3600	IN	DNAME	dname-target.example.
 dname03.example.	3600	IN	DNAME	.
+eui48.example.		3600	IN	EUI48	01-23-45-67-89-ab
+eui64.example.		3600	IN	EUI64	01-23-45-67-89-ab-cd-ef
 gpos01.example.		3600	IN	GPOS	"-22.6882" "116.8652" "250.0"
 gpos02.example.		3600	IN	GPOS	"" "" ""
 hinfo01.example.	3600	IN	HINFO	"Generic PC clone" "NetBSD-1.4"

bin/tests/system/xfer/dig2.good

@@ -16,6 +16,8 @@ cname03.example.	3600	IN	CNAME	.
 dname01.example.	3600	IN	DNAME	dname-target.
 dname02.example.	3600	IN	DNAME	dname-target.example.
 dname03.example.	3600	IN	DNAME	.
+eui48.example.		3600	IN	EUI48   01-23-45-67-89-ab
+eui64.example.		3600	IN	EUI64	01-23-45-67-89-ab-cd-ef
 gpos01.example.		3600	IN	GPOS	"-22.6882" "116.8652" "250.0"
 gpos02.example.		3600	IN	GPOS	"" "" ""
 hinfo01.example.	3600	IN	HINFO	"Generic PC clone" "NetBSD-1.4"

bin/tests/system/xfer/ns2/named.conf

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -59,3 +59,10 @@ zone "tsigzone" {
 	file "tsigzone.db";
 	allow-transfer { tzkey; };
 };
+
+zone "slave" {
+	type slave;
+	file "slave.db";
+	masters { 10.53.0.1; };
+        masterfile-format text;
+};

bin/tests/system/xfer/ns2/slave.db.in

@@ -0,0 +1,22 @@
+; Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 5
+
+@			IN SOA	ns1 hostmaster 1 5 5 5 5
+@			NS	ns1
+ns1			A	10.53.0.1
+a01			A	1.1.1.1
+a02			A	255.255.255.255
+