ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity
Files
c929127b738a196a30f0d9177edf68d4e510fd49
bind9/bin/tests/system/rpz/setup.sh
Evan Hunt f43de96460 update the rpz tests to use the dummyrpz library 
when testing the DNSRPS API, instead of linking to an installed
librpz.so from fastrpz, we now link to the test library. code that
ran dnsrpzd and checked the fastrpz license is now unnecessary and
has been removed.

two dnsrps-specific test cases in rpz (qname_as_ns and ip_as_ns) have
been removed, because they were only supported by fastrpz and do not
work in the test library. in rpzrecurse, nsip-wait-recurse and
nsdname-wait-recurse are now only tested in native mode, due to those
tests being specific to the native implementation.
2023-03-28 18:41:17 -07:00

172 lines
5.0 KiB
Bash
Raw Blame History

#!/bin/sh
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# touch dnsrps-off to not test with DNSRPS
set -e
. ../conf.sh
QPERF=$($SHELL qperf.sh)
USAGE="$0: [-DNx]"
DEBUG=
while getopts "DNx" c; do
case $c in
x) set -x; DEBUG=-x ;;
D) TEST_DNSRPS="-D" ;;
N) PARTIAL=-P ;;
*) echo "$USAGE" 1>&2; exit 1 ;;
esac
done
shift $((OPTIND - 1))
if test "$#" -ne 0; then
echo "$USAGE" 1>&2
exit 1
fi
if [ ${NOCLEAN:-unset} = unset ]; then
$SHELL clean.sh $PARTIAL $DEBUG
fi
for dir in ns*; do
touch $dir/named.run
nextpart $dir/named.run > /dev/null
done
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named.conf.in ns7/named.conf
copy_setports ns8/named.conf.in ns8/named.conf
copy_setports ns9/named.conf.in ns9/named.conf
copy_setports ns10/named.conf.in ns10/named.conf
copy_setports dnsrps.zones.in dnsrps.zones
# decide whether to test DNSRPS
# Note that dnsrps.conf is included in named.conf
$SHELL ../ckdnsrps.sh $TEST_DNSRPS $DEBUG
test -z "$(grep 'testing with DNSRPS' dnsrps.conf)" && TEST_DNSRPS=
touch dnsrps.cache
# set up test policy zones.
# bl is the main test zone
# bl-2 is used to check competing zones.
# bl-{given,disabled,passthru,no-data,nxdomain,cname,wildcard,garden,
# drop,tcp-only} are used to check policy overrides in named.conf.
# NO-OP is an obsolete synonym for PASSHTRU
for NM in '' -2 -given -disabled -passthru -no-op -nodata -nxdomain -cname -wildcname -garden -drop -tcp-only; do
sed -e "/SOA/s/blx/bl$NM/g" ns3/base.db >ns3/bl$NM.db
done
# bl zones are dynamically updated. Add one zone that is updated manually.
cp ns3/manual-update-rpz.db.in ns3/manual-update-rpz.db
cp ns8/manual-update-rpz.db.in ns8/manual-update-rpz.db
cp ns3/mixed-case-rpz-1.db.in ns3/mixed-case-rpz.db
# a zone that expires quickly and then can't be refreshed
cp ns5/fast-expire.db.in ns5/fast-expire.db
cp ns5/expire.conf.in ns5/expire.conf
# $1=directory
# $2=domain name
# $3=input zone file
# $4=output file
signzone () {
KEYNAME=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -K $1 $2)
cat $1/$3 $1/$KEYNAME.key > $1/tmp
$SIGNER -P -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null
sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trust-anchors {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
DSFILENAME=dsset-${2}.
rm $DSFILENAME $1/tmp
}
signzone ns2 tld2s base-tld2s.db tld2s.db
# Performance and a few other checks.
cat <<EOF >ns5/rpz-switch
response-policy {
zone "bl0"; zone "bl1"; zone "bl2"; zone "bl3"; zone "bl4";
zone "bl5"; zone "bl6"; zone "bl7"; zone "bl8"; zone "bl9";
zone "bl10"; zone "bl11"; zone "bl12"; zone "bl13"; zone "bl14";
zone "bl15"; zone "bl16"; zone "bl17"; zone "bl18"; zone "bl19";
} recursive-only no
qname-wait-recurse no
nsip-enable yes
nsdname-enable yes
max-policy-ttl 90
break-dnssec yes
;
EOF
cat <<EOF >ns5/example.db
\$TTL 300
@ SOA . hostmaster.ns.example.tld5. ( 1 3600 1200 604800 60 )
NS ns
NS ns1
ns A 10.53.0.5
ns1 A 10.53.0.5
EOF
cat <<EOF >ns5/bl.db
\$TTL 300
@ SOA . hostmaster.ns.blperf. ( 1 3600 1200 604800 60 )
NS ns.tld5.
; for "qname-wait-recurse no" in #35 test1
x.servfail A 35.35.35.35
; for "recursive-only no" in #8 test5
a3-5.tld2 CNAME .
; for "break-dnssec" in #9 & #10 test5
a3-5.tld2s CNAME .
; for "max-policy-ttl 90" in #17 test5
a3-17.tld2 500 A 17.17.17.17
; dummy NSDNAME policy to trigger lookups
ns1.x.rpz-nsdname CNAME .
EOF
if test -n "$QPERF"; then
# Do not build the full zones if we will not use them.
$PERL -e 'for ($val = 1; $val <= 65535; ++$val) {
printf("host-%05d\tA 192.168.%d.%d\n", $val, $val/256, $val%256);
}' >>ns5/example.db
echo >>ns5/bl.db
echo "; rewrite some names" >>ns5/bl.db
$PERL -e 'for ($val = 2; $val <= 65535; $val += 69) {
printf("host-%05d.example.tld5\tCNAME\t.\n", $val);
}' >>ns5/bl.db
echo >>ns5/bl.db
echo "; rewrite with some not entirely trivial patricia trees" >>ns5/bl.db
$PERL -e 'for ($val = 3; $val <= 65535; $val += 69) {
printf("32.%d.%d.168.192.rpz-ip \tCNAME\t.\n",
$val%256, $val/256);
}' >>ns5/bl.db
fi
# some psuedo-random queryperf requests
$PERL -e 'for ($cnt = $val = 1; $cnt <= 3000; ++$cnt) {
printf("host-%05d.example.tld5 A\n", $val);
$val = ($val * 9 + 32771) % 65536;
}' >ns5/requests
cp ns2/bl.tld2.db.in ns2/bl.tld2.db
cp ns5/empty.db.in ns5/empty.db
cp ns5/empty.db.in ns5/policy2.db
cp ns6/bl.tld2s.db.in ns6/bl.tld2s.db
View Git Blame Copy Permalink