|
 |
bcb1e2 |
From 54e281c11ee13eabc3c51d6391a58fc90836000c Mon Sep 17 00:00:00 2001
|
|
|
bcb1e2 |
From: Evan Hunt <each@isc.org>
|
|
|
bcb1e2 |
Date: Wed, 9 Nov 2022 21:56:16 -0800
|
|
|
bcb1e2 |
Subject: [PATCH] test failure conditions
|
|
|
bcb1e2 |
|
|
|
bcb1e2 |
verify that updates are refused when the client is disallowed by
|
|
|
bcb1e2 |
allow-query, and update forwarding is refused when the client is
|
|
|
bcb1e2 |
is disallowed by update-forwarding.
|
|
|
bcb1e2 |
|
|
|
bcb1e2 |
verify that "too many DNS UPDATEs" appears in the log file when too
|
|
|
bcb1e2 |
many simultaneous updates are processing.
|
|
|
bcb1e2 |
|
|
|
bcb1e2 |
(cherry picked from commit b91339b80e5b82a56622c93cc1e3cca2d0c11bc0)
|
|
|
bcb1e2 |
---
|
|
|
bcb1e2 |
bin/tests/system/nsupdate/ns1/named.conf.in | 2 +
|
|
|
bcb1e2 |
bin/tests/system/nsupdate/tests.sh | 28 +++++++++++++
|
|
|
bcb1e2 |
bin/tests/system/upforwd/clean.sh | 2 +
|
|
|
bcb1e2 |
.../ns3/{named.conf.in => named1.conf.in} | 13 ++++--
|
|
|
bcb1e2 |
bin/tests/system/upforwd/ns3/named2.conf.in | 41 +++++++++++++++++++
|
|
|
bcb1e2 |
bin/tests/system/upforwd/setup.sh | 2 +-
|
|
|
bcb1e2 |
bin/tests/system/upforwd/tests.sh | 39 ++++++++++++++++++
|
|
|
bcb1e2 |
7 files changed, 123 insertions(+), 4 deletions(-)
|
|
|
bcb1e2 |
rename bin/tests/system/upforwd/ns3/{named.conf.in => named1.conf.in} (78%)
|
|
|
bcb1e2 |
create mode 100644 bin/tests/system/upforwd/ns3/named2.conf.in
|
|
|
bcb1e2 |
|
|
|
bcb1e2 |
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
|
|
|
bcb1e2 |
index 436c97d..83fe884 100644
|
|
|
bcb1e2 |
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
|
|
|
bcb1e2 |
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
|
|
|
bcb1e2 |
@@ -21,6 +21,7 @@ options {
|
|
|
bcb1e2 |
recursion no;
|
|
|
bcb1e2 |
notify yes;
|
|
|
bcb1e2 |
minimal-responses no;
|
|
|
bcb1e2 |
+ update-quota 1;
|
|
|
bcb1e2 |
};
|
|
|
bcb1e2 |
|
|
|
bcb1e2 |
acl named-acl {
|
|
|
bcb1e2 |
@@ -81,6 +82,7 @@ zone "other.nil" {
|
|
|
bcb1e2 |
check-integrity no;
|
|
|
bcb1e2 |
check-mx warn;
|
|
|
bcb1e2 |
update-policy local;
|
|
|
bcb1e2 |
+ allow-query { !10.53.0.2; any; };
|
|
|
bcb1e2 |
allow-query-on { 10.53.0.1; 127.0.0.1; };
|
|
|
bcb1e2 |
allow-transfer { any; };
|
|
|
bcb1e2 |
};
|
|
|
bcb1e2 |
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
|
|
|
bcb1e2 |
index b5f562f..13ba577 100755
|
|
|
bcb1e2 |
--- a/bin/tests/system/nsupdate/tests.sh
|
|
|
bcb1e2 |
+++ b/bin/tests/system/nsupdate/tests.sh
|
|
|
bcb1e2 |
@@ -1268,6 +1268,34 @@ END
|
|
|
bcb1e2 |
grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n >/dev/null || ret=1
|
|
|
bcb1e2 |
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
|
|
bcb1e2 |
|
|
|
bcb1e2 |
+n=$((n + 1))
|
|
|
bcb1e2 |
+ret=0
|
|
|
bcb1e2 |
+echo_i "check that update is rejected if query is not allowed ($n)"
|
|
|
bcb1e2 |
+{
|
|
|
bcb1e2 |
+ $NSUPDATE -d <
|
|
|
bcb1e2 |
+ local 10.53.0.2
|
|
|
bcb1e2 |
+ server 10.53.0.1 ${PORT}
|
|
|
bcb1e2 |
+ update add reject.other.nil 3600 IN TXT Whatever
|
|
|
bcb1e2 |
+ send
|
|
|
bcb1e2 |
+END
|
|
|
bcb1e2 |
+} > nsupdate.out.test$n 2>&1
|
|
|
bcb1e2 |
+grep 'failed: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
|
|
|
bcb1e2 |
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
|
|
bcb1e2 |
+
|
|
|
bcb1e2 |
+n=$((n + 1))
|
|
|
bcb1e2 |
+ret=0
|
|
|
bcb1e2 |
+echo_i "check that update is rejected if quota is exceeded ($n)"
|
|
|
bcb1e2 |
+for loop in 1 2 3 4 5 6 7 8 9 10; do
|
|
|
bcb1e2 |
+{
|
|
|
bcb1e2 |
+ $NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null 2>&1 <
|
|
|
bcb1e2 |
+ update add txt-$loop.other.nil 3600 IN TXT Whatever
|
|
|
bcb1e2 |
+ send
|
|
|
bcb1e2 |
+END
|
|
|
bcb1e2 |
+} &
|
|
|
bcb1e2 |
+done
|
|
|
bcb1e2 |
+wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
|
|
|
bcb1e2 |
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
|
|
bcb1e2 |
+
|
|
|
bcb1e2 |
if ! $FEATURETEST --gssapi ; then
|
|
|
bcb1e2 |
echo_i "SKIPPED: GSSAPI tests"
|
|
|
bcb1e2 |
else
|
|
|
bcb1e2 |
diff --git a/bin/tests/system/upforwd/clean.sh b/bin/tests/system/upforwd/clean.sh
|
|
|
bcb1e2 |
index 2025252..12311df 100644
|
|
|
bcb1e2 |
--- a/bin/tests/system/upforwd/clean.sh
|
|
|
bcb1e2 |
+++ b/bin/tests/system/upforwd/clean.sh
|
|
|
bcb1e2 |
@@ -29,3 +29,5 @@ rm -f keyname keyname.err
|
|
|
bcb1e2 |
rm -f ns*/named.lock
|
|
|
bcb1e2 |
rm -f ns1/example2.db
|
|
|
bcb1e2 |
rm -f ns*/managed-keys.bind*
|
|
|
bcb1e2 |
+rm -f nsupdate.out.*
|
|
|
bcb1e2 |
+rm -f ns*/named.run.prev
|
|
|
bcb1e2 |
diff --git a/bin/tests/system/upforwd/ns3/named.conf.in b/bin/tests/system/upforwd/ns3/named1.conf.in
|
|
|
bcb1e2 |
similarity index 78%
|
|
|
bcb1e2 |
rename from bin/tests/system/upforwd/ns3/named.conf.in
|
|
|
bcb1e2 |
rename to bin/tests/system/upforwd/ns3/named1.conf.in
|
|
|
bcb1e2 |
index 7bd13d3..2f690ff 100644
|
|
|
bcb1e2 |
--- a/bin/tests/system/upforwd/ns3/named.conf.in
|
|
|
bcb1e2 |
+++ b/bin/tests/system/upforwd/ns3/named1.conf.in
|
|
|
bcb1e2 |
@@ -28,20 +28,27 @@ key rndc_key {
|
|
|
bcb1e2 |
};
|
|
|
bcb1e2 |
|
|
|
bcb1e2 |
controls {
|
|
|
bcb1e2 |
- inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
|
|
bcb1e2 |
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
|
|
bcb1e2 |
};
|
|
|
bcb1e2 |
|
|
|
bcb1e2 |
zone "example" {
|
|
|
bcb1e2 |
type secondary;
|
|
|
bcb1e2 |
file "example.bk";
|
|
|
bcb1e2 |
- allow-update-forwarding { any; };
|
|
|
bcb1e2 |
+ allow-update-forwarding { 10.53.0.1; };
|
|
|
bcb1e2 |
primaries { 10.53.0.1; };
|
|
|
bcb1e2 |
};
|
|
|
bcb1e2 |
|
|
|
bcb1e2 |
zone "example2" {
|
|
|
bcb1e2 |
type secondary;
|
|
|
bcb1e2 |
file "example2.bk";
|
|
|
bcb1e2 |
- allow-update-forwarding { any; };
|
|
|
bcb1e2 |
+ allow-update-forwarding { 10.53.0.1; };
|
|
|
bcb1e2 |
+ primaries { 10.53.0.1; };
|
|
|
bcb1e2 |
+};
|
|
|
bcb1e2 |
+
|
|
|
bcb1e2 |
+zone "example3" {
|
|
|
bcb1e2 |
+ type secondary;
|
|
|
bcb1e2 |
+ file "example3.bk";
|
|
|
bcb1e2 |
+ allow-update-forwarding { 10.53.0.1; };
|
|
|
bcb1e2 |
primaries { 10.53.0.1; };
|
|
|
bcb1e2 |
};
|
|
|
bcb1e2 |
|
|
|
bcb1e2 |
diff --git a/bin/tests/system/upforwd/ns3/named2.conf.in b/bin/tests/system/upforwd/ns3/named2.conf.in
|
|
|
bcb1e2 |
new file mode 100644
|
|
|
bcb1e2 |
index 0000000..e15459a
|
|
|
bcb1e2 |
--- /dev/null
|
|
|
bcb1e2 |
+++ b/bin/tests/system/upforwd/ns3/named2.conf.in
|
|
|
bcb1e2 |
@@ -0,0 +1,41 @@
|
|
|
bcb1e2 |
+/*
|
|
|
bcb1e2 |
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
|
bcb1e2 |
+ *
|
|
|
bcb1e2 |
+ * SPDX-License-Identifier: MPL-2.0
|
|
|
bcb1e2 |
+ *
|
|
|
bcb1e2 |
+ * This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
bcb1e2 |
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
bcb1e2 |
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
|
|
bcb1e2 |
+ *
|
|
|
bcb1e2 |
+ * See the COPYRIGHT file distributed with this work for additional
|
|
|
bcb1e2 |
+ * information regarding copyright ownership.
|
|
|
bcb1e2 |
+ */
|
|
|
bcb1e2 |
+
|
|
|
bcb1e2 |
+options {
|
|
|
bcb1e2 |
+ query-source address 10.53.0.3;
|
|
|
bcb1e2 |
+ notify-source 10.53.0.3;
|
|
|
bcb1e2 |
+ transfer-source 10.53.0.3;
|
|
|
bcb1e2 |
+ port @PORT@;
|
|
|
bcb1e2 |
+ pid-file "named.pid";
|
|
|
bcb1e2 |
+ listen-on { 10.53.0.3; };
|
|
|
bcb1e2 |
+ listen-on-v6 { none; };
|
|
|
bcb1e2 |
+ recursion no;
|
|
|
bcb1e2 |
+ notify yes;
|
|
|
bcb1e2 |
+ update-quota 1;
|
|
|
bcb1e2 |
+};
|
|
|
bcb1e2 |
+
|
|
|
bcb1e2 |
+key rndc_key {
|
|
|
bcb1e2 |
+ secret "1234abcd8765";
|
|
|
bcb1e2 |
+ algorithm hmac-sha256;
|
|
|
bcb1e2 |
+};
|
|
|
bcb1e2 |
+
|
|
|
bcb1e2 |
+controls {
|
|
|
bcb1e2 |
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
|
|
bcb1e2 |
+};
|
|
|
bcb1e2 |
+
|
|
|
bcb1e2 |
+zone "example" {
|
|
|
bcb1e2 |
+ type secondary;
|
|
|
bcb1e2 |
+ file "example.bk";
|
|
|
bcb1e2 |
+ allow-update-forwarding { any; };
|
|
|
bcb1e2 |
+ primaries { 10.53.0.1; };
|
|
|
bcb1e2 |
+};
|
|
|
bcb1e2 |
diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
|
|
|
bcb1e2 |
index e748078..88ab28d 100644
|
|
|
bcb1e2 |
--- a/bin/tests/system/upforwd/setup.sh
|
|
|
bcb1e2 |
+++ b/bin/tests/system/upforwd/setup.sh
|
|
|
bcb1e2 |
@@ -17,7 +17,7 @@ cp -f ns3/nomaster.db ns3/nomaster1.db
|
|
|
bcb1e2 |
|
|
|
bcb1e2 |
copy_setports ns1/named.conf.in ns1/named.conf
|
|
|
bcb1e2 |
copy_setports ns2/named.conf.in ns2/named.conf
|
|
|
bcb1e2 |
-copy_setports ns3/named.conf.in ns3/named.conf
|
|
|
bcb1e2 |
+copy_setports ns3/named1.conf.in ns3/named.conf
|
|
|
bcb1e2 |
|
|
|
bcb1e2 |
if $FEATURETEST --enable-dnstap
|
|
|
bcb1e2 |
then
|
|
|
bcb1e2 |
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
|
|
|
bcb1e2 |
index 8062d68..20fc46f 100644
|
|
|
bcb1e2 |
--- a/bin/tests/system/upforwd/tests.sh
|
|
|
bcb1e2 |
+++ b/bin/tests/system/upforwd/tests.sh
|
|
|
bcb1e2 |
@@ -80,6 +80,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
|
|
|
bcb1e2 |
echo_i "updating zone (signed) ($n)"
|
|
|
bcb1e2 |
ret=0
|
|
|
bcb1e2 |
$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <
|
|
|
bcb1e2 |
+local 10.53.0.1
|
|
|
bcb1e2 |
server 10.53.0.3 ${PORT}
|
|
|
bcb1e2 |
update add updated.example. 600 A 10.10.10.1
|
|
|
bcb1e2 |
update add updated.example. 600 TXT Foo
|
|
|
bcb1e2 |
@@ -138,6 +139,7 @@ fi
|
|
|
bcb1e2 |
echo_i "updating zone (unsigned) ($n)"
|
|
|
bcb1e2 |
ret=0
|
|
|
bcb1e2 |
$NSUPDATE -- - <
|
|
|
bcb1e2 |
+local 10.53.0.1
|
|
|
bcb1e2 |
server 10.53.0.3 ${PORT}
|
|
|
bcb1e2 |
update add unsigned.example. 600 A 10.10.10.1
|
|
|
bcb1e2 |
update add unsigned.example. 600 TXT Foo
|
|
|
bcb1e2 |
@@ -194,6 +196,7 @@ while [ $count -lt 5 -a $ret -eq 0 ]
|
|
|
bcb1e2 |
do
|
|
|
bcb1e2 |
(
|
|
|
bcb1e2 |
$NSUPDATE -- - <
|
|
|
bcb1e2 |
+local 10.53.0.1
|
|
|
bcb1e2 |
server 10.53.0.3 ${PORT}
|
|
|
bcb1e2 |
zone nomaster
|
|
|
bcb1e2 |
update add unsigned.nomaster. 600 A 10.10.10.1
|
|
|
bcb1e2 |
@@ -225,6 +228,7 @@ then
|
|
|
bcb1e2 |
ret=0
|
|
|
bcb1e2 |
keyname=`cat keyname`
|
|
|
bcb1e2 |
$NSUPDATE -k $keyname.private -- - <
|
|
|
bcb1e2 |
+ local 10.53.0.1
|
|
|
bcb1e2 |
server 10.53.0.3 ${PORT}
|
|
|
bcb1e2 |
zone example2
|
|
|
bcb1e2 |
update add unsigned.example2. 600 A 10.10.10.1
|
|
|
bcb1e2 |
@@ -249,5 +253,40 @@ EOF
|
|
|
bcb1e2 |
fi
|
|
|
bcb1e2 |
fi
|
|
|
bcb1e2 |
|
|
|
bcb1e2 |
+echo_i "attempting an update that should be rejected by ACL ($n)"
|
|
|
bcb1e2 |
+ret=0
|
|
|
bcb1e2 |
+{
|
|
|
bcb1e2 |
+ $NSUPDATE -- - << EOF
|
|
|
bcb1e2 |
+ local 10.53.0.2
|
|
|
bcb1e2 |
+ server 10.53.0.3 ${PORT}
|
|
|
bcb1e2 |
+ update add another.unsigned.example. 600 A 10.10.10.2
|
|
|
bcb1e2 |
+ update add another.unsigned.example. 600 TXT Bar
|
|
|
bcb1e2 |
+ send
|
|
|
bcb1e2 |
+EOF
|
|
|
bcb1e2 |
+} > nsupdate.out.$n 2>&1
|
|
|
bcb1e2 |
+grep REFUSED nsupdate.out.$n > /dev/null || ret=1
|
|
|
bcb1e2 |
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
|
|
|
bcb1e2 |
+n=`expr $n + 1`
|
|
|
bcb1e2 |
+
|
|
|
bcb1e2 |
+n=$((n + 1))
|
|
|
bcb1e2 |
+ret=0
|
|
|
bcb1e2 |
+echo_i "attempting updates that should exceed quota ($n)"
|
|
|
bcb1e2 |
+# lower the update quota to 1.
|
|
|
bcb1e2 |
+copy_setports ns3/named2.conf.in ns3/named.conf
|
|
|
bcb1e2 |
+rndc_reconfig ns3 10.53.0.3
|
|
|
bcb1e2 |
+nextpart ns3/named.run > /dev/null
|
|
|
bcb1e2 |
+for loop in 1 2 3 4 5 6 7 8 9 10; do
|
|
|
bcb1e2 |
+{
|
|
|
bcb1e2 |
+ $NSUPDATE -- - > /dev/null 2>&1 <
|
|
|
bcb1e2 |
+ local 10.53.0.1
|
|
|
bcb1e2 |
+ server 10.53.0.3 ${PORT}
|
|
|
bcb1e2 |
+ update add txt-$loop.unsigned.example 300 IN TXT Whatever
|
|
|
bcb1e2 |
+ send
|
|
|
bcb1e2 |
+END
|
|
|
bcb1e2 |
+} &
|
|
|
bcb1e2 |
+done
|
|
|
bcb1e2 |
+wait_for_log 10 "too many DNS UPDATEs queued" ns3/named.run || ret=1
|
|
|
bcb1e2 |
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
|
|
bcb1e2 |
+
|
|
|
bcb1e2 |
echo_i "exit status: $status"
|
|
|
bcb1e2 |
[ $status -eq 0 ] || exit 1
|
|
|
bcb1e2 |
--
|
|
|
bcb1e2 |
2.39.2
|
|
|
bcb1e2 |
|