From a64853318ade406ef0db744918bb2828cf0a6247 Mon Sep 17 00:00:00 2001 From: Stephen Morris Date: Thu, 5 Mar 2020 18:46:46 +0000 Subject: [PATCH] Add test for reduction in number of fetches Add a system test that counts how many address fetches are made for different numbers of NS records and checks that the number are successfully limited. (cherry picked from commit 5fb65f45443225180296b361a12be0fead5049f2) --- bin/tests/system/resolver/clean.sh | 4 +- bin/tests/system/resolver/ns4/named.conf.in | 5 ++ bin/tests/system/resolver/ns4/root.db | 4 + bin/tests/system/resolver/ns4/sourcens.db | 89 +++++++++++++++++++++ bin/tests/system/resolver/ns5/named.conf.in | 9 ++- bin/tests/system/resolver/ns6/named.conf.in | 15 ++++ bin/tests/system/resolver/ns6/targetns.db | 23 ++++++ bin/tests/system/resolver/tests.sh | 34 ++++++++ 8 files changed, 180 insertions(+), 3 deletions(-) create mode 100644 bin/tests/system/resolver/ns4/sourcens.db create mode 100644 bin/tests/system/resolver/ns6/targetns.db diff --git a/bin/tests/system/resolver/clean.sh b/bin/tests/system/resolver/clean.sh index 4dfde1f3e7..b3e4bc0b5d 100644 --- a/bin/tests/system/resolver/clean.sh +++ b/bin/tests/system/resolver/clean.sh @@ -17,8 +17,7 @@ rm -f */named.memstats rm -f */named.run rm -f */ans.run rm -f */*.jdb -rm -f dig.out dig.out.* -rm -f dig.*.out.* +rm -f dig.out dig.out.* dig.*.out.* rm -f dig.*.foo.* rm -f dig.*.bar.* rm -f dig.*.prime.* @@ -28,6 +27,7 @@ rm -f ns6/example.net.db.signed ns6/example.net.db rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db rm -f ns6/dsset-ds.example.net* rm -f ns6/dsset-example.net* ns6/example.net.db.signed.jnl +rm -f ns6/named.stats* rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl rm -f ns7/server.db ns7/server.db.jnl rm -f resolve.out.*.test* diff --git a/bin/tests/system/resolver/ns4/named.conf.in b/bin/tests/system/resolver/ns4/named.conf.in index c679dc3151..56fe5d0dd8 100644 --- a/bin/tests/system/resolver/ns4/named.conf.in 
+++ b/bin/tests/system/resolver/ns4/named.conf.in @@ -50,6 +50,11 @@ zone "broken" { file "broken.db"; }; +zone "sourcens" { + type master; + file "sourcens.db"; +}; + key rndc_key { secret "1234abcd8765"; algorithm hmac-sha256; diff --git a/bin/tests/system/resolver/ns4/root.db b/bin/tests/system/resolver/ns4/root.db index 721765d1be..ae541340da 100644 --- a/bin/tests/system/resolver/ns4/root.db +++ b/bin/tests/system/resolver/ns4/root.db @@ -24,3 +24,7 @@ example.net. NS ns.example.net. ns.example.net. A 10.53.0.6 no-questions. NS ns.no-questions. ns.no-questions. A 10.53.0.8 +sourcens. NS ns.sourcens. +ns.sourcens. A 10.53.0.4 +targetns. NS ns.targetns. +ns.targetns. A 10.53.0.6 diff --git a/bin/tests/system/resolver/ns4/sourcens.db b/bin/tests/system/resolver/ns4/sourcens.db new file mode 100644 index 0000000000..b02cc6e835 --- /dev/null +++ b/bin/tests/system/resolver/ns4/sourcens.db 
@@ -0,0 +1,89 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This zone contains a set of delegations with varying numbers of NS
+; records. This is used to check that BIND is limiting the number of
+; NS records it follows when resolving a delegation. It tests all
+; numbers of NS records up to twice the number followed.
+
+$TTL 60
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+@ NS ns
+ns A 10.53.0.4
+
+target1 NS ns.fake11.targetns.
+
+target2 NS ns.fake21.targetns.
+ NS ns.fake22.targetns.
+
+target3 NS ns.fake31.targetns.
+ NS ns.fake32.targetns.
+ NS ns.fake33.targetns.
+
+target4 NS ns.fake41.targetns.
+ NS ns.fake42.targetns.
+ NS ns.fake43.targetns.
+ NS ns.fake44.targetns.
+
+target5 NS ns.fake51.targetns.
+ NS ns.fake52.targetns.
+ NS ns.fake53.targetns.
+ NS ns.fake54.targetns.
+ NS ns.fake55.targetns.
+
+target6 NS ns.fake61.targetns.
+ NS ns.fake62.targetns.
+ NS ns.fake63.targetns.
+ NS ns.fake64.targetns.
+ NS ns.fake65.targetns.
+ NS ns.fake66.targetns.
+
+target7 NS ns.fake71.targetns.
+ NS ns.fake72.targetns.
+ NS ns.fake73.targetns.
+ NS ns.fake74.targetns.
+ NS ns.fake75.targetns.
+ NS ns.fake76.targetns.
+ NS ns.fake77.targetns.
+
+target8 NS ns.fake81.targetns.
+ NS ns.fake82.targetns.
+ NS ns.fake83.targetns.
+ NS ns.fake84.targetns.
+ NS ns.fake85.targetns.
+ NS ns.fake86.targetns.
+ NS ns.fake87.targetns.
+ NS ns.fake88.targetns.
+
+target9 NS ns.fake91.targetns.
+ NS ns.fake92.targetns.
+ NS ns.fake93.targetns.
+ NS ns.fake94.targetns.
+ NS ns.fake95.targetns.
+ NS ns.fake96.targetns.
+ NS ns.fake97.targetns.
+ NS ns.fake98.targetns. + NS ns.fake99.targetns. + +target10 NS ns.fake101.targetns. + NS ns.fake102.targetns. + NS ns.fake103.targetns. + NS ns.fake104.targetns. + NS ns.fake105.targetns. + NS ns.fake106.targetns. + NS ns.fake107.targetns. + NS ns.fake108.targetns. + NS ns.fake109.targetns. + NS ns.fake1010.targetns. diff --git a/bin/tests/system/resolver/ns5/named.conf.in b/bin/tests/system/resolver/ns5/named.conf.in index 07205c9938..90818e4556 100644 --- a/bin/tests/system/resolver/ns5/named.conf.in +++ b/bin/tests/system/resolver/ns5/named.conf.in @@ -46,4 +46,11 @@ zone "delegation-only" { type delegation-only; }; -include "trusted.conf"; +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; diff --git a/bin/tests/system/resolver/ns6/named.conf.in b/bin/tests/system/resolver/ns6/named.conf.in index 7df48558b8..4b01f9ba14 100644 --- a/bin/tests/system/resolver/ns6/named.conf.in +++ b/bin/tests/system/resolver/ns6/named.conf.in @@ -22,6 +22,7 @@ options { recursion no; // minimal-responses yes; querylog yes; + statistics-file "named.stats"; /* * test that named loads with root-delegation-only that * has a exclude list. @@ -67,3 +68,17 @@ zone "delegation-only" { type master; file "delegation-only.db"; }; + +zone "targetns" { + type master; + file "targetns.db"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; diff --git a/bin/tests/system/resolver/ns6/targetns.db b/bin/tests/system/resolver/ns6/targetns.db new file mode 100644 index 0000000000..036e64580b --- /dev/null +++ b/bin/tests/system/resolver/ns6/targetns.db 
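Review bot: The ns5/named.conf.in hunk removes `include "trusted.conf";` in the same change that adds the rndc key and `controls` block, and the commit description does not mention the removal. Whether other resolver tests depend on ns5 loading that file cannot be confirmed from this hunk, so either keep the include line ahead of the new `key rndc_key` stanza or explain in the description why it goes. The control channels added to ns5 and ns6 pair the fixed fixture secret with `allow { any; }`, which is tolerable only on the test-only 10.53.0.x addresses. A one-line comment on each `controls` stanza, for example `// test-only control channel; never reuse this key or ACL outside the system tests`, would record that for anyone copying the block.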
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; In the test for checking how many NS records BIND will follow, this
+; zone marks the server as the one to which the NS lookups will be
+; directed.
+
+$TTL 300
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+ NS ns
+ns A 10.53.0.6
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
index 12d2819e30..178ba4d79b 100755
--- a/bin/tests/system/resolver/tests.sh
+++ b/bin/tests/system/resolver/tests.sh
@@ -247,6 +247,40 @@ if [ -x ${RESOLVE} ] ; then status=`expr $status + $ret` fi +n=`expr $n + 1` +echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)" +# ns5 is the recusor being tested. ns4 holds the sourcens zone containing names with varying numbers of NS +# records pointing to non-existent nameservers in the targetns zone on ns6. +ret=0 +$RNDCCMD 10.53.0.5 flush || ret=1 # Ensure cache is empty before doing this test +for nscount in 1 2 3 4 5 6 7 8 9 10 +do + # Verify number of NS records at source server + $DIG $DIGOPTS +norecurse @10.53.0.4 target${nscount}.sourcens ns > dig.ns4.out.${nscount}.${n} + sourcerecs=`grep NS dig.ns4.out.${nscount}.${n} | grep -v ';' | wc -l` + test $sourcerecs -eq $nscount || ret=1 + test $sourcerecs -eq $nscount || echo_i "NS count incorrect for target${nscount}.sourcens" + # Expected queries = 2 * number of NS records, up to a maximum of 10. + expected=`expr 2 \* $nscount` + if [ $expected -gt 10 ]; then expected=10; fi + # Work out the queries made by checking statistics on the target before and after the test + $RNDCCMD 10.53.0.6 stats || ret=1 + initial_count=`awk '/responses sent/ {print $1}' ns6/named.stats` + mv ns6/named.stats ns6/named.stats.initial.${nscount}.${n} + $DIG $DIGOPTS @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1 + $RNDCCMD 10.53.0.6 stats || ret=1 + final_count=`awk '/responses sent/ {print $1}' ns6/named.stats` + mv ns6/named.stats ns6/named.stats.final.${nscount}.${n} + # Check number of queries during the test is as expected + actual=`expr $final_count - $initial_count` + if [ $actual -ne $expected ]; then + echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual" + ret=1 + fi +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + n=`expr $n + 1` echo_i "RT21594 regression test check setup ($n)" ret=0 -- 2.21.1
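Review bot: The final comparison `if [ $actual -ne $expected ]` inside the loop fails open. If the awk pattern `/responses sent/` matches no line or more than one line in `ns6/named.stats`, `expr $final_count - $initial_count` errors and leaves `actual` empty. `[` then exits with a usage error, the `if` body is skipped and `ret` stays 0, so the fetch-limit check passes without having measured anything. Comparing as strings, `if [ "$actual" != "$expected" ]; then`, turns every empty or malformed count into a failure; quoting `"$sourcerecs"` in the two `test` lines hardens them the same way. The comment above the loop also misspells "recursor" as "recusor".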