153 lines
5.5 KiB
Diff
153 lines
5.5 KiB
Diff
From 221fb11e658e7dea1be6dbfd25e149f2d131e4fb Mon Sep 17 00:00:00 2001
|
|
From: Mark Andrews <marka@isc.org>
|
|
Date: Wed, 29 Jul 2020 23:36:03 +1000
|
|
Subject: [PATCH] Add a test for update-policy 'subdomain'
|
|
|
|
The new test checks that 'update-policy subdomain' is properly enforced.
|
|
|
|
(cherry picked from commit 393e8f643c02215fa4e6d4edf67be7d77085da0e)
|
|
|
|
Add a test for update-policy 'zonesub'
|
|
|
|
The new test checks that 'update-policy zonesub' is properly enforced.
|
|
|
|
(cherry picked from commit 58e560beb50873c699f3431cf57e215dc645d7aa)
|
|
---
|
|
bin/tests/system/nsupdate/ns1/named.conf.in | 12 +++++
|
|
bin/tests/system/nsupdate/tests.sh | 60 +++++++++++++++++++--
|
|
2 files changed, 68 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
|
|
index 26b6b7c9ab..540a984842 100644
|
|
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
|
|
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
|
|
@@ -36,6 +36,16 @@ key altkey {
|
|
secret "1234abcd8765";
|
|
};
|
|
|
|
+key restricted.example.nil {
|
|
+ algorithm hmac-md5;
|
|
+ secret "1234abcd8765";
|
|
+};
|
|
+
|
|
+key zonesub-key.example.nil {
|
|
+ algorithm hmac-md5;
|
|
+ secret "1234subk8765";
|
|
+};
|
|
+
|
|
include "ddns.key";
|
|
|
|
zone "example.nil" {
|
|
@@ -44,7 +54,9 @@ zone "example.nil" {
|
|
check-integrity no;
|
|
check-mx ignore;
|
|
update-policy {
|
|
+ grant zonesub-key.example.nil zonesub TXT;
|
|
grant ddns-key.example.nil subdomain example.nil ANY;
|
|
+ grant restricted.example.nil subdomain restricted.example.nil ANY;
|
|
};
|
|
allow-transfer { any; };
|
|
};
|
|
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
|
|
index b08c5220e7..5f09e8c5bf 100755
|
|
--- a/bin/tests/system/nsupdate/tests.sh
|
|
+++ b/bin/tests/system/nsupdate/tests.sh
|
|
@@ -428,7 +428,7 @@ EOF
|
|
# this also proves that the server is still running.
|
|
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec example.\
|
|
@10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
|
|
-grep "ANSWER: 0" dig.out.ns3.$n > /dev/null || ret=1
|
|
+grep "ANSWER: 0," dig.out.ns3.$n > /dev/null || ret=1
|
|
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
|
|
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
|
|
|
@@ -443,7 +443,7 @@ EOF
|
|
|
|
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test.\
|
|
@10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
|
|
-grep "ANSWER: 1" dig.out.ns3.$n > /dev/null || ret=1
|
|
+grep "ANSWER: 1," dig.out.ns3.$n > /dev/null || ret=1
|
|
grep "3600.*NSEC3PARAM" dig.out.ns3.$n > /dev/null || ret=1
|
|
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
|
|
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
|
@@ -460,7 +460,7 @@ EOF
|
|
_ret=1
|
|
for i in 0 1 2 3 4 5 6 7 8 9; do
|
|
$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
|
|
- if grep "ANSWER: 2" dig.out.ns3.$n > /dev/null; then
|
|
+ if grep "ANSWER: 2," dig.out.ns3.$n > /dev/null; then
|
|
_ret=0
|
|
break
|
|
fi
|
|
@@ -485,7 +485,7 @@ EOF
|
|
_ret=1
|
|
for i in 0 1 2 3 4 5 6 7 8 9; do
|
|
$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
|
|
- if grep "ANSWER: 1" dig.out.ns3.$n > /dev/null; then
|
|
+ if grep "ANSWER: 1," dig.out.ns3.$n > /dev/null; then
|
|
_ret=0
|
|
break
|
|
fi
|
|
@@ -631,6 +631,58 @@ then
|
|
echo_i "failed"; status=1
|
|
fi
|
|
|
|
+n=`expr $n + 1`
|
|
+ret=0
|
|
+echo_i "check that 'update-policy subdomain' is properly enforced ($n)"
|
|
+# "restricted.example.nil" matches "grant ... subdomain restricted.example.nil"
|
|
+# and thus this UPDATE should succeed.
|
|
+$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 || ret=1
|
|
+server 10.53.0.1 ${PORT}
|
|
+key restricted.example.nil 1234abcd8765
|
|
+update add restricted.example.nil 0 IN TXT everywhere.
|
|
+send
|
|
+END
|
|
+$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT > dig.out.1.test$n || ret=1
|
|
+grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1
|
|
+# "example.nil" does not match "grant ... subdomain restricted.example.nil" and
|
|
+# thus this UPDATE should fail.
|
|
+$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 && ret=1
|
|
+server 10.53.0.1 ${PORT}
|
|
+key restricted.example.nil 1234abcd8765
|
|
+update add example.nil 0 IN TXT everywhere.
|
|
+send
|
|
+END
|
|
+$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT > dig.out.2.test$n || ret=1
|
|
+grep "TXT.*everywhere" dig.out.2.test$n > /dev/null && ret=1
|
|
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
|
+
|
|
+n=`expr $n + 1`
|
|
+ret=0
|
|
+echo_i "check that 'update-policy zonesub' is properly enforced ($n)"
|
|
+# grant zonesub-key.example.nil zonesub TXT;
|
|
+# the A record update should be rejected as it is not in the type list
|
|
+$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 && ret=1
|
|
+server 10.53.0.1 ${PORT}
|
|
+key zonesub-key.example.nil 1234subk8765
|
|
+update add zonesub.example.nil 0 IN A 1.2.3.4
|
|
+send
|
|
+END
|
|
+$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil A > dig.out.1.test$n || ret=1
|
|
+grep "status: REFUSED" nsupdate.out1-$n > /dev/null || ret=1
|
|
+grep "ANSWER: 0," dig.out.1.test$n > /dev/null || ret=1
|
|
+# the TXT record update should be accepted as it is in the type list
|
|
+$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 || ret=1
|
|
+server 10.53.0.1 ${PORT}
|
|
+key zonesub-key.example.nil 1234subk8765
|
|
+update add zonesub.example.nil 0 IN TXT everywhere.
|
|
+send
|
|
+END
|
|
+$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil TXT > dig.out.2.test$n || ret=1
|
|
+grep "status: REFUSED" nsupdate.out2-$n > /dev/null && ret=1
|
|
+grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1
|
|
+grep "TXT.*everywhere" dig.out.2.test$n > /dev/null || ret=1
|
|
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
|
+
|
|
n=`expr $n + 1`
|
|
ret=0
|
|
echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)"
|
|
--
|
|
2.26.2
|
|
|