#!/bin/sh
#
# Copyright (C) 2010, 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

# Id: tests.sh,v 1.3 2010/12/02 23:22:41 marka Exp

# Test of allow-query statement.
# allow-query takes an address match list and can be included in either the
# options statement or in the zone statement. This test assumes that the
# acl tests cover the details of the address match list and uses a limited
# number of address match test cases to ensure that allow-query finds the
# expected match.
# Test list:
# In options:
# default (any), any, none, [localhost, localnets],
# allowed address, not allowed address, denied address,
# allowed key, not allowed key, denied key
# allowed acl, not allowed acl, denied acl (acls pointing to addresses)
#
# Each of these tests requires changing to a new configuration
# file and using rndc to update the server
#
# In view, with nothing in options (default to any)
# default (any), any, none, [localhost, localnets],
# allowed address, not allowed address, denied address,
# allowed key, not allowed key, denied key
# allowed acl, not allowed acl, denied acl (acls pointing to addresses)
#
# In view, with options set to none, view set to any
# In view, with options set to any, view set to none
#
# In zone, with nothing in options (default to any)
# any, none, [localhost, localnets],
# allowed address, denied address,
# allowed key, not allowed key, denied key
# allowed acl, not allowed acl, denied acl (acls pointing to addresses),
#
# In zone, with options set to none, zone set to any
# In zone, with options set to any, zone set to none
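# In zone, with view set to none, zone set to any
# In zone, with view set to any, zone set to none
#
# zone types of master, slave and stub can be tested in parallel by using
# multiple instances (ns2 as master, ns3 as slave, ns4 as stub) and querying
# as necessary.
#

SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnssec -p 5300"
status=0
n=0
# Non-zero when the most recent load_ns2_config call could not install or
# reload its configuration; reset at the start of every load_ns2_config call.
reload_ret=0

# load_ns2_config NN
#
# Copy ns2/namedNN.conf over ns2/named.conf, ask ns2 to reload through rndc,
# print rndc's output with an "I:ns2 " prefix, then wait 5 seconds.
#
# A failed copy or a failed reload is recorded in reload_ret instead of being
# dropped. Otherwise the server keeps answering with the previous ACL, and a
# "query refused" case that follows another "query refused" case would pass
# without the new configuration ever having been exercised.
#
# NOTE(review): the 5 second wait is a fixed delay, not a readiness check; if
# a reload takes longer, the query is still judged against the old ACL.
load_ns2_config () {
    reload_ret=0
    cp -f "ns2/named$1.conf" ns2/named.conf || reload_ret=1
    # Capture the output first so that rndc's exit status is not hidden
    # behind the exit status of sed.
    reload_out=`$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1` || reload_ret=1
    if [ -n "$reload_out" ]; then
        printf '%s\n' "$reload_out" | sed 's/^/I:ns2 /'
    fi
    if [ $reload_ret != 0 ]; then echo "I:ns2 configuration reload failed"; fi
    sleep 5
}

# check_query allowed|refused QNAME [extra dig arguments ...]
#
# Query ns2 (10.53.0.2, source address 10.53.0.2) for the A record of QNAME,
# save the response in dig.out.ns2.$n and compare it with the expectation:
#   allowed - rcode NOERROR and a line starting with QNAME in the output
#   refused - rcode REFUSED and no line starting with QNAME in the output
# The refused case checks both halves on purpose: a REFUSED rcode alone would
# not show that the record itself was withheld.
#
# Sets ret, prints "I:failed" when ret is non-zero and adds ret to status.
# The test starts out failed when the configuration it depends on did not
# load (reload_ret). Reads n, DIG and DIGOPTS.
check_query () {
    aq_expect=$1
    aq_qname=$2
    shift 2
    ret=$reload_ret
    # ${1+"$@"} expands to nothing, not to an empty word, when there are
    # no extra arguments.
    $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 ${1+"$@"} "$aq_qname" a > "dig.out.ns2.$n" || ret=1
    case $aq_expect in
    allowed)
        grep 'status: NOERROR' "dig.out.ns2.$n" > /dev/null || ret=1
        grep "^$aq_qname" "dig.out.ns2.$n" > /dev/null || ret=1
        ;;
    refused)
        grep 'status: REFUSED' "dig.out.ns2.$n" > /dev/null || ret=1
        grep "^$aq_qname" "dig.out.ns2.$n" > /dev/null && ret=1
        ;;
    *)
        # An unknown expectation must never count as a pass.
        ret=1
        ;;
    esac
    if [ $ret != 0 ]; then echo "I:failed"; fi
    status=`expr $status + $ret`
}

# The key cases pass the TSIG key to dig as "-y name:secret". That places the
# secret on the command line, where other local users can read it from the
# process list. These are fixture keys for the test servers only; outside a
# test sandbox prefer a key file (dig -k).

# Test 1 - default, query allowed
n=`expr $n + 1`
echo "I:test $n: default - query allowed"
check_query allowed a.normal.example

# Test 2 - explicit any, query allowed
n=`expr $n + 1`
load_ns2_config 02
echo "I:test $n: explicit any - query allowed"
check_query allowed a.normal.example

# Test 3 - none, query refused
n=`expr $n + 1`
load_ns2_config 03
echo "I:test $n: none - query refused"
check_query refused a.normal.example

# Test 4 - address allowed, query allowed
n=`expr $n + 1`
load_ns2_config 04
echo "I:test $n: address allowed - query allowed"
check_query allowed a.normal.example

# Test 5 - address not allowed, query refused
n=`expr $n + 1`
load_ns2_config 05
echo "I:test $n: address not allowed - query refused"
check_query refused a.normal.example

# Test 6 - address disallowed, query refused
n=`expr $n + 1`
load_ns2_config 06
echo "I:test $n: address disallowed - query refused"
check_query refused a.normal.example

# Test 7 - acl allowed, query allowed
n=`expr $n + 1`
load_ns2_config 07
echo "I:test $n: acl allowed - query allowed"
check_query allowed a.normal.example

# Test 8 - acl not allowed, query refused
n=`expr $n + 1`
load_ns2_config 08
echo "I:test $n: acl not allowed - query refused"
check_query refused a.normal.example

# Test 9 - acl disallowed, query refused
n=`expr $n + 1`
load_ns2_config 09
echo "I:test $n: acl disallowed - query refused"
check_query refused a.normal.example

# Test 10 - key allowed, query allowed
n=`expr $n + 1`
load_ns2_config 10
echo "I:test $n: key allowed - query allowed"
check_query allowed a.normal.example -y one:1234abcd8765

# Test 11 - key not allowed, query refused
n=`expr $n + 1`
load_ns2_config 11
echo "I:test $n: key not allowed - query refused"
check_query refused a.normal.example -y two:1234efgh8765

# Test 12 - key disallowed, query refused
n=`expr $n + 1`
load_ns2_config 12
echo "I:test $n: key disallowed - query refused"
check_query refused a.normal.example -y one:1234abcd8765

# The next set of tests check if allow-query works in a view

n=20
# Test 21 - views default, query allowed
n=`expr $n + 1`
load_ns2_config 21
echo "I:test $n: views default - query allowed"
check_query allowed a.normal.example

# Test 22 - views explicit any, query allowed
n=`expr $n + 1`
load_ns2_config 22
echo "I:test $n: views explicit any - query allowed"
check_query allowed a.normal.example

# Test 23 - views none, query refused
n=`expr $n + 1`
load_ns2_config 23
echo "I:test $n: views none - query refused"
check_query refused a.normal.example

# Test 24 - views address allowed, query allowed
n=`expr $n + 1`
load_ns2_config 24
echo "I:test $n: views address allowed - query allowed"
check_query allowed a.normal.example

# Test 25 - views address not allowed, query refused
n=`expr $n + 1`
load_ns2_config 25
echo "I:test $n: views address not allowed - query refused"
check_query refused a.normal.example

# Test 26 - views address disallowed, query refused
n=`expr $n + 1`
load_ns2_config 26
echo "I:test $n: views address disallowed - query refused"
check_query refused a.normal.example

# Test 27 - views acl allowed, query allowed
n=`expr $n + 1`
load_ns2_config 27
echo "I:test $n: views acl allowed - query allowed"
check_query allowed a.normal.example

# Test 28 - views acl not allowed, query refused
n=`expr $n + 1`
load_ns2_config 28
echo "I:test $n: views acl not allowed - query refused"
check_query refused a.normal.example

# Test 29 - views acl disallowed, query refused
n=`expr $n + 1`
load_ns2_config 29
echo "I:test $n: views acl disallowed - query refused"
check_query refused a.normal.example

# Test 30 - views key allowed, query allowed
n=`expr $n + 1`
load_ns2_config 30
echo "I:test $n: views key allowed - query allowed"
check_query allowed a.normal.example -y one:1234abcd8765

# Test 31 - views key not allowed, query refused
n=`expr $n + 1`
load_ns2_config 31
echo "I:test $n: views key not allowed - query refused"
check_query refused a.normal.example -y two:1234efgh8765

# Test 32 - views key disallowed, query refused
n=`expr $n + 1`
load_ns2_config 32
echo "I:test $n: views key disallowed - query refused"
check_query refused a.normal.example -y one:1234abcd8765

# Test 33 - views over options, views allow, query allowed
n=`expr $n + 1`
load_ns2_config 33
echo "I:test $n: views over options, views allow - query allowed"
check_query allowed a.normal.example

# Test 34 - views over options, views disallow, query refused
n=`expr $n + 1`
load_ns2_config 34
echo "I:test $n: views over options, views disallow - query refused"
check_query refused a.normal.example

# Tests for allow-query in the zone statements

n=40

# Test 41 - zone default, query allowed
# NOTE(review): this loads named40.conf although the test is numbered 41;
# presumably intentional, confirm against the ns2 directory.
n=`expr $n + 1`
load_ns2_config 40
echo "I:test $n: zone default - query allowed"
check_query allowed a.normal.example

# The zone tests below do not reload ns2. They reuse the configuration loaded
# for test 41 and differ only in the zone that is queried, so a failed load
# above fails all of them as well.

# Test 42 - zone explicit any, query allowed
n=`expr $n + 1`
echo "I:test $n: zone explicit any - query allowed"
check_query allowed a.any.example

# Test 43 - zone none, query refused
n=`expr $n + 1`
echo "I:test $n: zone none - query refused"
check_query refused a.none.example

# Test 44 - zone address allowed, query allowed
n=`expr $n + 1`
echo "I:test $n: zone address allowed - query allowed"
check_query allowed a.addrallow.example

# Test 45 - zone address not allowed, query refused
n=`expr $n + 1`
echo "I:test $n: zone address not allowed - query refused"
check_query refused a.addrnotallow.example

# Test 46 - zone address disallowed, query refused
n=`expr $n + 1`
echo "I:test $n: zone address disallowed - query refused"
check_query refused a.addrdisallow.example

# Test 47 - zone acl allowed, query allowed
n=`expr $n + 1`
echo "I:test $n: zone acl allowed - query allowed"
check_query allowed a.aclallow.example

# Test 48 - zone acl not allowed, query refused
n=`expr $n + 1`
echo "I:test $n: zone acl not allowed - query refused"
check_query refused a.aclnotallow.example

# Test 49 - zone acl disallowed, query refused
# NOTE(review): this stanza is left in its original inline form because its
# remaining statements follow this part of the listing.
n=`expr $n + 1`
echo "I:test $n: zone acl disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.acldisallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 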
'^a.acldisallow.example' dig.out.ns2.$n > /dev/null && ret=1 526*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi 527*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret` 528*00b67f09SDavid van Moolenbroek 529*00b67f09SDavid van Moolenbroek# Test 50 - zone key allowed, query allowed 530*00b67f09SDavid van Moolenbroekn=`expr $n + 1` 531*00b67f09SDavid van Moolenbroekecho "I:test $n: zone key allowed - query allowed" 532*00b67f09SDavid van Moolenbroekret=0 533*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 534*00b67f09SDavid van Moolenbroekgrep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 535*00b67f09SDavid van Moolenbroekgrep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 536*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi 537*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret` 538*00b67f09SDavid van Moolenbroek 539*00b67f09SDavid van Moolenbroek# Test 51 - zone key not allowed, query refused 540*00b67f09SDavid van Moolenbroekn=`expr $n + 1` 541*00b67f09SDavid van Moolenbroekecho "I:test $n: zone key not allowed - query refused" 542*00b67f09SDavid van Moolenbroekret=0 543*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 544*00b67f09SDavid van Moolenbroekgrep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 545*00b67f09SDavid van Moolenbroekgrep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 546*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi 547*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret` 548*00b67f09SDavid van Moolenbroek 549*00b67f09SDavid van Moolenbroek# Test 52 - zone key disallowed, query refused 550*00b67f09SDavid van Moolenbroekn=`expr $n + 1` 551*00b67f09SDavid van Moolenbroekecho "I:test $n: zone key disallowed - query refused" 552*00b67f09SDavid van 
Moolenbroekret=0 553*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 554*00b67f09SDavid van Moolenbroekgrep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 555*00b67f09SDavid van Moolenbroekgrep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 556*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi 557*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret` 558*00b67f09SDavid van Moolenbroek 559*00b67f09SDavid van Moolenbroek# Test 53 - zones over options, zones allow, query allowed 560*00b67f09SDavid van Moolenbroekn=`expr $n + 1` 561*00b67f09SDavid van Moolenbroekcp -f ns2/named53.conf ns2/named.conf 562*00b67f09SDavid van Moolenbroek$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' 563*00b67f09SDavid van Moolenbroeksleep 5 564*00b67f09SDavid van Moolenbroek 565*00b67f09SDavid van Moolenbroekecho "I:test $n: views over options, views allow - query allowed" 566*00b67f09SDavid van Moolenbroekret=0 567*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 568*00b67f09SDavid van Moolenbroekgrep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 569*00b67f09SDavid van Moolenbroekgrep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 570*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi 571*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret` 572*00b67f09SDavid van Moolenbroek 573*00b67f09SDavid van Moolenbroek# Test 54 - zones over options, zones disallow, query refused 574*00b67f09SDavid van Moolenbroekn=`expr $n + 1` 575*00b67f09SDavid van Moolenbroekcp -f ns2/named54.conf ns2/named.conf 576*00b67f09SDavid van Moolenbroek$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' 577*00b67f09SDavid van Moolenbroeksleep 5 578*00b67f09SDavid van Moolenbroek 579*00b67f09SDavid van 
Moolenbroekecho "I:test $n: views over options, views disallow - query refused" 580*00b67f09SDavid van Moolenbroekret=0 581*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 582*00b67f09SDavid van Moolenbroekgrep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 583*00b67f09SDavid van Moolenbroekgrep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 584*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi 585*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret` 586*00b67f09SDavid van Moolenbroek 587*00b67f09SDavid van Moolenbroek# Test 55 - zones over views, zones allow, query allowed 588*00b67f09SDavid van Moolenbroekn=`expr $n + 1` 589*00b67f09SDavid van Moolenbroekcp -f ns2/named55.conf ns2/named.conf 590*00b67f09SDavid van Moolenbroek$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' 591*00b67f09SDavid van Moolenbroeksleep 5 592*00b67f09SDavid van Moolenbroek 593*00b67f09SDavid van Moolenbroekecho "I:test $n: zones over views, views allow - query allowed" 594*00b67f09SDavid van Moolenbroekret=0 595*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 596*00b67f09SDavid van Moolenbroekgrep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 597*00b67f09SDavid van Moolenbroekgrep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 598*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi 599*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret` 600*00b67f09SDavid van Moolenbroek 601*00b67f09SDavid van Moolenbroek# Test 56 - zones over views, zones disallow, query refused 602*00b67f09SDavid van Moolenbroekn=`expr $n + 1` 603*00b67f09SDavid van Moolenbroekcp -f ns2/named56.conf ns2/named.conf 604*00b67f09SDavid van Moolenbroek$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' 605*00b67f09SDavid van Moolenbroeksleep 5 
606*00b67f09SDavid van Moolenbroek 607*00b67f09SDavid van Moolenbroekecho "I:test $n: zones over views, views disallow - query refused" 608*00b67f09SDavid van Moolenbroekret=0 609*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 610*00b67f09SDavid van Moolenbroekgrep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 611*00b67f09SDavid van Moolenbroekgrep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 612*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi 613*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret` 614*00b67f09SDavid van Moolenbroek 615*00b67f09SDavid van Moolenbroek# Test 57 - zones over views, zones disallow, query refused (allow-query-on) 616*00b67f09SDavid van Moolenbroekn=`expr $n + 1` 617*00b67f09SDavid van Moolenbroekcp -f ns2/named57.conf ns2/named.conf 618*00b67f09SDavid van Moolenbroek$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' 619*00b67f09SDavid van Moolenbroeksleep 5 620*00b67f09SDavid van Moolenbroek 621*00b67f09SDavid van Moolenbroekecho "I:test $n: zones over views, allow-query-on" 622*00b67f09SDavid van Moolenbroekret=0 623*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.1.$n || ret=1 624*00b67f09SDavid van Moolenbroekgrep 'status: NOERROR' dig.out.ns2.1.$n > /dev/null || ret=1 625*00b67f09SDavid van Moolenbroekgrep '^a.normal.example' dig.out.ns2.1.$n > /dev/null || ret=1 626*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.2.$n || ret=1 627*00b67f09SDavid van Moolenbroekgrep 'status: REFUSED' dig.out.ns2.2.$n > /dev/null || ret=1 628*00b67f09SDavid van Moolenbroekgrep '^a.aclnotallow.example' dig.out.ns2.2.$n > /dev/null && ret=1 629*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi 630*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret` 631*00b67f09SDavid 
van Moolenbroek 632*00b67f09SDavid van Moolenbroekecho "I:exit status: $status" 633*00b67f09SDavid van Moolenbroekexit $status 634*00b67f09SDavid van Moolenbroek 635