xref: /netbsd-src/external/mpl/bind/dist/bin/tests/system/rpzrecurse/README (revision 5f2f42719cd62ff11fd913b40b7ce19f07c4fd25)
Copyright (C) Internet Systems Consortium, Inc. ("ISC")

See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.

These tests check RPZ recursion behavior (including skipping
recursion when appropriate).

The general structure of the tests is:

* The resolver (ns2) with an unqualified view containing the policy
  zones, the response-policy statement, and a root hint zone

* The auth server that contains two authoritative zones, l1.l0 and
  l2.l1.l0, both delegated to itself. l2.l1.l0 specifies a non-existent
  zone data file and so will generate SERVFAILs for any queries to it.

The l2.l1.l0 zone was chosen to generate SERVFAIL responses because RPZ
evaluation will use that error response whenever it encounters it during
processing, thus making it a binary indicator for whether or not
recursion was attempted.  This also allows us to not worry about having
to craft 'ip', 'nsdname', and 'nsip' rules that match the queries.

Each test is intended to be fed a number of queries constructed as
qXX.l2.l1.l0, where XX is the 1-based query sequence number (e.g. the
first query of each test is q01.l2.l1.l0).

For all the tests the triggers are constructed as follows:
client-ip - match 127.0.0.1/32
ip - match 255.255.255.255/32 (does not matter due to SERVFAIL)
nsdname - match ns.example.org (also does not matter)
nsip - match 255.255.255.255/32 (also does not matter)
qname - match qXX.l2.l1.l0, where XX is the query sequence number that
is intended to be matched by this qname rule.

Here's the detail on the test cases:

Group 1 - testing skipping recursion for a single policy zone with only
records that allow recursion to be skipped

Test 1a:
    1 policy zone containing 1 'client-ip' trigger
    1 query, expected to skip recursion

Test 1b:
    1 policy zone containing 1 'qname' trigger (q01)
    2 queries, q01 is expected to skip recursion, q02 is expected to
      recurse

Test 1c:
    1 policy zone containing both a 'client-ip' and 'qname' trigger (q02)
    1 query, expected to skip recursion

Group 2 - testing skipping recursion with multiple policy zones when all
zones contain only trigger types that allow recursion to be skipped

Test 2a:
    32 policy zones, each containing 1 'qname' trigger (qNN, where NN is
       the zone's 1-based sequence number formatted to 2 digits,
       so each of the first 32 queries should match a different zone)
    33 queries, the first 32 of which are expected to skip recursion
       while the 33rd is expected to recurse

Group 3 - testing interaction of triggers that require recursion when in
a single zone, both alone and with triggers that allow recursion to be
skipped

Test 3a:
    1 policy zone containing 1 'ip' trigger
    1 query, expected to recurse

Test 3b:
    1 policy zone containing 1 'nsdname' trigger
    1 query, expected to recurse

Test 3c:
    1 policy zone containing 1 'nsip' trigger
    1 query, expected to recurse

Test 3d:
    1 policy zone containing 1 'ip' trigger and 1 'qname' trigger (q02)
    2 queries, the first should not recurse and the second should recurse

Test 3e:
    1 policy zone containing 1 'nsdname' trigger and 1 'qname' trigger
      (q02)
    2 queries, the first should not recurse and the second should recurse

Test 3f:
    1 policy zone containing 1 'nsip' trigger and 1 'qname' trigger (q02)
    2 queries, the first should not recurse and the second should recurse

Group 4 - contains 32 subtests designed to verify that recursion is
skippable for only the appropriate zones based on the order specified in
the 'response-policy' statement

Tests 4aa to 4bf:
    32 policy zones per test, one of which is configured with 1 'ip'
       trigger and 1 'qname' trigger while the others are configured
       only with 1 'qname' trigger.  The zone with both triggers starts
       listed first and is moved backwards by one position with each
       test.  The 'qname' triggers in the zones are structured so that
       the zones are tested starting with the first zone and the 'ip'
       trigger is tested before the 'qname' trigger for that zone.
    33 queries per test, where the number expected to skip recursion
       matches the test sequence number: e.g. 1 skip for 4aa, 26 skips
       for 4az, and 32 skips for 4bf

Group 5 - this test verifies that the "pivot" policy zone for whether or
not recursion can be skipped is the first listed zone with applicable
trigger types rather than a later listed zone.

Test 5a:
    5 policy zones, the 1st, 3rd, and 5th configured with 1 'qname'
      trigger each (q01, q04, and q06, respectively), the 2nd and 4th
      each configured with an 'ip' and 'qname' trigger (q02 and q05,
      respectively, for the 'qname' triggers)
    6 queries, of which only q01 and q02 are expected to skip recursion

118