Copyright (C) Internet Systems Consortium, Inc. ("ISC")

SPDX-License-Identifier: MPL-2.0

This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.

See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.

These tests check RPZ recursion behavior (including skipping
recursion when appropriate).

The general structure of the tests is:

* The resolver (ns2) with an unqualified view containing the policy
  zones, the response-policy statement, and a root hint zone

* The auth server that contains two authoritative zones, l1.l0 and
  l2.l1.l0, both delegated to itself. l2.l1.l0 specifies a non-existent
  zone data file and so will generate SERVFAILs for any queries to it.

The l2.l1.l0 zone was chosen to generate SERVFAIL responses because RPZ
evaluation will use that error response whenever it encounters it during
processing, thus making it a binary indicator for whether or not
recursion was attempted. This also allows us to not worry about having
to craft 'ip', 'nsdname', and 'nsip' rules that matched the queries.

Each test is intended to be fed a number of queries constructed as
qXX.l2.l1.l0, where XX is the 1-based query sequence number (e.g. the
first query of each test is q01.l2.l1.l0).

For all the tests the triggers are constructed as follows:
client-ip - match 127.0.0.1/32
ip - match 255.255.255.255/32 (does not matter due to SERVFAIL)
nsdname - match ns.example.org (also does not matter)
nsip - match 255.255.255.255/32 (also does not matter)
qname - match qXX.l2.l1.l0, where XX is the query sequence number that
is intended to be matched by this qname rule.

Here's the detail on the test cases:

Group 1 - testing skipping recursion for a single policy zone with only
records that allow recursion to be skipped

Test 1a:
    1 policy zone containing 1 'client-ip' trigger
    1 query, expected to skip recursion

Test 1b:
    1 policy zone containing 1 'qname' trigger (q01)
    2 queries, q01 is expected to skip recursion, q02 is expected to
    recurse

Test 1c:
    1 policy zone containing both a 'client-ip' and 'qname' trigger (q02)
    1 query, expected to skip recursion

Group 2 - testing skipping recursion with multiple policy zones when all
zones have only trigger types eligible to skip recursion

Test 2a:
    32 policy zones, each containing 1 'qname' trigger (qNN, where NN is
    the zone's 1-based sequence number formatted to 2 digits,
    so each of the first 32 queries should match a different zone)
    33 queries, the first 32 of which are expected to skip recursion
    while the 33rd is expected to recurse

Group 3 - Testing interaction of triggers that require recursion when in
a single zone, both alone and with triggers that allow recursion to be
skipped

Test 3a:
    1 policy zone containing 1 'ip' trigger
    1 query, expected to recurse

Test 3b:
    1 policy zone containing 1 'nsdname' trigger
    1 query, expected to recurse

Test 3c:
    1 policy zone containing 1 'nsip' trigger
    1 query, expected to recurse

Test 3d:
    1 policy zone containing 1 'ip' trigger and 1 'qname' trigger (q02)
    2 queries, the first should not recurse and the second should recurse

Test 3e:
    1 policy zone containing 1 'nsdname' trigger and 1 'qname' trigger
    (q02)
    2 queries, the first should not recurse and the second should recurse

Test 3f:
    1 policy zone containing 1 'nsip' trigger and 1 'qname' trigger (q02)
    2 queries, the first should not recurse and the second should recurse

Group 4 - contains 32 subtests designed to verify that recursion
is skippable for only the appropriate zones based on the order
specified in the 'response-policy' statement

Tests 4aa to 4bf:
    32 policy zones per test, one of which is configured with 1 'ip'
    trigger and one 'qname' trigger while the others are configured
    only with 1 'qname' trigger. The zone with both triggers starts
    listed first and is moved backwards by one position with each
    test. The 'qname' triggers in the zones are structured so that
    the zones are tested starting with the first zone and the 'ip'
    trigger is tested before the 'qname' trigger for that zone.
    33 queries per test, where the number expected to skip recursion
    matches the test sequence number: e.g. 1 skip for 4aa, 26 skips
    for 4az, and 32 skips for 4bf

Group 5 - This test verifies that the "pivot" policy zone for whether or
not recursion can be skipped is the first listed zone with applicable
trigger types rather than a later listed zone.

Test 5a:
    5 policy zones, the 1st, 3rd, and 5th configured with 1 'qname'
    trigger each (q01, q04, and q06, respectively), the 2nd and 4th
    each configured with an 'ip' and 'qname' trigger (q02 and q05,
    respectively, for the 'qname' triggers)
    6 queries, of which only q01 and q02 are expected to skip recursion
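
The ordering rule exercised by Tests 2a, 4aa to 4bf and 5a, written as a
small Python model. This is an added example, not part of the test suite
or of named itself; the dict layout, the function names and the Group 4
query numbering (one query spent on the mixed zone's 'ip' trigger, the
next on its 'qname' trigger) are assumptions made for illustration.

```python
# Added model of the skip-recursion ordering rule; illustrative, not BIND code.
NEEDS_RECURSION = {"ip", "nsdname", "nsip"}  # evaluated only after recursing


def pivot_index(zones):
    """Index of the first zone holding a trigger that needs recursion, or None."""
    for i, zone in enumerate(zones):
        if zone.keys() & NEEDS_RECURSION:
            return i
    return None


def skips_recursion(zones, seq):
    """True if query qNN (NN = seq) is expected to skip recursion.

    zones: policy zones in 'response-policy' order, each a dict mapping a
    trigger type to its value (for 'qname', the matching sequence number).
    """
    pivot = pivot_index(zones)
    last = len(zones) - 1 if pivot is None else pivot
    for zone in zones[: last + 1]:
        # Assumed: test queries come from 127.0.0.1, so 'client-ip' matches.
        if "client-ip" in zone or zone.get("qname") == seq:
            return True
    return False  # nothing matched at or before the pivot, so recurse


def skipped(zones, nqueries):
    """Sequence numbers of the queries q01..qNN expected to skip recursion."""
    return [n for n in range(1, nqueries + 1) if skips_recursion(zones, n)]


def group4(position, nzones=32):
    """Zones for the Group 4 subtest whose mixed zone sits at `position` (1-based).
    Assumed numbering: the mixed zone spends one query on its 'ip' trigger and
    the next on its 'qname' trigger, so it and all later zones shift by one.
    """
    zones = [{"qname": i if i < position else i + 1} for i in range(1, nzones + 1)]
    zones[position - 1]["ip"] = "255.255.255.255/32"
    return zones


TEST_2A = [{"qname": n} for n in range(1, 33)]
TEST_5A = [{"qname": 1}, {"ip": "255.255.255.255/32", "qname": 2}, {"qname": 4},
           {"ip": "255.255.255.255/32", "qname": 5}, {"qname": 6}]

if __name__ == "__main__":
    print("2a:", len(skipped(TEST_2A, 33)), "5a:", skipped(TEST_5A, 6))
    print("4aa/4az/4bf:", [len(skipped(group4(p), 33)) for p in (1, 26, 32)])
```

The skip counts it produces for 2a, 4aa, 4az, 4bf and 5a are the ones
listed in the test descriptions above.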