Diffstat (limited to 'testdata')
26 files changed, 1061 insertions, 76 deletions
diff --git a/testdata/edns_attached_once_per_upstream.rpl b/testdata/edns_attached_once_per_upstream.rpl
new file mode 100644
index 000000000000..19f1ba75df49
--- /dev/null
+++ b/testdata/edns_attached_once_per_upstream.rpl
@@ -0,0 +1,90 @@
+; config options
+server:
+ edns-client-string: 10.0.0.0/24 "abc d"
+ outbound-msg-retry: 1
+
+stub-zone:
+ name: "edns-string-abc."
+ stub-addr: 10.0.0.3
+ stub-first: yes
+
+forward-zone:
+ name: "."
+ forward-addr: 10.0.0.1
+
+CONFIG_END
+
+SCENARIO_BEGIN Test that upstream specific EDNS is attached once; uses string tag option
+
+RANGE_BEGIN 0 1000
+ ADDRESS 10.0.0.3
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR SERVFAIL
+SECTION QUESTION
+edns-string-abc. IN A
+ENTRY_END
+RANGE_END
+
+RANGE_BEGIN 0 1000
+ ADDRESS 10.0.0.1
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+edns-string-abc. IN A
+SECTION ANSWER
+edns-string-abc. IN A 10.20.30.40
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+edns-string-abc. IN A
+ENTRY_END
+
+; This will receive SERVFAIL and the next address will be queried
+STEP 20 CHECK_OUT_QUERY ADDRESS 10.0.0.3
+ENTRY_BEGIN
+MATCH qname qtype opcode ednsdata
+SECTION QUESTION
+edns-string-abc. IN A
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ fd e9 ; Opcode 65001
+ 00 05 ; Length 5
+ 61 62 63 20 64 ; "abc d"
+ HEX_EDNSDATA_END
+ENTRY_END
+
+; This will receive the answer; makes sure that EDNS is attached once
+STEP 22 CHECK_OUT_QUERY ADDRESS 10.0.0.1
+ENTRY_BEGIN
+MATCH qname qtype opcode ednsdata
+SECTION QUESTION
+edns-string-abc. IN A
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ fd e9 ; Opcode 65001
+ 00 05 ; Length 5
+ 61 62 63 20 64 ; "abc d"
+ HEX_EDNSDATA_END
+ENTRY_END
+
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+edns-string-abc. IN A
+SECTION ANSWER
+edns-string-abc. IN A 10.20.30.40
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/localdata.rpl b/testdata/localdata.rpl index 047fbeebadd4..e54de2b61662 100644 --- a/testdata/localdata.rpl +++ b/testdata/localdata.rpl @@ -45,9 +45,32 @@ server: local-data: "b.c.implicit. A 20.30.45.50" local-data: "c.c.implicit. A 20.30.44.50" + ; create implicit data in the ANY domain + ; this should inherit the local_zone_type of the already configured + ; zone 'refuse.top.' and not be transparent + local-data: "refuse.top. ANY TXT implicit_non_transparent" + +stub-zone: + name: "refuse.top" + stub-addr: 1.2.3.4 + CONFIG_END SCENARIO_BEGIN Test local data queries +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 +; This entry should never be queried +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.refuse.top. IN A +SECTION ANSWER +www.refuse.top. IN A 5.5.5.5 +ENTRY_END +RANGE_END + ; id.server. STEP 1 QUERY ENTRY_BEGIN @@ -390,4 +413,35 @@ SECTION ANSWER foo.null.top. IN AAAA ::0 ENTRY_END +; refuse zone for implicit local-data with CLASS != IN +STEP 64 QUERY +ENTRY_BEGIN +SECTION QUESTION +refuse.top. ANY TXT +ENTRY_END +STEP 65 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RA AA NOERROR +SECTION QUESTION +refuse.top. ANY TXT +SECTION ANSWER +refuse.top. ANY TXT implicit_non_transparent +ENTRY_END + +; refuse zone for implicit local-data with CLASS != IN +STEP 66 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.refuse.top. ANY A +ENTRY_END +STEP 67 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RA RD AA REFUSED +SECTION QUESTION +www.refuse.top. ANY A +ENTRY_END + SCENARIO_END diff --git a/testdata/nsid_bogus.rpl b/testdata/nsid_bogus.rpl new file mode 100644 index 000000000000..1414163f8a6a --- /dev/null +++ b/testdata/nsid_bogus.rpl 
@@ -0,0 +1,174 @@ +; config options +; The island of trust is at example.com +server: + trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b" + val-override-date: "20070916134226" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no + nsid: "ascii_hopsa kidee" + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test for NSID in SERVFAIL response due to DNSSEC bogus + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.com. +example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. 
MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} +ENTRY_END + +; response to DNSKEY priming query +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN DNSKEY +SECTION ANSWER +example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b} +example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854} +SECTION AUTHORITY +example.com. IN NS ns.example.com. +example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} +ENTRY_END + +; nodata for ns.example.com AAAA +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example.com. IN AAAA +SECTION ANSWER +SECTION ADDITIONAL +ENTRY_END + + +; response to query of interest +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +;good signature +;www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. 
MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854} +;missing +www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2855 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= +SECTION AUTHORITY +example.com. IN NS ns.example.com. +example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854} +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +www.example.com. IN A +SECTION ADDITIONAL + HEX_EDNSDATA_BEGIN + 00 03 ; Opcode NSID (3) + 00 00 ; Length 0 + HEX_EDNSDATA_END +ENTRY_END + +; recursion happens here. +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA DO SERVFAIL +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +SECTION ADDITIONAL + HEX_EDNSDATA_BEGIN + 00 03 ; Opcode NSID (3) + 00 0b ; Length 11 + 68 6F 70 73 61 20 ; "hopsa " + 6B 69 64 65 65 ; "kidee" + HEX_EDNSDATA_END +ENTRY_END + +SCENARIO_END diff --git a/testdata/pylib.tdir/pylib.lookup.conf b/testdata/pylib.tdir/pylib.lookup.conf index 3f4a8d26dfb1..f467d5bc6591 100644 --- a/testdata/pylib.tdir/pylib.lookup.conf +++ b/testdata/pylib.tdir/pylib.lookup.conf @@ -11,4 +11,4 @@ server: stub-zone: name: "example.com." stub-addr: "127.0.0.1@@TOPORT@" - + stub-no-cache: yes diff --git a/testdata/pylib.tdir/pylib.lookup.py b/testdata/pylib.tdir/pylib.lookup.py index 114bb49a0902..b9f6e8397164 100755 --- a/testdata/pylib.tdir/pylib.lookup.py +++ b/testdata/pylib.tdir/pylib.lookup.py 
@@ -9,9 +9,11 @@ import time import unbound qname = "www.example.com" +qname2 = "www2.example.com" qtype = unbound.RR_TYPE_A qclass = unbound.RR_CLASS_IN + def create_context(config_file="ub.lookup.conf", asyncflag=False): """ Create an unbound context to use for testing. @@ -69,32 +71,6 @@ def test_async_resolve(ctx): print("Failed async resolve with: {}".format(retval)) -def test_ratelimit_fg_on(ctx): - """ - Test resolving a ratelimited domain with a foreground worker. - - """ - ctx.set_option("ratelimit:", "1") - ctx.set_option("ratelimit-factor:", "0") - status, result = ctx.resolve(qname, qtype, qclass) - if status == 0 and result.was_ratelimited: - print("Ratelimit-fg-on: pass") - else: - print("Failed ratelimit-fg-on with: {}".format(status)) - - -def test_ratelimit_fg_off(ctx): - """ - Test resolving a non-ratelimited domain with a foreground worker. - - """ - status, result = ctx.resolve(qname, qtype, qclass) - if status == 0 and result.havedata: - print("Ratelimit-fg-off: {}".format(result.data.address_list)) - else: - print("Failed ratelimit-fg-off with: {}".format(status)) - - def test_ratelimit_bg_on(ctx): """ Test resolving a ratelimited domain with a background worker. 
@@ -102,40 +78,32 @@ def test_ratelimit_bg_on(ctx): """ ctx.set_option("ratelimit:", "1") ctx.set_option("ratelimit-factor:", "0") - cb_data = dict(done=False) - retval, async_id = ctx.resolve_async(qname, cb_data, callback, qtype, qclass) - while retval == 0 and not cb_data['done']: - time.sleep(0.1) - retval = ctx.process() - - if cb_data.get('was_ratelimited'): - print("Ratelimit-bg-on: pass") - else: - print("Failed ratelimit-bg-on with: {}".format(status)) - - -def test_ratelimit_bg_off(ctx): - """ - Test resolving a non-ratelimited domain with a background worker. + total_runs = 6 + success_threshold = 4 # 2/3*total_runs + successes = 0 + for i in range(total_runs): + cb_data = dict(done=False) + cb_data2 = dict(done=False) + retval, async_id = ctx.resolve_async(qname, cb_data, callback, qtype, qclass) + retval, async_id = ctx.resolve_async(qname2, cb_data2, callback, qtype, qclass) - """ - cb_data = dict(done=False) - retval, async_id = ctx.resolve_async(qname, cb_data, callback, qtype, qclass) - while retval == 0 and not cb_data['done']: - time.sleep(0.1) - retval = ctx.process() + while retval == 0 and not (cb_data['done'] and cb_data['done']): + time.sleep(0.1) + retval = ctx.process() - if cb_data.get('data'): - print("Ratelimit-bg-off: {}".format(cb_data['data'].address_list)) + if bool(cb_data.get('was_ratelimited')) ^ bool(cb_data2.get('was_ratelimited')): + successes += 1 + if successes >= success_threshold: + break + time.sleep(1) + if successes >= success_threshold: + print("Ratelimit-bg-on: pass") else: - print("Failed ratelimit-bg-off with: {}".format(status)) + print("Failed ratelimit-bg-on") test_resolve(create_context()) test_async_resolve(create_context(asyncflag=True)) -test_ratelimit_fg_on(create_context()) -test_ratelimit_fg_off(create_context()) test_ratelimit_bg_on(create_context(asyncflag=True)) -test_ratelimit_bg_off(create_context(asyncflag=True)) sys.exit(0) 
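Review bot: The wait loop in test_ratelimit_bg_on tests `cb_data['done']` twice, so it stops as soon as the first query's callback has fired and never waits for `cb_data2`; the XOR check that follows can then read `cb_data2.get('was_ratelimited')` before it has been set. The condition should be `while retval == 0 and not (cb_data['done'] and cb_data2['done']):`. The second `resolve_async` call also overwrites `retval` from the first, so a failure to submit `qname` goes unnoticed; keeping the two return values under separate names and checking both would cover that. `callback` is defined outside this hunk, so which keys it sets on the dict is inferred from how they are read here.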
diff --git a/testdata/pylib.tdir/pylib.test b/testdata/pylib.tdir/pylib.test index 893aaf64f252..59f996459c17 100644 --- a/testdata/pylib.tdir/pylib.test +++ b/testdata/pylib.tdir/pylib.test @@ -42,30 +42,12 @@ else echo "Not OK (async resolve)" exit 1 fi -if grep "Ratelimit-fg-on: pass" outfile; then - : -else - echo "Not OK (ratelimit-fg-on)" - exit 1 -fi -if grep "Ratelimit-fg-off: \[.\?10.20.30.40.\?\]" outfile; then - : -else - echo "Not OK (ratelimit-fg-off)" - exit 1 -fi if grep "Ratelimit-bg-on: pass" outfile; then : else echo "Not OK (ratelimit-bg-on)" exit 1 fi -if grep "Ratelimit-bg-off: \[.\?10.20.30.40.\?\]" outfile; then - : -else - echo "Not OK (ratelimit-bg-off)" - exit 1 -fi echo "OK" diff --git a/testdata/pylib.tdir/pylib.testns b/testdata/pylib.tdir/pylib.testns index f2a700cc7daf..af54ed570603 100644 --- a/testdata/pylib.tdir/pylib.testns +++ b/testdata/pylib.tdir/pylib.testns @@ -12,3 +12,12 @@ SECTION ANSWER www IN A 10.20.30.40 ENTRY_END +ENTRY_BEGIN +MATCH opcode qtype qname +REPLY QR AA NOERROR +ADJUST copy_id +SECTION QUESTION +www2 IN A +SECTION ANSWER +www2 IN A 10.20.30.40 +ENTRY_END diff --git a/testdata/ratelimit.tdir/ratelimit.conf b/testdata/ratelimit.tdir/ratelimit.conf new file mode 100644 index 000000000000..5d2456c39311 --- /dev/null +++ b/testdata/ratelimit.tdir/ratelimit.conf @@ -0,0 +1,29 @@ +server: + verbosity: 5 + # num-threads: 1 + interface: 127.0.0.1 + port: @PORT@ + use-syslog: no + directory: . + pidfile: "unbound.pid" + chroot: "" + username: "" + do-not-query-localhost: no + + ratelimit: 1 + ratelimit-factor: 0 + +stub-zone: + name: "example.com." + stub-addr: "127.0.0.1@@TOPORT@" + stub-no-cache: yes + +remote-control: + control-enable: yes + control-interface: 127.0.0.1 + # control-interface: ::1 + control-port: @CONTROL_PORT@ + server-key-file: "unbound_server.key" + server-cert-file: "unbound_server.pem" + control-key-file: "unbound_control.key" + control-cert-file: "unbound_control.pem" 
diff --git a/testdata/ratelimit.tdir/ratelimit.dsc b/testdata/ratelimit.tdir/ratelimit.dsc new file mode 100644 index 000000000000..abd5307c79ef --- /dev/null +++ b/testdata/ratelimit.tdir/ratelimit.dsc @@ -0,0 +1,16 @@ +BaseName: ratelimit +Version: 1.0 +Description: Test ratelimit. +CreationDate: Sun Jan 30 00:40:00 CET 2022 +Maintainer: Yorgos Thessalonikefs +Category: +Component: +CmdDepends: +Depends: +Help: +Pre: ratelimit.pre +Post: ratelimit.post +Test: ratelimit.test +AuxFiles: +Passed: +Failure: diff --git a/testdata/ratelimit.tdir/ratelimit.post b/testdata/ratelimit.tdir/ratelimit.post new file mode 100644 index 000000000000..6738ed55ad07 --- /dev/null +++ b/testdata/ratelimit.tdir/ratelimit.post @@ -0,0 +1,14 @@ +# #-- ratelimit.post --# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# source the test var file when it's there +[ -f .tpkg.var.test ] && source .tpkg.var.test +# +# do your teardown here +. ../common.sh +kill_pid $STUB_PID +kill_pid $UNBOUND_PID +if test -f unbound.log; then + echo ">>> unbound log" + cat unbound.log +fi diff --git a/testdata/ratelimit.tdir/ratelimit.pre b/testdata/ratelimit.tdir/ratelimit.pre new file mode 100644 index 000000000000..2404cfc00b93 --- /dev/null +++ b/testdata/ratelimit.tdir/ratelimit.pre 
@@ -0,0 +1,33 @@ +# #-- ratelimit.pre--# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing +[ -f .tpkg.var.test ] && source .tpkg.var.test + +PRE="../.." +. ../common.sh +get_random_port 2 +UNBOUND_PORT=$RND_PORT +STUB_PORT=$(($RND_PORT + 1)) +CONTROL_PORT=$(($RND_PORT + 2)) +echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test +echo "STUB_PORT=$STUB_PORT" >> .tpkg.var.test +echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test + +# start ldns-testns +get_ldns_testns +$LDNS_TESTNS -v -p $STUB_PORT ratelimit.testns >stub.log 2>&1 & +STUB_PID=$! +echo "STUB_PID=$STUB_PID" >> .tpkg.var.test + +# make config file +sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$STUB_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < ratelimit.conf > ub.conf +# start unbound in the background +$PRE/unbound -d -c ub.conf >unbound.log 2>&1 & +UNBOUND_PID=$! +echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test + +wait_ldns_testns_up stub.log +wait_unbound_up unbound.log + +cat .tpkg.var.test diff --git a/testdata/ratelimit.tdir/ratelimit.test b/testdata/ratelimit.tdir/ratelimit.test new file mode 100644 index 000000000000..cc14717405c6 --- /dev/null +++ b/testdata/ratelimit.tdir/ratelimit.test 
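Review bot: `get_random_port 2` is followed by three port assignments (`$RND_PORT`, `$RND_PORT + 1` and `$RND_PORT + 2`), so CONTROL_PORT appears to fall outside the range that was checked for being free. common.sh is not part of this diff, so the meaning of the argument is inferred; if it is the number of consecutive ports to reserve, the call should be `get_random_port 3`. A collision on the control port would surface as an intermittent failure of unbound start-up or of the `unbound-control set_option` calls in ratelimit.test.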
@@ -0,0 +1,183 @@ +# #-- ratelimit.test --# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing +[ -f .tpkg.var.test ] && source .tpkg.var.test + +PRE="../.." +. ../common.sh + +get_make +(cd $PRE; $MAKE streamtcp) + +# These tests rely on second time precision. To combat false negatives the +# tests run multiple times and we allow 1/3 of the runs to fail. +total_runs=6 +success_threshold=4 # 2/3*total_runs + +successes=0 +echo "> Three parallel queries" +# For this test we send three parallel queries and we expect only one of them +# to be allowed through each second. +for i in $(seq 1 $total_runs); do + $PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1 + if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Not OK" + exit 1 + fi + cat outfile + if test `grep "rcode: SERVFAIL" outfile | wc -l` -eq 2; then + ((successes++)) + fi + # We don't have to wait for all the runs to complete if we know + # we passed the threshold. + if test $successes -ge $success_threshold; then + break + fi + sleep 1 +done +if test $successes -ge $success_threshold; then + echo "Number of ratelimited queries OK for three parallel queries" +else + echo "Number of ratelimited queries not OK for three parallel queries" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Number of ratelimited queries not OK for three parallel queries" + exit 1 +fi + +echo "> Activating ratelimit-factor" +echo "$PRE/unbound-control -c ub.conf set_option ratelimit-factor: 3" +$PRE/unbound-control -c ub.conf set_option ratelimit-factor: 3 +if test $? 
-ne 0; then + echo "wrong exit value after success" + exit 1 +fi + +slipped_through=0 +echo "> Three parallel queries with ratelimit-factor" +# For this test we send three parallel queries and we expect at least two of +# them to be allowed through at a given second; one from the ratelimit itself +# and one from the ratelimit-factor. +for i in {1..10}; do + $PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1 + if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Not OK" + exit 1 + fi + cat outfile + if test `grep "rcode: SERVFAIL" outfile | wc -l` -lt 2; then + slipped_through=1 + break + fi + sleep 2 +done +if test $slipped_through -eq 0; then + echo "ratelimit-factor did not work" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "ratelimit-factor did not work" + exit 1 +fi +echo "ratelimit-factor OK" + +echo "> Disabling ratelimit-factor" +echo "$PRE/unbound-control -c ub.conf set_option ratelimit-factor: 0" +$PRE/unbound-control -c ub.conf set_option ratelimit-factor: 0 +if test $? -ne 0; then + echo "wrong exit value after success" + exit 1 +fi +echo "> Activating ratelimit-backoff" +echo "$PRE/unbound-control -c ub.conf set_option ratelimit-backoff: yes" +$PRE/unbound-control -c ub.conf set_option ratelimit-backoff: yes +if test $? -ne 0; then + echo "wrong exit value after success" + exit 1 +fi + +successes=0 +echo "> Three parallel queries with backoff" +# For this test we send three parallel queries. The ratelimit should be reached +# for that second. Then for the next second we again send three parallel +# queries and we expect none of them to be allowed through because of the +# backoff logic that keeps rolling the RATE_WINDOW based on demand. +for i in $(seq 1 $total_runs); do + $PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. 
A IN >outfile 2>&1 + if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Not OK" + exit 1 + fi + sleep 1 # Limit is reached; it should also be active for the next second + $PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1 + if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Not OK" + exit 1 + fi + cat outfile + if test `grep "rcode: SERVFAIL" outfile | wc -l` -eq 3; then + ((successes++)) + fi + # We don't have to wait for all the runs to complete if we know + # we passed the threshold. + if test $successes -ge $success_threshold; then + break + fi +done + +if test $successes -ge $success_threshold; then + echo "three parallel queries with backoff OK" +else + echo "Number of ratelimited queries not OK for three parallel queries with backoff" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Number of ratelimited queries not OK for three parallel queries with backoff" + exit 1 +fi + +echo "> Three parallel queries after backoff RATE_WINDOW" +sleep 3 # Make sure the RATE_WINDOW is renewed +# For this test we make three parallel queries after the RATE_WINDOW has passed +# without any new demand and we expect at least one query to pass through. This +# is to check that the backoff logic does not insist on past (outside of +# RATE_WINDOW) limits. +$PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1 +if test "$?" 
-ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Not OK" + exit 1 +fi +cat outfile +if test `grep "rcode: NOERROR" outfile | wc -l` -gt 0; then + echo "Number of ratelimited queries OK for three parallel queries after backoff RATE_WINDOW" +else + echo "Number of ratelimited queries not OK for three parallel queries after backoff RATE_WINDOW" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Number of ratelimited queries not OK for three parallel queries after backoff RATE_WINDOW" + exit 1 +fi +exit 0 diff --git a/testdata/ratelimit.tdir/ratelimit.testns b/testdata/ratelimit.tdir/ratelimit.testns new file mode 100644 index 000000000000..673bd15a598b --- /dev/null +++ b/testdata/ratelimit.tdir/ratelimit.testns @@ -0,0 +1,13 @@ +; nameserver test file +$ORIGIN example.com. +$TTL 3600 + +ENTRY_BEGIN +MATCH opcode qtype +REPLY QR AA NOERROR +ADJUST copy_id copy_query +SECTION QUESTION +wild IN A +SECTION ANSWER +wild IN A 10.20.30.40 +ENTRY_END diff --git a/testdata/ratelimit.tdir/unbound_control.key b/testdata/ratelimit.tdir/unbound_control.key new file mode 100644 index 000000000000..753a4ef6162e --- /dev/null +++ b/testdata/ratelimit.tdir/unbound_control.key 
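Review bot: ratelimit.test mixes bash-only forms (`((successes++))`, `for i in {1..10}`) with POSIX `test` and backticks, and the new file carries no interpreter line, so it depends on the harness running it under bash. `successes=$((successes + 1))` and `for i in $(seq 1 10)` (the form the other two loops already use) would keep it consistent, and `grep -c "rcode: SERVFAIL" outfile` can replace each `grep ... | wc -l` pipeline. The text `wrong exit value after success` is printed when `unbound-control set_option` returns non-zero, which reads as the opposite of what happened; a plain failure message naming the option would make the log easier to triage.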
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG4gIBAAKCAYEAstEp+Pyh8XGrtZ77A4FhYjvbeB3dMa7Q2rGWxobzlA9przhA +1aChAvUtCOAuM+rB6NTNB8YWfZJbQHawyMNpmC77cg6vXLYCGUQHZyAqidN049RJ +F5T7j4N8Vniv17LiRdr0S6swy4PRvEnIPPV43EQHZqC5jVvHsKkhIfmBF/Dj5TXR +ypeawWV/m5jeU6/4HRYMfytBZdO1mPXuWLh0lgbQ4SCbgrOUVD3rniMk1yZIbQOm +vlDHYqekjDb/vOW2KxUQLG04aZMJ1mWfdbwG0CKQkSjISEDZ1l76vhM6mTM0fwXb +IvyFZ9yPPCle1mF5aSlxS2cmGuGVSRQaw8XF9fe3a9ACJJTr33HdSpyaZkKRAUzL +cKqLCl323daKv3NwwAT03Tj4iQM416ASMoiyfFa/2GWTKQVjddu8Crar7tGaf5xr +lig4DBmrBvdYA3njy72/RD71hLwmlRoCGU7dRuDr9O6KASUm1Ri91ONZ/qdjMvov +15l2vj4GV+KXR00dAgMBAAECggGAHepIL1N0dEQkCdpy+/8lH54L9WhpnOo2HqAf +LU9eaKK7d4jdr9+TkD8cLaPzltPrZNxVALvu/0sA4SP6J1wpyj/x6P7z73qzly5+ +Xo5PD4fEwmi9YaiW/UduAblnEZrnp/AddptJKoL/D5T4XtpiQddPtael4zQ7kB57 +YIexRSQTvEDovA/o3/nvA0TrzOxfgd4ycQP3iOWGN/TMzyLsvjydrUwbOB567iz9 +whL3Etdgvnwh5Sz2blbFfH+nAR8ctvFFz+osPvuIVR21VMEI6wm7kTpSNnQ6sh/c +lrLb/bTADn4g7z/LpIZJ+MrLvyEcoqValrLYeFBhM9CV8woPxvkO2P3pU47HVGax +tC7GV6a/kt5RoKFd/TNdiA3OC7NGZtaeXv9VkPf4fVwBtSO9d5ZZXTGEynDD/rUQ +U4KFJe6OD23APjse08HiiKqTPhsOneOONU67iqoaTdIkT2R4EdlkVEDpXVtWb+G9 +Q+IqYzVljlzuyHrhWXLJw/FMa2aBAoHBAOnZbi4gGpH+P6886WDWVgIlTccuXoyc +Mg9QQYk9UDeXxL0AizR5bZy49Sduegz9vkHpAiZARQsUnizHjZ8YlRcrmn4t6tx3 +ahTIKAjdprnxJfYINM580j8CGbXvX5LhIlm3O267D0Op+co3+7Ujy+cjsIuFQrP+ +1MqMgXSeBjzC1APivmps7HeFE+4w0k2PfN5wSMDNCzLo99PZuUG5XZ93OVOS5dpN +b+WskdcD8NOoJy/X/5A08veEI/jYO/DyqQKBwQDDwUQCOWf41ecvJLtBHKmEnHDz +ftzHino9DRKG8a9XaN4rmetnoWEaM2vHGX3pf3mwH+dAe8vJdAQueDhBKYeEpm6C +TYNOpou1+Zs5s99BilCTNYo8fkMOAyqwRwmz9zgHS6QxXuPwsghKefLJGt6o6RFF +tfWVTfLlYJ+I3GQe3ySsk3wjVz4oUTKiyiq5+KzD+HhEkS7u+RQ7Z0ZI2xd2cF8Y +aN2hjKDpcOiFf3CDoqka5D1qMNLgIHO52AHww1UCgcA1h7o7AMpURRka6hyaODY0 +A4oMYEbwdQjYjIyT998W+rzkbu1us6UtzQEBZ760npkgyU/epbOoV63lnkCC/MOU +LD0PST+L/CHiY/cWIHb79YG1EifUZKpUFg0Aoq0EGFkepF0MefGCkbRGYA5UZr9U +R80wAu9D+L+JJiS0J0BSRF74DL196zUuHt5zFeXuLzxsRtPAnq9DliS08BACRYZy +7H3I7cWD9Vn5/0jbKWHFcaaWwyETR6uekTcSzZzbCRECgcBeoE3/xUA9SSk34Mmj 
+7/cB4522Ft0imA3+9RK/qJTZ7Bd5fC4PKjOGNtUiqW/0L2rjeIiQ40bfWvWqgPKw +jSK1PL6uvkl6+4cNsFsYyZpiVDoe7wKju2UuoNlB3RUTqa2r2STFuNj2wRjA57I1 +BIgdnox65jqQsd14g/yaa+75/WP9CE45xzKEyrtvdcqxm0Pod3OrsYK+gikFjiar +kT0GQ8u0QPzh2tjt/2ZnIfOBrl+QYERP0MofDZDjhUdq2wECgcB0Lu841+yP5cdR +qbJhXO4zJNh7oWNcJlOuQp3ZMNFrA1oHpe9pmLukiROOy01k9WxIMQDzU5GSqRv3 +VLkYOIcbhJ3kClKAcM3j95SkKbU2H5/RENb3Ck52xtl4pNU1x/3PnVFZfDVuuHO9 +MZ9YBcIeK98MyP2jr5JtFKnOyPE7xKq0IHIhXadpbc2wjje5FtZ1cUtMyEECCXNa +C1TpXebHGyXGpY9WdWXhjdE/1jPvfS+uO5WyuDpYPr339gsdq1g= +-----END RSA PRIVATE KEY----- diff --git a/testdata/ratelimit.tdir/unbound_control.pem b/testdata/ratelimit.tdir/unbound_control.pem new file mode 100644 index 000000000000..a1edf7017f1d --- /dev/null +++ b/testdata/ratelimit.tdir/unbound_control.pem 
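Review bot: unbound_control.key, and unbound_server.key two sections further down, add RSA private keys to the repository, so anything these keys authenticate is only as private as the source tree and the pair must be treated as public. ratelimit.conf in this commit keeps `control-interface: 127.0.0.1`, which confines their use to the test host; a sentence in the `Description:` field of ratelimit.dsc stating that the key pair is a throwaway test fixture and must not be reused in a deployment would make that explicit for readers and for secret-scanning triage. If the harness permits it, generating the pair in ratelimit.pre with `unbound-control-setup -d .` would avoid committing key material at all; whether that tool is available in the test environment cannot be told from this diff.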
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDszCCAhsCFGD5193whHQ2bVdzbaQfdf1gc4SkMA0GCSqGSIb3DQEBCwUAMBIx +EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjMwWhcNNDAwMzI1MTMzMjMw +WjAaMRgwFgYDVQQDDA91bmJvdW5kLWNvbnRyb2wwggGiMA0GCSqGSIb3DQEBAQUA +A4IBjwAwggGKAoIBgQCy0Sn4/KHxcau1nvsDgWFiO9t4Hd0xrtDasZbGhvOUD2mv +OEDVoKEC9S0I4C4z6sHo1M0HxhZ9kltAdrDIw2mYLvtyDq9ctgIZRAdnICqJ03Tj +1EkXlPuPg3xWeK/XsuJF2vRLqzDLg9G8Scg89XjcRAdmoLmNW8ewqSEh+YEX8OPl +NdHKl5rBZX+bmN5Tr/gdFgx/K0Fl07WY9e5YuHSWBtDhIJuCs5RUPeueIyTXJkht +A6a+UMdip6SMNv+85bYrFRAsbThpkwnWZZ91vAbQIpCRKMhIQNnWXvq+EzqZMzR/ +Bdsi/IVn3I88KV7WYXlpKXFLZyYa4ZVJFBrDxcX197dr0AIklOvfcd1KnJpmQpEB +TMtwqosKXfbd1oq/c3DABPTdOPiJAzjXoBIyiLJ8Vr/YZZMpBWN127wKtqvu0Zp/ +nGuWKDgMGasG91gDeePLvb9EPvWEvCaVGgIZTt1G4Ov07ooBJSbVGL3U41n+p2My ++i/XmXa+PgZX4pdHTR0CAwEAATANBgkqhkiG9w0BAQsFAAOCAYEAd++Wen6l8Ifj +4h3p/y16PhSsWJWuJ4wdNYy3/GM84S26wGjzlEEwiW76HpH6VJzPOiBAeWnFKE83 +hFyetEIxgJeIPbcs9ZP/Uoh8GZH9tRISBSN9Hgk2Slr9llo4t1H0g/XTgA5HqMQU +9YydlBh43G7Vw3FVwh09OM6poNOGQKNc/tq2/QdKeUMtyBbLWpRmjH5XcCT35fbn +ZiVOUldqSHD4kKrFO4nJYXZyipRbcXybsLiX9GP0GLemc3IgIvOXyJ2RPp06o/SJ +pzlMlkcAfLJaSuEW57xRakhuNK7m051TKKzJzIEX+NFYOVdafFHS8VwGrYsdrFvD +72tMfu+Fu55y3awdWWGc6YlaGogZiuMnJkvQphwgn+5qE/7CGEckoKEsH601rqIZ +muaIc85+nEcHJeijd/ZlBN9zeltjFoMuqTUENgmv8+tUAdVm/UMY9Vjme6b43ydP +uv6DS02+k9z8toxXworLiPr94BGaiGV1NxgwZKLZigYJt/Fi2Qte +-----END CERTIFICATE----- diff --git a/testdata/ratelimit.tdir/unbound_server.key b/testdata/ratelimit.tdir/unbound_server.key new file mode 100644 index 000000000000..370a7bbb2f22 --- /dev/null +++ b/testdata/ratelimit.tdir/unbound_server.key 
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG5AIBAAKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI +0x41iG32a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+Nqq +GRS7XVQ24vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Z +uh9MDgotaBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8K +WaBe1ca4TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5 +FzUReSXZuTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xP +q6O9UPj4+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XL +A5UoZgRzXgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP +7kFZSngxdy1+A/bNAgMBAAECggGBALpTOIqQwVg4CFBylL/a8K1IWJTI/I65sklf +XxYL7G7SB2HlEJ//z+E+F0+S4Vlao1vyLQ5QkgE82pAUB8FoMWvY1qF0Y8A5wtm6 +iZSGk4OLK488ZbT8Ii9i+AGKgPe2XbVxsJwj8N4k7Zooqec9hz73Up8ATEWJkRz7 +2u7oMGG4z91E0PULA64dOi3l/vOQe5w/Aa+CwVbAWtI05o7kMvQEBMDJn6C7CByo +MB5op9wueJMnz7PM7hns+U7Dy6oE4ljuolJUy51bDzFWwoM54cRoQqLFNHd8JVQj +WxldCkbfF43iyprlsEcUrTyUjtdA+ZeiG39vg/mtdmgNpGmdupHJZQvSuG8IcVlz +O+eMSeQS1QXPD6Ik8UK4SU0h+zOl8xIWtRrsxQuh4fnTN40udm/YUWl/6gOebsBI +IrVLlKGqJSfB3tMjpCRqdTzJ0dA9keVpkqm2ugZkxEf1+/efq/rFIQ2pUBLCqNTN +qpNqruK8y8FphP30I2uI4Ej2UIB8AQKBwQDd2Yptj2FyDyaXCycsyde0wYkNyzGU +dRnzdibfHnMZwjgTjwAwgIUBVIS8H0/z7ZJQKN7osJfddMrtjJtYYUk9g/dCpHXs +bNh2QSoWah3FdzNGuWd0iRf9+LFxhjAAMo/FS8zFJAJKrFsBdCGTfFUMdsLC0bjr +YjiWBuvV72uKf8XIZX5KIZruKdWBBcWukcb21R1UDyFYyXRBsly5XHaIYKZql3km +7pV7MKWO0IYgHbHIqGUqPQlzZ/lkunS1jKECgcEA23wHffD6Ou9/x3okPx2AWpTr +gh8rgqbyo6hQkBW5Y90Wz824cqaYebZDaBR/xlVx/YwjKkohv8Bde2lpH/ZxRZ1Z +5Sk2s6GJ/vU0L9RsJZgCgj4L6Coal1NMxuZtCXAlnOpiCdxSZgfqbshbTVz30KsG +ZJG361Cua1ScdAHxlZBxT52/1Sm0zRC2hnxL7h4qo7Idmtzs40LAJvYOKekR0pPN +oWeJfra7vgx/jVNvMFWoOoSLpidVO4g+ot4ery6tAoHAdW3rCic1C2zdnmH28Iw+ +s50l8Lk3mz+I5wgJd1zkzCO0DxZIoWPGA3g7cmCYr6N3KRsZMs4W9NAXgjpFGDkW +zYsG3K21BdpvkdjYcFjnPVjlOXB2RIc0vehf9Jl02wXoeCSxVUDEPcaRvWk9RJYx +ZpGOchUU7vNkxHURbIJ4yCzuAi9G8/Jp0dsu+kaV5tufF5SjG5WOrzKjaQsCbdN1 +oqaWMCHRrTvov/Z2C+xwsptFOdN5CSyZzg6hQiI4GMlBAoHAXyb6KINcOEi0YMp3 
+BFXJ23tMTnEs78tozcKeipigcsbaqORK3omS+NEnj+uzKUzJyl4CsMbKstK2tFYS +mSTCHqgE3PBtIpsZtEqhgUraR8IK9GPpzZDTTl9ynZgwFTNlWw3RyuyVXF56J+T8 +kCGJ3hEHCHqT/ZRQyX85BKIDFhA0z4tYKxWVqIFiYBNq56R0X9tMMmMs36mEnF93 +7Ht6mowxTZQRa7nU0qOgeKh/P7ki4Zus3y+WJ+T9IqahLtlRAoHBAIhqMrcxSAB8 +RpB9jukJlAnidw2jCMPgrFE8tP0khhVvGrXMldxAUsMKntDIo8dGCnG1KTcWDI0O +jepvSPHSsxVLFugL79h0eVIS5z4huW48i9xgU8VlHdgAcgEPIAOFcOw2BCu/s0Vp +O+MM/EyUOdo3NsibB3qc/GJI6iNBYS7AljYEVo6rXo5V/MZvZUF4vClen6Obzsre +MTTb+4sJjfqleWuvr1XNMeu2mBfXBQkWGZP1byBK0MvD/aQ2PWq92A== +-----END RSA PRIVATE KEY----- diff --git a/testdata/ratelimit.tdir/unbound_server.pem b/testdata/ratelimit.tdir/unbound_server.pem new file mode 100644 index 000000000000..986807310f2b --- /dev/null +++ b/testdata/ratelimit.tdir/unbound_server.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDqzCCAhMCFBHWXeQ6ZIa9QcQbXLFfC6tj+KA+MA0GCSqGSIb3DQEBCwUAMBIx +EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjI5WhcNNDAwMzI1MTMzMjI5 +WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB +igKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI0x41iG32 +a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+NqqGRS7XVQ2 +4vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Zuh9MDgot +aBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8KWaBe1ca4 +TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5FzUReSXZ +uTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xPq6O9UPj4 ++nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XLA5UoZgRz +XgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP7kFZSngx +dy1+A/bNAgMBAAEwDQYJKoZIhvcNAQELBQADggGBABunf93MKaCUHiZgnoOTinsW +84/EgInrgtKzAyH+BhnKkJOhhR0kkIAx5d9BpDlaSiRTACFon9moWCgDIIsK/Ar7 +JE0Kln9cV//wiiNoFU0O4mnzyGUIMvlaEX6QHMJJQYvL05+w/3AAcf5XmMJtR5ca +fJ8FqvGC34b2WxX9lTQoyT52sRt+1KnQikiMEnEyAdKktMG+MwKsFDdOwDXyZhZg +XZhRrfX3/NVJolqB6EahjWIGXDeKuSSKZVtCyib6LskyeMzN5lcRfvubKDdlqFVF +qlD7rHBsKhQUWK/IO64mGf7y/de+CgHtED5vDvr/p2uj/9sABATfbrOQR3W/Of25 +sLBj4OEfrJ7lX8hQgFaxkMI3x6VFT3W8dTCp7xnQgb6bgROWB5fNEZ9jk/gjSRmD +yIU+r0UbKe5kBk/CmZVFXL2TyJ92V5NYEQh8V4DGy19qZ6u/XKYyNJL4ocs35GGe +CA8SBuyrmdhx38h1RHErR2Skzadi1S7MwGf1y431fQ== +-----END CERTIFICATE----- diff --git a/testdata/root_key_sentinel.rpl b/testdata/root_key_sentinel.rpl index 1b66c5aac77d..2310953adf0f 100644 --- a/testdata/root_key_sentinel.rpl +++ b/testdata/root_key_sentinel.rpl 
@@ -175,11 +175,11 @@ REPLY QR RD RA AD DO NXDOMAIN SECTION QUESTION root-key-sentinel-not-ta-20326. IN A SECTION AUTHORITY -. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2018042300 1800 900 604800 86400 -. 86400 IN RRSIG SOA 8 0 86400 20180506050000 20180423040000 39570 . LboVfcSRUSuBcZPpkkOO1N6KpGO6DBzOGL6UtSVUssycPzGIZctcIM0s Kb71iBf3rxFjNVlgCuNFb74WpCyRQ2coB2uUQXVA81A+P4Qb62/s3Nr2 pRGxayA1Y0Uq2M4CRkh3bjgn/cEcEFSWTl+xDVjZO8hX98JdQjYmrVui 4zEQhsMM03sqkmjkH88owibWK7HDl6O0n6Imer2hCsVTlFv7PSrBHlXP KntkIMDtbGHZW/BkKnA6P1jfAVfgXr70bRVaDRddLqJp3EX6EuR83osg 8q46170NgCMCKK3ePItJYF16SEADFKdOQs19CMTXAN7M1p4cnGk2yRG/ 68BmCg== . 86400 IN NSEC aaa. NS SOA RRSIG NSEC DNSKEY . 86400 IN RRSIG NSEC 8 0 86400 20180506050000 20180423040000 39570 . E1FeP4/GvcPksKXgas9pslduWU6+cqqSoJpgtCeymd6t7MORbnsQJdUo rjqbRtxvOOnv5g4uVZdv0krSc/eqw8HWEiCW0oZWYLcz+h8eI4htt4uv 8LciVgQn3Aspic2b8uWdPTJUPuc94esn5AJZDMK9VOTwZD2UVqbv/k9U 4LG0o56yRQshYTG2hiutFXLYmzFe2YmKct6G7W50O7s5hwxTqqRwv9av 1Q3UZUj/ZARNt9z53pygJsDPDX+L2q4lowtiHJCRPjijm8K3Bwb8uFsG 3YB20K9d3krack9c6gAMJzpgeuFQ/b2HxiZMJPvJ3tHqIhDn0U5qoZdT Xq0WTw== room. 86400 IN NSEC rs. NS DS RRSIG NSEC room. 86400 IN RRSIG NSEC 8 1 86400 20180506050000 20180423040000 39570 . Fmhf8s0yVixynVdO6VWLEctcvb7+3UK9gu+9BhUPBS0SNedhMwfyiYaR MzWU9P99gVYUT1G/vXRqbAabtD3Ccnt/ydUBguZq3pV5GL+7czeEbZ5z 8/LlS+wyw2OTe4DOKzBZ7oZAA/r/Tz2bhVA6kNyIKFXAmBXuh7I5Ty7H elbIWh7Lq7QjZwN9LL4M1kSNePH2cmS3Lu/scRf3m3fN/70sgoYzKNB7 +Hbi/YjXBbRIcj7tHA6iMoZLGPXRMJdb6NqJNIaDIDtOA95cFa4oRx2P usBW9lpXG0YY+KDm1J6UjxUP7TIn0yXt+c0vy2cz7zu++ZEkdU29WtBG dUQEaA== +. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2018042300 1800 900 604800 86400 +. 86400 IN RRSIG SOA 8 0 86400 20180506050000 20180423040000 39570 . 
LboVfcSRUSuBcZPpkkOO1N6KpGO6DBzOGL6UtSVUssycPzGIZctcIM0s Kb71iBf3rxFjNVlgCuNFb74WpCyRQ2coB2uUQXVA81A+P4Qb62/s3Nr2 pRGxayA1Y0Uq2M4CRkh3bjgn/cEcEFSWTl+xDVjZO8hX98JdQjYmrVui 4zEQhsMM03sqkmjkH88owibWK7HDl6O0n6Imer2hCsVTlFv7PSrBHlXP KntkIMDtbGHZW/BkKnA6P1jfAVfgXr70bRVaDRddLqJp3EX6EuR83osg 8q46170NgCMCKK3ePItJYF16SEADFKdOQs19CMTXAN7M1p4cnGk2yRG/ 68BmCg== ENTRY_END SCENARIO_END diff --git a/testdata/rpz_nsdname.rpl b/testdata/rpz_nsdname.rpl index 08ff3c2e2f5b..1c678cc13bad 100644 --- a/testdata/rpz_nsdname.rpl +++ b/testdata/rpz_nsdname.rpl @@ -348,7 +348,7 @@ ENTRY_END STEP 11 CHECK_ANSWER ENTRY_BEGIN MATCH all -REPLY QR RD RA NXDOMAIN +REPLY QR AA RD RA NXDOMAIN SECTION QUESTION gotham.aa. IN A SECTION ANSWER diff --git a/testdata/rpz_nsip.rpl b/testdata/rpz_nsip.rpl index ac132cae0996..34dbd9fef816 100644 --- a/testdata/rpz_nsip.rpl +++ b/testdata/rpz_nsip.rpl @@ -348,7 +348,7 @@ ENTRY_END STEP 11 CHECK_ANSWER ENTRY_BEGIN MATCH all -REPLY QR RD RA NXDOMAIN +REPLY QR AA RD RA NXDOMAIN SECTION QUESTION gotham.aa. IN A SECTION ANSWER diff --git a/testdata/rpz_signal_nxdomain_ra.rpl b/testdata/rpz_signal_nxdomain_ra.rpl new file mode 100644 index 000000000000..b89498cf9626 --- /dev/null +++ b/testdata/rpz_signal_nxdomain_ra.rpl 
@@ -0,0 +1,254 @@ +; config options +server: + module-config: "respip validator iterator" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no + access-control: 192.0.0.0/8 allow + +rpz: + name: "rpz.example.com." + rpz-signal-nxdomain-ra: yes + zonefile: +TEMPFILE_NAME rpz.example.com +TEMPFILE_CONTENTS rpz.example.com +$ORIGIN example.com. +rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. ( + 1379078166 28800 7200 604800 7200 ) + 3600 IN NS ns1.rpz.example.com. + 3600 IN NS ns2.rpz.example.com. +$ORIGIN rpz.example.com. +a.a CNAME . +b.a CNAME . +ns1.a.rpz-nsdname CNAME . +24.0.0.0.192.rpz-nsip CNAME . +24.0.3.0.192.rpz-client-ip CNAME . +TEMPFILE_END + +stub-zone: + name: "a." + stub-addr: 10.20.30.40 +CONFIG_END + +SCENARIO_BEGIN Test RPZ qname trigger and signal NXDOMAIN with unset RA. + +RANGE_BEGIN 0 100 + ADDRESS 10.20.30.40 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a. IN NS +SECTION ANSWER +a. IN NS ns.a. +SECTION ADDITIONAL +ns.a IN A 10.20.30.40 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a.a. IN TXT +SECTION ANSWER +a.a. IN TXT "upstream txt rr a.a." +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +b.a. IN TXT +SECTION ANSWER +b.a. IN TXT "upstream txt rr b.a." +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +c.a. IN TXT +SECTION ANSWER +c.a. IN CNAME b.a +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +d.a. IN NS +SECTION ANSWER +SECTION AUTHORITY +d.a. IN NS ns1.a. +SECTION ADDITIONAL +ns1.a. IN A 10.20.30.50 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +e.a. IN NS +SECTION ANSWER +SECTION AUTHORITY +e.a. IN NS ns2.a. +SECTION ADDITIONAL +ns2.a. 
IN A 192.0.0.5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +f.a. IN TXT +SECTION ANSWER +f.a. IN TXT "upstream txt rr f.a." +ENTRY_END + +RANGE_END + +RANGE_BEGIN 0 100 + ADDRESS 10.20.30.50 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +d.a. IN NS +SECTION ANSWER +d.a. IN NS ns1.a. +SECTION ADDITIONAL +ns1.a. IN A 10.20.30.50 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +d.d.a. IN TXT +SECTION ANSWER +d.d.a. IN TXT "upstream answer for d.d.a" +ENTRY_END + +RANGE_END + +RANGE_BEGIN 0 100 + ADDRESS 192.0.0.5 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +e.a. IN NS +SECTION ANSWER +e.a. IN NS ns2.a. +SECTION ADDITIONAL +ns2.a. IN A 192.0.0.5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +e.e.a. IN TXT +SECTION ANSWER +e.e.a. IN TXT "upstream answer for e.e.a" +ENTRY_END + +RANGE_END + +; qname trigger +STEP 10 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.a. IN TXT +ENTRY_END + +STEP 11 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD AA NXDOMAIN +SECTION QUESTION +a.a. IN TXT +SECTION ANSWER +ENTRY_END + +; qname trigger after cname +STEP 20 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c.a. IN TXT +ENTRY_END + +STEP 21 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD AA NXDOMAIN +SECTION QUESTION +c.a. IN TXT +SECTION ANSWER +c.a. IN CNAME b.a +ENTRY_END + +; nsdname trigger +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d.d.a. IN TXT +ENTRY_END + +STEP 31 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD AA NXDOMAIN +SECTION QUESTION +d.d.a. IN TXT +SECTION ANSWER +ENTRY_END + +; nsip trigger +STEP 40 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +e.e.a. IN TXT +ENTRY_END + +STEP 41 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD AA NXDOMAIN +SECTION QUESTION +e.e.a. 
IN TXT +SECTION ANSWER +ENTRY_END + +; clientip trigger +STEP 50 QUERY ADDRESS 192.0.3.1 +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +f.a. IN TXT +ENTRY_END + +STEP 51 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR AA RD NXDOMAIN +SECTION QUESTION +f.a. IN TXT +SECTION ANSWER +ENTRY_END + +SCENARIO_END diff --git a/testdata/stream_ssl.tdir/stream_ssl.clie.conf b/testdata/stream_ssl.tdir/stream_ssl.clie.conf index 4643c6d554fb..923ab1fb5171 100644 --- a/testdata/stream_ssl.tdir/stream_ssl.clie.conf +++ b/testdata/stream_ssl.tdir/stream_ssl.clie.conf @@ -16,3 +16,7 @@ server: forward-zone: name: "." forward-addr: "127.0.0.1@@SERVPORT@#unbound" + +forward-zone: + name: "test.host." + forward-host: "unbound.server@@SERVPORT@#unbound" diff --git a/testdata/stream_ssl.tdir/stream_ssl.serv.conf b/testdata/stream_ssl.tdir/stream_ssl.serv.conf index c77e39fc5d59..a5dfcf364ec3 100644 --- a/testdata/stream_ssl.tdir/stream_ssl.serv.conf +++ b/testdata/stream_ssl.tdir/stream_ssl.serv.conf @@ -10,6 +10,8 @@ server: username: "" do-not-query-localhost: yes local-data: "www.example.com. IN A 10.20.30.40" + local-data: "unbound.server. IN A 127.0.0.1" + local-data: "test.host. IN A 1.2.3.4" ssl-port: @SERVPORT@ ssl-service-key: "unbound_server.key" ssl-service-pem: "unbound_server.pem" diff --git a/testdata/stream_ssl.tdir/stream_ssl.test b/testdata/stream_ssl.tdir/stream_ssl.test index b5bc2d911b62..39972a844d21 100644 --- a/testdata/stream_ssl.tdir/stream_ssl.test +++ b/testdata/stream_ssl.tdir/stream_ssl.test 
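Review bot: Every CHECK_ANSWER in rpz_signal_nxdomain_ra.rpl (steps 11, 21, 31, 41 and 51) expects a policy NXDOMAIN with RA cleared, but no step checks that a reply no policy rule touches still has RA set, so a regression that clears RA on every reply would pass this scenario. A control query for `f.a. TXT` from the default client, placed before step 50, would cover that; the sketch below assumes the default test client address is outside 192.0.3.0/24 and that no other trigger in the zone matches f.a. The SCENARIO_BEGIN title also names only the qname trigger, although the steps cover nsdname, nsip and client-ip triggers as well.

```text
; control: no policy rule matches, RA must stay set
STEP 45 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
f.a. IN TXT
ENTRY_END

STEP 46 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
f.a. IN TXT
SECTION ANSWER
f.a. IN TXT "upstream txt rr f.a."
ENTRY_END
```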
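Review bot: In stream_ssl.clie.conf the new `forward-host: "unbound.server@@SERVPORT@#unbound"` carries the `#unbound` authentication name, but whether that name is actually verified depends on client settings outside this hunk (a CA bundle such as `tls-cert-bundle`). If verification is not enabled there, this zone exercises forward-host name resolution only, not certificate name checking. A comment above the zone saying which is intended would help, for example `# forward-host: name is looked up through the "." forwarder; serv.conf local-data maps unbound.server to 127.0.0.1`, which is what the stream_ssl.serv.conf hunk that follows appears to set up.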
@@ -73,4 +73,38 @@ else exit 1 fi +rm -f outfile + +# test client unbound (no SSL towards it, but it does SSL to the SSL service) +# test that forward-host notation also works. +echo "> dig test.host. A IN" +dig @127.0.0.1 -p $CLIE_PORT test.host. >outfile 2>&1 +if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + echo "SSLSERVICE" + cat unboundserv.log + echo "SSLCLIENT" + cat unboundclie.log + echo "Not OK" + exit 1 +else + echo "exit status OK" +fi +echo "> cat logfiles" +cat outfile +echo "SSLSERVICE" +cat unboundserv.log +echo "SSLCLIENT" +cat unboundclie.log +echo "> check answer" +if grep "1.2.3.4" outfile; then + echo "OK" +else + echo "Not OK" + exit 1 +fi + +rm -f outfile exit 0 diff --git a/testdata/test_ldnsrr.5 b/testdata/test_ldnsrr.5 index c6e7ea2ba549..2762ca82d327 100644 --- a/testdata/test_ldnsrr.5 +++ b/testdata/test_ldnsrr.5 @@ -172,3 +172,5 @@ uri.arpa. 3600 IN ZONEMD 2018100702 1 1 ( 1291b78ddf7669b1a39d014 root-servers.net. 3600000 IN ZONEMD 2018091100 1 1 ( f1ca0ccd91bd5573d9f431c00ee0101b2545c97602be0a97 8a3b11dbfc1c776d5b3e86ae3d973d6b5349ba7f04340f79 ) ; from ldns issue #121, 0.10m was parsed as 0.01m. foo. 12345 IN LOC 12 45 52.333 N 105 40 33.452 W -24m 0.1m 0.1m 0.1m +; from ldns issue #147, fix #148, tab between quoted strings. +foo 12345 IN HINFO "hohum" "weirdo" diff --git a/testdata/test_ldnsrr.c5 b/testdata/test_ldnsrr.c5 index f30aa0b7357c..e86532c3433e 100644 --- a/testdata/test_ldnsrr.c5 +++ b/testdata/test_ldnsrr.c5 @@ -212,3 +212,5 @@ uri.arpa. 3600 IN ZONEMD 2018100702 1 1 1291B78DDF7669B1A39D014D87626B709B55774C root-servers.net. 3600000 IN ZONEMD 2018091100 1 1 F1CA0CCD91BD5573D9F431C00EE0101B2545C97602BE0A978A3B11DBFC1C776D5B3E86AE3D973D6B5349BA7F04340F79 03666F6F00001D00010000303900100011111182BD2D4D69530BD400988D20 foo. 12345 IN LOC 12 45 52.333 N 105 40 33.452 W -24m 0.10m 0.10m 0.10m +03666F6F00000D000100003039000D05686F68756D0677656972646F +foo. 12345 IN HINFO "hohum" "weirdo" |
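Review bot: The answer check `grep "1.2.3.4" outfile` in stream_ssl.test treats each dot as a regex wildcard and is unanchored, so it succeeds on any line of dig output where those digits appear with arbitrary separators. `if grep -F "1.2.3.4" outfile; then` pins the literal address, and a pattern that matches the whole `test.host.` A record line would be stricter still. `$CLIE_PORT` is also unquoted in the dig call, where `-p "$CLIE_PORT"` is the safer form. The if/else that the first context lines close begins above this hunk.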
