4551. [test] Add system tests for integrity checks of MX and

SRV records. [RT #43953] (cherry picked from commit 750619b7a8)
2026-03-07 07:50:29 -05:00 · 2017-01-12 13:29:45 +11:00 · 2017-01-12 13:29:45 +11:00 · 7033d7027e
commit 7033d7027e
parent 0cc74d59ab
7 changed files with 282 additions and 12 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+4551.	[test]		Add system tests for integrity checks of MX and
+			SRV records. [RT #43953]
+
 4550.	[cleanup]	Increased the number of available master file
 			output style flags from 32 to 64. [RT #44043]

--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@ -76,18 +76,15 @@ SAMPLEUPDATE=$TOP/lib/samples/sample-update
 SUBDIRS="acl additional allow_query addzone autosign builtin
 	 cacheclean case checkconf @CHECKDS@ checknames checkzone
 	 @COVERAGE@ database delv digdelv dlv dlvauto dlz dlzexternal
-	 dlzredir dname dns64 dnssec dsdigest dscp
-	 ecdsa ednscompliance emptyzones
-	 fetchlimit filter-aaaa formerr forward
-         geoip glue gost ixfr inline
-         legacy limits logfileconfig lwresd
-	 masterfile masterformat metadata notify nslookup nsupdate pending
-	 @PKCS11_TEST@ reclimit redirect resolver rndc rpz rpzrecurse
-	 rrl rrchecker rrsetorder rsabigexponent
-         sit smartsign sortlist spf staticstub statistics statschannel stub
-         tcp tkey tsig tsiggss
-	 unknown upforwd verify views wildcard xfer xferquota zero
-	 zonechecks"
+	 dlzredir dname dns64 dnssec dsdigest dscp ecdsa ednscompliance
+	 emptyzones fetchlimit filter-aaaa formerr forward geoip
+	 glue gost ixfr inline integrity legacy limits logfileconfig
+	 lwresd masterfile masterformat metadata notify nslookup
+	 nsupdate pending @PKCS11_TEST@ reclimit redirect resolver
+	 rndc rpz rpzrecurse rrl rrchecker rrsetorder rsabigexponent
+	 sit smartsign sortlist spf staticstub statistics statschannel
+	 stub tcp tkey tsig tsiggss unknown upforwd verify views
+	 wildcard xfer xferquota zero zonechecks"

 # Things that are different on Windows
 KILL=kill
--- a/bin/tests/system/integrity/clean.sh
+++ b/bin/tests/system/integrity/clean.sh
@ -0,0 +1,9 @@
+#!/bin/sh
+#
+# Copyright (C) 2016  Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+rm -f dig.out.test*
--- a/bin/tests/system/integrity/ns1/mx-cname.db
+++ b/bin/tests/system/integrity/ns1/mx-cname.db
@ -0,0 +1,12 @@
+; Copyright (C) 2016  Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+$TTL	3600
+@	SOA	ns1 hostmaster 0 0 0 0 0
+@	NS	ns1
+@	MX	0 cname
+ns1	A	10.53.0.1
+cname	CNAME	ns1
--- a/bin/tests/system/integrity/ns1/named.conf
+++ b/bin/tests/system/integrity/ns1/named.conf
@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2016  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	ixfr-from-differences yes;
+	check-integrity no;
+};
+
+include "../../common/controls.conf";
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "mx-cname-fail" {
+	type master;
+	check-integrity yes;
+	check-mx-cname fail;
+	file "mx-cname.db";
+};
+
+zone "mx-cname-warn" {
+	type master;
+	check-integrity yes;
+	check-mx-cname warn;
+	file "mx-cname.db";
+};
+
+zone "mx-cname-ignore" {
+	type master;
+	check-integrity yes;
+	check-mx-cname ignore;
+	file "mx-cname.db";
+};
+
+zone "no-mx-cname-fail" {
+	type master;
+	check-integrity no;
+	check-mx-cname fail;
+	file "mx-cname.db";
+};
+
+zone "no-mx-cname-warn" {
+	type master;
+	check-integrity no;
+	check-mx-cname warn;
+	file "mx-cname.db";
+};
+
+zone "no-mx-cname-ignore" {
+	type master;
+	check-integrity no;
+	check-mx-cname ignore;
+	file "mx-cname.db";
+};
+
+zone "srv-cname-fail" {
+	type master;
+	check-integrity yes;
+	check-srv-cname fail;
+	file "srv-cname.db";
+};
+
+zone "srv-cname-warn" {
+	type master;
+	check-integrity yes;
+	check-srv-cname warn;
+	file "srv-cname.db";
+};
+
+zone "srv-cname-ignore" {
+	type master;
+	check-integrity yes;
+	check-srv-cname ignore;
+	file "srv-cname.db";
+};
+zone "no-srv-cname-fail" {
+	type master;
+	check-integrity no;
+	check-srv-cname fail;
+	file "srv-cname.db";
+};
+
+zone "no-srv-cname-warn" {
+	type master;
+	check-integrity no;
+	check-srv-cname warn;
+	file "srv-cname.db";
+};
+
+zone "no-srv-cname-ignore" {
+	type master;
+	check-integrity no;
+	check-srv-cname ignore;
+	file "srv-cname.db";
+};
--- a/bin/tests/system/integrity/ns1/srv-cname.db
+++ b/bin/tests/system/integrity/ns1/srv-cname.db
@ -0,0 +1,12 @@
+; Copyright (C) 2016  Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+$TTL	3600
+@	SOA	ns1 hostmaster 0 0 0 0 0
+@	NS	ns1
+@	SRV	0 0 0 cname
+ns1	A	10.53.0.1
+cname	CNAME	ns1
--- a/bin/tests/system/integrity/tests.sh
+++ b/bin/tests/system/integrity/tests.sh
@ -0,0 +1,124 @@
+#!/bin/sh
+#
+# Copyright (C) 2016  Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=1
+
+echo "I:check that 'check-integrity yes; check-mx-cname fail;' works ($n)"
+ret=0
+$DIG -p 5300 @10.53.0.1 mx mx-cname-fail > dig.out.test$n || ret=1
+grep "status: SERVFAIL," dig.out.test$n > /dev/null || ret=1
+grep "zone mx-cname-fail/IN: mx-cname-fail/MX 'cname.mx-cname-fail' is a CNAME (illegal)" ns1/named.run > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:check that 'check-integrity yes; check-mx-cname warn;' works ($n)"
+ret=0
+$DIG -p 5300 @10.53.0.1 mx mx-cname-warn > dig.out.test$n || ret=1
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+grep "zone mx-cname-warn/IN: mx-cname-warn/MX 'cname.mx-cname-warn' is a CNAME (illegal)" ns1/named.run > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:check that 'check-integrity yes; check-mx-cname ignore;' works ($n)"
+ret=0
+$DIG -p 5300 @10.53.0.1 mx mx-cname-ignore > dig.out.test$n || ret=1
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+grep "zone mx-cname-ignore/IN: mx-cname-ignore/MX 'cname.mx-cname-ignore' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:check that 'check-integrity no; check-mx-cname fail;' works ($n)"
+ret=0
+$DIG -p 5300 @10.53.0.1 mx no-mx-cname-fail > dig.out.test$n || ret=1
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+grep "zone no-mx-cname-fail/IN: no-mx-cname-fail/MX 'cname.no-mx-cname-fail' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:check that 'check-integrity no; check-mx-cname warn;' works ($n)"
+ret=0
+$DIG -p 5300 @10.53.0.1 mx no-mx-cname-warn > dig.out.test$n || ret=1
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+grep "zone no-mx-cname-warn/IN: no-mx-cname-warn/MX 'cname.no-mx-cname-warn' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:check that 'check-integrity no; check-mx-cname ignore;' works ($n)"
+ret=0
+$DIG -p 5300 @10.53.0.1 mx no-mx-cname-ignore > dig.out.test$n || ret=1
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+grep "zone no-mx-cname-ignore/IN: no-mx-cname-ignore/MX 'cname.no-mx-cname-ignore' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:check that 'check-integrity yes; check-srv-cname fail;' works ($n)"
+ret=0
+$DIG -p 5300 @10.53.0.1 srv srv-cname-fail > dig.out.test$n || ret=1
+grep "status: SERVFAIL," dig.out.test$n > /dev/null || ret=1
+grep "zone srv-cname-fail/IN: srv-cname-fail/SRV 'cname.srv-cname-fail' is a CNAME (illegal)" ns1/named.run > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:check that 'check-integrity yes; check-srv-cname warn;' works ($n)"
+ret=0
+$DIG -p 5300 @10.53.0.1 srv srv-cname-warn > dig.out.test$n || ret=1
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+grep "zone srv-cname-warn/IN: srv-cname-warn/SRV 'cname.srv-cname-warn' is a CNAME (illegal)" ns1/named.run > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:check that 'check-integrity yes; check-srv-cname ignore;' works ($n)"
+ret=0
+$DIG -p 5300 @10.53.0.1 srv srv-cname-ignore > dig.out.test$n || ret=1
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+grep "zone srv-cname-ignore/IN: srv-cname-ignore/SRV 'cname.srv-cname-ignore' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:check that 'check-integrity no; check-srv-cname fail;' works ($n)"
+ret=0
+$DIG -p 5300 @10.53.0.1 srv no-srv-cname-fail > dig.out.test$n || ret=1
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+grep "zone no-srv-cname-fail/IN: no-srv-cname-fail/SRV 'cname.no-srv-cname-fail' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:check that 'check-integrity no; check-srv-cname warn;' works ($n)"
+ret=0
+$DIG -p 5300 @10.53.0.1 srv no-srv-cname-warn > dig.out.test$n || ret=1
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+grep "zone no-srv-cname-warn/IN: no-srv-cname-warn/SRV 'cname.no-srv-cname-warn' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:check that 'check-integrity no; check-srv-cname ignore;' works ($n)"
+ret=0
+$DIG -p 5300 @10.53.0.1 srv no-srv-cname-ignore > dig.out.test$n || ret=1
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+grep "zone no-srv-cname-ignore/IN: no-srv-cname-ignore/SRV 'cname.no-srv-cname-ignore' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:exit status: $status"
+test $status -eq 0 || exit 1