From 7f73e68730db0cecea6b73685db2cb4e5006ca29 Mon Sep 17 00:00:00 2001 From: Artem Boldariev Date: Mon, 29 Nov 2021 12:50:35 +0200 Subject: [PATCH] Add transport-acl system test This commit adds a new system-test: transport-acl system test. It is intended to test the new, extended syntax for ACLs, the one where port or transport protocol can be specified. Currently, it includes the tests only using allow-transfer statement, as this extended syntax is used only there, at least for now. --- bin/tests/system/Makefile.am | 1 + bin/tests/system/transport-acl/clean.sh | 22 +++ .../system/transport-acl/ns1/named.conf.in | 127 ++++++++++++++++++ .../system/transport-acl/self-signed-cert.pem | 28 ++++ .../system/transport-acl/self-signed-key.pem | 40 ++++++ bin/tests/system/transport-acl/setup.sh | 19 +++ bin/tests/system/transport-acl/tests.sh | 120 +++++++++++++++++ util/copyrights | 5 + 8 files changed, 362 insertions(+) create mode 100644 bin/tests/system/transport-acl/clean.sh create mode 100644 bin/tests/system/transport-acl/ns1/named.conf.in create mode 100644 bin/tests/system/transport-acl/self-signed-cert.pem create mode 100644 bin/tests/system/transport-acl/self-signed-key.pem create mode 100644 bin/tests/system/transport-acl/setup.sh create mode 100644 bin/tests/system/transport-acl/tests.sh diff --git a/bin/tests/system/Makefile.am b/bin/tests/system/Makefile.am index f47678ba59..5fe5b2d833 100644 --- a/bin/tests/system/Makefile.am +++ b/bin/tests/system/Makefile.am @@ -157,6 +157,7 @@ TESTS += \ synthfromdnssec \ tkey \ tools \ + transport-acl \ tsig \ tsiggss \ ttl \ diff --git a/bin/tests/system/transport-acl/clean.sh b/bin/tests/system/transport-acl/clean.sh new file mode 100644 index 0000000000..bd6739e94e --- /dev/null +++ b/bin/tests/system/transport-acl/clean.sh @@ -0,0 +1,22 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Clean up after zone transfer tests. +# + +rm -f ./*/named.conf +rm -f ./*/named.memstats +rm -f ./*/named.run +rm -f ./*/named.run.prev +rm -f ./dig.out.* +rm -f ./*/example.db +rm -rf ./headers.* diff --git a/bin/tests/system/transport-acl/ns1/named.conf.in b/bin/tests/system/transport-acl/ns1/named.conf.in new file mode 100644 index 0000000000..e46130f024 --- /dev/null +++ b/bin/tests/system/transport-acl/ns1/named.conf.in @@ -0,0 +1,127 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +tls self-signed { + cert-file "../self-signed-cert.pem"; + key-file "../self-signed-key.pem"; +}; + +options { + pid-file "named.pid"; + ## + # generic test + listen-on port @PORT@ { 10.53.0.1; }; + listen-on port @TLSPORT@ tls self-signed { 10.53.0.1; }; + # test #1 + listen-on port @EXTRAPORT1@ { 10.53.0.1; }; + listen-on port @EXTRAPORT1@ tls self-signed { 10.53.0.2; }; + listen-on port @EXTRAPORT2@ { 10.53.0.1; }; + listen-on port @EXTRAPORT2@ tls self-signed { 10.53.0.2; }; + # test #2 + listen-on port @EXTRAPORT1@ { 10.53.0.3; }; + listen-on port @EXTRAPORT2@ { 10.53.0.3; }; + listen-on port @EXTRAPORT1@ tls self-signed { 10.53.0.4; }; + listen-on port @EXTRAPORT2@ tls self-signed { 10.53.0.4; }; + # test #3 + listen-on port @EXTRAPORT3@ tls self-signed { 10.53.0.3; }; + listen-on port @EXTRAPORT4@ tls self-signed { 10.53.0.3; }; + listen-on port @EXTRAPORT3@ { 10.53.0.4; }; + listen-on port @EXTRAPORT4@ { 10.53.0.4; }; + # test #4 + listen-on port @EXTRAPORT1@ { 10.53.0.5; }; + listen-on port @EXTRAPORT2@ { 10.53.0.5; }; + listen-on port @EXTRAPORT1@ tls self-signed { 10.53.0.6; }; + # test #5 + listen-on port @EXTRAPORT3@ tls self-signed { 10.53.0.1; }; + listen-on port @EXTRAPORT4@ tls self-signed { 10.53.0.1; }; + listen-on port @EXTRAPORT3@ { 10.53.0.2; }; + # test #6 + listen-on port @EXTRAPORT5@ { 10.53.0.1; }; + # test #7 + listen-on port @EXTRAPORT6@ tls self-signed { 10.53.0.1; }; + # test #7 + listen-on port @EXTRAPORT7@ tls self-signed { 10.53.0.1; }; + # test #8 + listen-on port @EXTRAPORT8@ { 10.53.0.1; }; + ## + listen-on-v6 { none; }; + recursion no; + notify explicit; + statistics-file "named.stats"; + dnssec-validation yes; + tcp-initial-timeout 1200; +}; + +zone "example0" { + type primary; + file "example.db"; + allow-transfer port @TLSPORT@ transport tls { any; }; +}; + +zone "example1" { + type primary; + file "example.db"; + allow-transfer port @EXTRAPORT1@ { any; }; +}; + +zone "example2" { + type primary; + file "example.db"; + allow-transfer transport tcp { any; }; +}; + +zone "example3" { + type primary; + file "example.db"; + allow-transfer transport tls { any; }; +}; + +zone "example4" { + type primary; + file "example.db"; + allow-transfer port @EXTRAPORT1@ transport tcp { any; }; +}; + +zone "example5" { + type primary; + file "example.db"; + allow-transfer port @EXTRAPORT3@ transport tls { any; }; +}; + +zone "example6" { + type primary; + file "example.db"; + allow-transfer port @EXTRAPORT5@ transport tcp { 10.53.0.7; 10.53.0.8; 10.53.0.9; }; +}; + +zone "example7" { + type primary; + file "example.db"; + allow-transfer port @EXTRAPORT6@ transport tls { 10.53.0.7; 10.53.0.8; 10.53.0.9; }; +}; + +zone "example8" { + type primary; + file "example.db"; + allow-transfer port @EXTRAPORT7@ transport tls { 10.53.0.1; 10.53.0.2; 10.53.0.3; }; +}; + +zone "example9" { + type primary; + file "example.db"; + allow-transfer port @EXTRAPORT8@ transport tcp { 10.53.0.7; !10.53.0.8; 10.53.0.9; }; +}; diff --git a/bin/tests/system/transport-acl/self-signed-cert.pem b/bin/tests/system/transport-acl/self-signed-cert.pem new file mode 100644 index 0000000000..d56935317f --- /dev/null +++ b/bin/tests/system/transport-acl/self-signed-cert.pem @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEwTCCAymgAwIBAgIUJm/nnhqH3omkx9PqEyewJhYg/sQwDQYJKoZIhvcNAQEL +BQAwbzELMAkGA1UEBhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4G +A1UEBwwHS2hhcmtpdjEMMAoGA1UECgwDSVNDMQ8wDQYDVQQLDAZTVy1FbmcxFTAT +BgNVBAMMDHRlc3QuaXNjLm9yZzAgFw0yMTExMjkxMTQ0MDRaGA8yMTIxMTEzMDEx +NDQwNFowbzELMAkGA1UEBhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQ +MA4GA1UEBwwHS2hhcmtpdjEMMAoGA1UECgwDSVNDMQ8wDQYDVQQLDAZTVy1Fbmcx +FTATBgNVBAMMDHRlc3QuaXNjLm9yZzCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCC +AYoCggGBAM8hzYSedQFajsjJKVnZ3BeWLOGULJO2ixQZ/vMnAk6q5a6JFST5DYVA +G84S8GKzswZibNNuKJnuuQO3mBE2+Pioc+vxtewxlzbcQ2EaKgbx5IVezzHtQUYw +WUUdSv7ViKOVeaI9jvXqpYUbbtLogSVkPB+/oWU1Wu4y/TkXc4wEqBxQx+P4kNnj +stCP7r5HMkvBqQgmod5rjqLFohtIQbEhjSBaoK+td25vWUvfG/isduiKx52tC4k3 +CBnBOIfvgkNmJk5Rh3RufbiyBSCtgBcH3wp9VSByqC7roFQqzBkZm0aCmuggNmXb +OXU7klEyVmAeiqLvfQSkjNsDmlaTsHCszgIB9RPA4f07KV62uFsdOu0K48yXBnEa +nZeIFqwuTS+PU7T+SnWQGoJLDvCa6IPERqk+5j94BET84/z942WLVqSLlqAoa1rF +5686m2Dgj10SRUpE99bmVg+HZRwO/ZbkLgu+tILqpYpnKP6n8FDpjW0Jnl77uw9S +UeAvbGyw5QIDAQABo1MwUTAdBgNVHQ4EFgQUJV5YRDD9iF+uz9AFx5fA86CtlVQw +HwYDVR0jBBgwFoAUJV5YRDD9iF+uz9AFx5fA86CtlVQwDwYDVR0TAQH/BAUwAwEB +/zANBgkqhkiG9w0BAQsFAAOCAYEAi8sOMYGFs6n1C23vXorx5Zbbym5QkUVgYbxe +9VaBy0Y/PgvXaxtz8zytbtFhyU5izXNZ7k8A4vnJ/TGxoIj503ArBMZj+CiwIBVI +yMzheDp+MY4F19OIy/TsQglYeOEhK/PA9uj5GZYE1Ar6Qck4wl2vk3iaTMsaniyV +zPqCiso2YDLISSvF3nvLcTQ8nX6JyYR/3J0t5biLcissPvubgzguoULRn2VwWw/7 +MaRXXPMTBTyCAylJrSgfBKvYmJcnHHocTAZkGElDaYHfALlR+5K9wi/QYwz3kFpN +mS55yjSBlPPxH0rZw8fOdCLNbyzPjP+aXXoTUJa5/X7RNGKQTcuohektsuU1quxo +lugrRYjhiytqBUek3qtBJfmX28LnfZHyKpDpHO6wykQS7FTWb69c6tvAzlwFbH7o +onyhZz1Z2iXw4u7N4nTlj1VqHVMiEr2KUfxtOm5HQ7tZFSaWIA0HfIRB7WD3Escz +DY3Bbu9bS711Yywp+NpvOqBSvMon +-----END CERTIFICATE----- diff --git a/bin/tests/system/transport-acl/self-signed-key.pem b/bin/tests/system/transport-acl/self-signed-key.pem new file mode 100644 index 0000000000..5d9748bac7 --- /dev/null +++ b/bin/tests/system/transport-acl/self-signed-key.pem @@ -0,0 +1,40 @@ +-----BEGIN PRIVATE KEY----- +MIIG/AIBADANBgkqhkiG9w0BAQEFAASCBuYwggbiAgEAAoIBgQDPIc2EnnUBWo7I +ySlZ2dwXlizhlCyTtosUGf7zJwJOquWuiRUk+Q2FQBvOEvBis7MGYmzTbiiZ7rkD +t5gRNvj4qHPr8bXsMZc23ENhGioG8eSFXs8x7UFGMFlFHUr+1YijlXmiPY716qWF +G27S6IElZDwfv6FlNVruMv05F3OMBKgcUMfj+JDZ47LQj+6+RzJLwakIJqHea46i +xaIbSEGxIY0gWqCvrXdub1lL3xv4rHboisedrQuJNwgZwTiH74JDZiZOUYd0bn24 +sgUgrYAXB98KfVUgcqgu66BUKswZGZtGgproIDZl2zl1O5JRMlZgHoqi730EpIzb +A5pWk7BwrM4CAfUTwOH9OyletrhbHTrtCuPMlwZxGp2XiBasLk0vj1O0/kp1kBqC +Sw7wmuiDxEapPuY/eARE/OP8/eNli1aki5agKGtaxeevOptg4I9dEkVKRPfW5lYP +h2UcDv2W5C4LvrSC6qWKZyj+p/BQ6Y1tCZ5e+7sPUlHgL2xssOUCAwEAAQKCAYAy +VN9wy2RZKN0rUx5WNAc0QAy13+CZIDFZeBuokCESZpqbN7pImrA7YeGfyKBbC5mE +AqS5F7qL9SNGEPXFsRr8qUpJ2hk/xKke7pT84nO17k9+TRSB6EoFOThn//86Pz8N +qQO+dcDoZtVDq+/ZFiBTqrClclZQlo969C7uEZHFQ1hqUQLRlZP1LkxEO8VivUAu +gmeFkIWi23X0fZuvj3ZPCX0WkI8dQUSVND95nURZv+bBCQAKg4MbG6E/SOFovrzz +ohKK2zqSU+ncfWROYX/ulKMJKIhOKtxkprBnj2nSemTUEf5gDk9oDqsYClGmEcSL +XvNxq3WpVt4u7Fsr1QZ6fh/IYIQnKvI/H0wwYojtzkh3FGdb/K0dnKeoebUqlc9Q +4UwKGshhcbk2130t/zIdd5wnL5uj+xjh0cYSO5JqlcZwXC97SWDmEowCo8M/k8ie +c9cQeIOXUKvT3DvnEh1LAtfI8gW3g9GVHad4k25dQ4ZSiyXsKL2+mOWn+4WmQx0C +gcEA6UqykoDp2j6nfMA+5fEfNOplyXJMyTBxMoaFb+cO8P2qjjKOMyLJewXqW/3g +wWaPcl3dGVCPaqmQxf+fDEarSkDxkroN02YaQy3xdAAZvoUDc00VKq9BFe3TZEuP +7/sN3t3Ey7K5KVyKgh4cGPqSCCXrk3OPCyiRFxWa4wQAXuntT1iXkXGzXuoDPzCH +xWRiM+z3se6PdoPXMbJhuL04b4CIUmHSrGbqtO5bi6IDOksIhaKMFs4c7escSF+7 +jj0zAoHBAONLPcUT9uhzMIXe9BBdRYms65G3VjsTbS8MC/QiR6nl5/evQb0hDp0G +/tbLf9F9QVMA2onhK1mjafHFC4oVrwrLT+VZezKsQm3ICoqOFqxL+6dAu93A2dDA +99YCc6pCrmagaDpA5tz1UwBwA77pl2aMV2g7iIe2p+hmL6dx6Tp8jN+Mu0KXViyT +gPG9LITJQSu13EZgRukNnYu7+L2+NWfyGCbfCJ5/2qXmryjefoboR48sa8jZyUmQ +rf/VAG3phwKBwDE/lqD82+E5tsvMHbsXAtp93Q0AtxsFwe/DnCm6YloXgsjP/Vro +LhZtckMHPko1p3SiQgmVCyGeODTEOMQzqvda7GRoKIEHHeYurbkqSEUC+W5+yEgh +hSDm+uhCV1l26z+wG1pRGWuU4JyFVLMlOmzD7I5NJ9ZYMwDni7H+50EiKvnEHwMS +OKaByjutuAvAnEaP8N48GUcQn/4axSxlraNERAL4KaxBcazOYL8CbaIBswPbA63Q +xySmrGrO4t4tJwKBwGITmnDKv5Tn930cimXxSUsyAWgcGypcpJVTdmj+zbuDCAg5 +aH1qoTqixR38K4hCqwhc6u/p6GHCgLmhU+xelOxsdGo7pUxlRjjGw72ruB7anpk5 +9pamW5aXXZnL7wr9wPFpr+/LB5M6jHk43HTpqLnIPwMsBSrCZ0uBpHh1T7U7/zGL +MVZ3pOiRMWeeQHJ/wQ5SZ906N/7iMCQWlSuSwsq6jS9guABknP1PQC+7ag9edVpT +SaMeTpvewSYOTCQhSwKBwEmZP/Jh76G3bETPSPcIyPB0vgYmYiAftmvtwHzUL14V +dOfNbwXF6WiepSceLbw99LNpMwfRfKBGVDLRhKMqL7QR8ZKNew5AvfXVZ1yDNKu+ +/4hqFLUhsAARsfNofAzvKOtWmghVBzO9TauAyv3prFgjfvDkA+EZ2amDvXChkP/Q +7ck2aIUu9Sr4kPTUigIRlu6c18QQiLobXC7yKx6GhEpJsh9xGHHDJqkG16l+u1ju +bEd5UJArJoST5lff5y7MyQ== +-----END PRIVATE KEY----- diff --git a/bin/tests/system/transport-acl/setup.sh b/bin/tests/system/transport-acl/setup.sh new file mode 100644 index 0000000000..a54dba7732 --- /dev/null +++ b/bin/tests/system/transport-acl/setup.sh @@ -0,0 +1,19 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck disable=SC1091 +. ../conf.sh + +$SHELL clean.sh + +$SHELL "${TOP_SRCDIR}"/bin/tests/system/genzone.sh 2 > ns1/example.db + +copy_setports ns1/named.conf.in ns1/named.conf diff --git a/bin/tests/system/transport-acl/tests.sh b/bin/tests/system/transport-acl/tests.sh new file mode 100644 index 0000000000..339ad41c58 --- /dev/null +++ b/bin/tests/system/transport-acl/tests.sh @@ -0,0 +1,120 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck disable=SC1091 +. ../conf.sh + +dig_out_basename="dig.out.test" +testing="testing allow-transfer transport ACL functionality" + +dig_with_opts() { + # shellcheck disable=SC2086 + "$DIG" +noadd +nosea +nostat +noquest +nocmd "$@" +} + +status=0 +n=0 + +run_dig_test () { + test_message="$1" + shift + n=$((n+1)) + echo_i "$test_message ($n)" + ret=0 + dig_with_opts "$@" > "$dig_out_basename$n" || ret=1 +} + +run_dig_expect_axfr_success () { + run_dig_test "$@" + grep "; Transfer failed" "$dig_out_basename$n" > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +} + +run_dig_expect_axfr_failure () { + run_dig_test "$@" + grep "; Transfer failed" "$dig_out_basename$n" > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +} + +# generic tests +run_dig_expect_axfr_success "$testing for XoT" -p "${TLSPORT}" +tls -b 10.53.0.10 @10.53.0.1 axfr example0 + +run_dig_expect_axfr_failure "$testing XFR via TCP (failure expected)" -p "${PORT}" +tcp -b 10.53.0.10 @10.53.0.1 axfr example0 + +# 1. Test allow-transfer port X, transfer works with TCP and TLS on port X but not port Y. + +run_dig_expect_axfr_success "$testing for XFR via TCP" -p "${EXTRAPORT1}" +tcp -b 10.53.0.10 @10.53.0.1 axfr example1 + +run_dig_expect_axfr_success "$testing for XoT" -p "${EXTRAPORT1}" +tls -b 10.53.0.10 @10.53.0.2 axfr example1 + +run_dig_expect_axfr_failure "$testing for XFR via TCP (failure expected)" -p "${EXTRAPORT2}" +tcp -b 10.53.0.10 @10.53.0.1 axfr example1 + +run_dig_expect_axfr_failure "$testing for XoT (failure expected)" -p "${EXTRAPORT2}" +tls -b 10.53.0.10 @10.53.0.2 axfr example1 + +# 2. Test allow-transfer transport tcp, transfer works with TCP on any port but not TLS. + +run_dig_expect_axfr_success "$testing for XFR via TCP" -p "${EXTRAPORT1}" +tcp -b 10.53.0.10 @10.53.0.3 axfr example2 + +run_dig_expect_axfr_success "$testing for XFR via TCP" -p "${EXTRAPORT2}" +tcp -b 10.53.0.10 @10.53.0.3 axfr example2 + +run_dig_expect_axfr_failure "$testing for XoT (failure expected)" -p "${EXTRAPORT1}" +tls -b 10.53.0.10 @10.53.0.4 axfr example2 + +run_dig_expect_axfr_failure "$testing for XoT (failure expected)" -p "${EXTRAPORT2}" +tls -b 10.53.0.10 @10.53.0.4 axfr example2 + +# 3. Test allow-transfer transport tls, transfer works with TLS on any port but not TCP. +run_dig_expect_axfr_success "$testing for XoT" -p "${EXTRAPORT3}" +tls -b 10.53.0.10 @10.53.0.3 axfr example3 + +run_dig_expect_axfr_success "$testing for XoT" -p "${EXTRAPORT4}" +tls -b 10.53.0.10 @10.53.0.3 axfr example3 + +run_dig_expect_axfr_failure "$testing for XFR via TCP (failure expected)" -p "${EXTRAPORT3}" +tcp -b 10.53.0.10 @10.53.0.4 axfr example3 + +run_dig_expect_axfr_failure "$testing for XFR via TCP (failure expected)" -p "${EXTRAPORT4}" +tcp -b 10.53.0.10 @10.53.0.4 axfr example3 + +# 4. Test allow-transfer port X transport tcp, transfer works with TCP on port X but not port Y and not with TLS on port X. + +run_dig_expect_axfr_success "$testing for XFR via TCP" -p "${EXTRAPORT1}" +tcp -b 10.53.0.10 @10.53.0.5 axfr example4 + +run_dig_expect_axfr_failure "$testing for XFR via TCP (failure expected)" -p "${EXTRAPORT2}" +tcp -b 10.53.0.10 @10.53.0.5 axfr example4 + +run_dig_expect_axfr_failure "$testing for XoT (failure expected)" -p "${EXTRAPORT1}" +tls -b 10.53.0.10 @10.53.0.6 axfr example4 + +# 5. Test allow-transfer port X transport tls, transfer works with TLS on port X but not port Y and not with TCP on port X. + +run_dig_expect_axfr_success "$testing for XoT" -p "${EXTRAPORT3}" +tls -b 10.53.0.10 @10.53.0.1 axfr example5 + +run_dig_expect_axfr_failure "$testing for XoT (failure expected)" -p "${EXTRAPORT4}" +tls -b 10.53.0.10 @10.53.0.1 axfr example5 + +run_dig_expect_axfr_failure "$testing for XFR via TCP (failure expected)" -p "${EXTRAPORT3}" +tcp -b 10.53.0.10 @10.53.0.2 axfr example5 + +# 6. Test with multiple allow-transfer available, first ACL is a match. +run_dig_expect_axfr_success "$testing for XFR via TCP" -p "${EXTRAPORT5}" +tcp -b 10.53.0.7 @10.53.0.1 axfr example6 + +run_dig_expect_axfr_failure "$testing for XFR via TCP (failure expected)" -p "${EXTRAPORT5}" +tcp -b 10.53.0.6 @10.53.0.1 axfr example6 + +# 7. Test with multiple allow-transfer available, last ACL is a match. +run_dig_expect_axfr_success "$testing for XoT" -p "${EXTRAPORT6}" +tls -b 10.53.0.9 @10.53.0.1 axfr example7 + +run_dig_expect_axfr_failure "$testing for XoT (failure expected)" -p "${EXTRAPORT6}" +tls -b 10.53.0.6 @10.53.0.1 axfr example7 + +# 8. Test with multiple allow-transfer available, no ACL is a match. +run_dig_expect_axfr_failure "$testing for XoT (failure expected)" -p "${EXTRAPORT7}" +tls -b 10.53.0.7 @10.53.0.1 axfr example8 + +# 9. Test with multiple allow-transfer available, negated ACL is used. +run_dig_expect_axfr_success "$testing for XFR via TCP" -p "${EXTRAPORT8}" +tcp -b 10.53.0.7 @10.53.0.1 axfr example9 + +run_dig_expect_axfr_failure "$testing for XoT (failure expected)" -p "${EXTRAPORT8}" +tcp -b 10.53.0.8 @10.53.0.1 axfr example9 + +run_dig_expect_axfr_success "$testing for XFR via TCP" -p "${EXTRAPORT8}" +tcp -b 10.53.0.9 @10.53.0.1 axfr example9 + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/util/copyrights b/util/copyrights index 1d43fbd260..1a78494769 100644 --- a/util/copyrights +++ b/util/copyrights @@ -823,6 +823,11 @@ ./bin/tests/system/tools/clean.sh SH 2017,2018,2019,2020,2021 ./bin/tests/system/tools/setup.sh SH 2019,2020,2021 ./bin/tests/system/tools/tests.sh SH 2017,2018,2019,2020,2021 +./bin/tests/system/transport-acl/clean.sh SH 2021 +./bin/tests/system/transport-acl/self-signed-cert.pem X 2021 +./bin/tests/system/transport-acl/self-signed-key.pem X 2021 +./bin/tests/system/transport-acl/setup.sh SH 2021 +./bin/tests/system/transport-acl/tests.sh SH 2021 ./bin/tests/system/tsig/ans2/ans.pl PERL 2020,2021 ./bin/tests/system/tsig/badlocation X 2020,2021 ./bin/tests/system/tsig/badtime X 2020,2021