Copyright (C) 2015, 2016 Internet Systems Consortium, Inc. ("ISC")

This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.

These tests check RPZ recursion behavior (including skipping
recursion when appropriate).

The general structure of the tests is:

* The resolver (ns2) with an unqualified view containing the policy
  zones, the response-policy statement, and a root hint zone

* The auth server that contains two authoritative zones, l1.l0 and
  l2.l1.l0, both delegated to itself. l2.l1.l0 specifies a non-existent
  zone data file and so will generate SERVFAILs for any queries to it.

The l2.l1.l0 zone was chosen to generate SERVFAIL responses because RPZ
evaluation will use that error response whenever it encounters it during
processing, thus making it a binary indicator for whether or not
recursion was attempted. This also allows us to not worry about having
to craft 'ip', 'nsdname', and 'nsip' rules that matched the queries.

Each test is intended to be fed a number of queries constructed as
qXX.l2.l1.l0, where XX is the 1-based query sequence number (e.g. the
first query of each test is q01.l2.l1.l0).

For all the tests the triggers are constructed as follows:
client-ip - match 127.0.0.1/32
ip - match 255.255.255.255/32 (does not matter due to SERVFAIL)
nsdname - match ns.example.org (also does not matter)
nsip - match 255.255.255.255/32 (also does not matter)
qname - match qXX.l2.l1.l0, where XX is the query sequence number that
  is intended to be matched by this qname rule.

Here's the detail on the test cases:

Group 1 - testing skipping recursion for a single policy zone with only
records that allow recursion to be skipped

    1 policy zone containing 1 'client-ip' trigger
    1 query, expected to skip recursion

    1 policy zone containing 1 'qname' trigger (q01)
    2 queries, q01 is expected to skip recursion, q02 is expected to

    1 policy zone containing both a 'client-ip' and 'qname' trigger (q02)
    1 query, expected to skip recursion

Group 2 - testing skipping recursion with multiple policy zones when all
zones have only trigger types eligible to skip recursion with

    32 policy zones, each containing 1 'qname' trigger (qNN, where NN is
      the zone's 1-based sequence number formatted to 2 digits,
      so each of the first 32 queries should match a different zone)
    33 queries, the first 32 of which are expected to skip recursion
      while the 33rd is expected to recurse

Group 3 - Testing interaction of triggers that require recursion when in
a single zone, both alone and with triggers that allow recursion to be

    1 policy zone containing 1 'ip' trigger
    1 query, expected to recurse

    1 policy zone containing 1 'nsdname' trigger
    1 query, expected to recurse

    1 policy zone containing 1 'nsip' trigger
    1 query, expected to recurse

    1 policy zone containing 1 'ip' trigger and 1 'qname' trigger (q02)
    2 queries, the first should not recurse and the second should recurse

    1 policy zone containing 1 'nsdname' trigger and 1 'qname' trigger
    2 queries, the first should not recurse and the second should recurse

    1 policy zone containing 1 'nsip' trigger and 1 'qname' trigger (q02)
    2 queries, the first should not recurse and the second should recurse

Group 4 - contains 32 subtests designed to verify that recursion is
skippable for only the appropriate zones based on the order specified in
the 'response-policy' statement

Tests 4aa to 4bf:
    32 policy zones per test, one of which is configured with 1 'ip'
      trigger and one 'qname' trigger while the others are configured
      only with 1 'qname' trigger. The zone with both triggers starts
      listed first and is moved backwards by one position with each
      test. The 'qname' triggers in the zones are structured so that
      the zones are tested starting with the first zone and the 'ip'
      trigger is tested before the 'qname' trigger for that zone.
    33 queries per test, where the number expected to skip recursion
      matches the test sequence number: e.g. 1 skip for 4aa, 26 skips
      for 4az, and 32 skips for 4bf

Group 5 - This test verifies that the "pivot" policy zone for whether or
not recursion can be skipped is the first listed zone with applicable
trigger types rather than a later listed zone.

    5 policy zones, the 1st, 3rd, and 5th configured with 1 'qname'
      trigger each (q01, q04, and q06, respectively), the 2nd and 4th
      each configured with an 'ip' and 'qname' trigger (q02 and q05,
      respectively for the 'qname' triggers)
    6 queries, of which only q01 and q02 are expected to skip recursion
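
A small model of the zone-ordering rule that Groups 2, 4 and 5 exercise, added here as an illustration; it is not part of the BIND test suite or of named's code. It assumes a zone can answer without recursion only when it is listed at or before the first zone carrying an 'ip', 'nsdname' or 'nsip' trigger, and that zone i in Group 4 carries qname q<i>; the function names and the sample dig header lines are constructed.

```python
import re

NEEDS_RECURSION = {"ip", "nsdname", "nsip"}  # triggers evaluated on resolution results

def qname(n):
    """Query name for 1-based sequence number n, e.g. q01.l2.l1.l0."""
    return "q%02d.l2.l1.l0" % n

def expected_skips(zones, nqueries):
    """zones: trigger dicts in 'response-policy' order. Returns the query
    numbers expected to skip recursion under the assumed pivot rule."""
    # Pivot: first zone holding a trigger that needs recursion. Zones listed
    # after it cannot be applied until recursion has been attempted.
    pivot = next((i for i, z in enumerate(zones) if NEEDS_RECURSION & z.keys()),
                 len(zones) - 1)
    eligible = zones[:pivot + 1]
    # Every test query comes from 127.0.0.1, so a client-ip trigger always matches.
    return {n for n in range(1, nqueries + 1)
            if any("client-ip" in z or z.get("qname") == qname(n) for z in eligible)}

def group4_zones(test):
    """Group 4 test 'aa'..'bf': zone i carries qname q<i> (assumed layout) and
    the zone at the test's sequence position also carries an 'ip' trigger."""
    seq = (ord(test[0]) - ord("a")) * 26 + ord(test[1]) - ord("a") + 1
    return [{"qname": qname(i), **({"ip": "255.255.255.255/32"} if i == seq else {})}
            for i in range(1, 33)]

def observed_skips(dig_headers):
    """{query number: dig header line} -> numbers that did not get SERVFAIL,
    i.e. queries answered without recursing into the broken l2.l1.l0 zone."""
    status = {n: re.search(r"status: (\w+)", line) for n, line in dig_headers.items()}
    return {n for n, m in status.items() if m and m.group(1) != "SERVFAIL"}

# Group 5 layout as described above: zones 2 and 4 also carry an 'ip' trigger.
GROUP5 = [{"qname": qname(1)},
          {"ip": "255.255.255.255/32", "qname": qname(2)},
          {"qname": qname(4)},
          {"ip": "255.255.255.255/32", "qname": qname(5)},
          {"qname": qname(6)}]

# Constructed dig header lines (NXDOMAIN stands in for whatever the policy returns).
SAMPLE = {n: ";; ->>HEADER<<- opcode: QUERY, status: %s, id: %d"
             % ("NXDOMAIN" if n <= 2 else "SERVFAIL", 1000 + n) for n in range(1, 7)}

if __name__ == "__main__":
    print(sorted(expected_skips(GROUP5, 6)), sorted(observed_skips(SAMPLE)))
    for t in ("aa", "az", "bf"):
        print("4" + t, len(expected_skips(group4_zones(t), 33)))
```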