README revision 9ae15880201d512667795095880032e043c7b3c3
Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

These tests check RPZ recursion behavior (including skipping
recursion when appropriate).

The general structure of the tests is:

* The resolver (ns2) with an unqualified view containing the policy
  zones, the response-policy statement, and a root hint zone

* The auth server that contains two authoritative zones, l1.l0 and
  l2.l1.l0, both delegated to itself. l2.l1.l0 specifies a non-existent
  zone data file and so will generate SERVFAILs for any queries to it.

The l2.l1.l0 zone was chosen to generate SERVFAIL responses because RPZ
evaluation will use that error response whenever it encounters it during
processing, thus making it a binary indicator for whether or not
recursion was attempted. This also allows us to not worry about having
to craft 'ip', 'nsdname', and 'nsip' rules that matched the queries.

Each test is intended to be fed a number of queries constructed as
qXX.l2.l1.l0, where XX is the 1-based query sequence number (e.g. the
first query of each test is q01.l2.l1.l0).

For all the tests the triggers are constructed as follows:
client-ip - match 127.0.0.1/32
ip - match 255.255.255.255/32 (does not matter due to SERVFAIL)
nsdname - match does.not.matter (and it doesn't)
nsip - match 255.255.255.255/32 (also does not matter)
qname - match qXX.l2.l1.l0, where XX is the query sequence number that
is intended to be matched by this qname rule.

Here's the detail on the test cases:

Group 1 - testing skipping recursion for a single policy zone with only
records that allow recursion to be skipped

    1 policy zone containing 1 'client-ip' trigger
    1 query, expected to skip recursion

    1 policy zone containing 1 'qname' trigger (q01)
    2 queries, q01 is expected to skip recursion, q02 is expected to

    1 policy zone containing both a 'client-ip' and 'qname' trigger (q02)
    1 query, expected to skip recursion

Group 2 - testing skipping recursion with multiple policy zones when all
zones have only trigger types eligible to skip recursion with

    32 policy zones, each containing 1 'qname' trigger (qNN, where NN is
      the zone's 1-based sequence number formatted to 2 digits,
      so each of the first 32 queries should match a different zone)
    33 queries, the first 32 of which are expected to skip recursion
      while the 33rd is expected to recurse

Group 3 - Testing interaction of triggers that require recursion when in
a single zone, both alone and with triggers that allow recursion to be

    1 policy zone containing 1 'ip' trigger
    1 query, expected to recurse

    1 policy zone containing 1 'nsdname' trigger
    1 query, expected to recurse

    1 policy zone containing 1 'nsip' trigger
    1 query, expected to recurse

    1 policy zone containing 1 'ip' trigger and 1 'qname' trigger (q02)
    2 queries, the first should not recurse and the second should recurse

    1 policy zone containing 1 'nsdname' trigger and 1 'qname' trigger
    2 queries, the first should not recurse and the second should recurse

    1 policy zone containing 1 'nsip' trigger and 1 'qname' trigger (q02)
    2 queries, the first should not recurse and the second should recurse

Group 4 - contains 32 subtests designed to verify that recursion is
skippable for only the appropriate zones based on the order specified in
the 'response-policy' statement

Tests 4aa to 4bf:
    32 policy zones per test, one of which is configured with 1 'ip'
      trigger and one 'qname' trigger while the others are configured
      only with 1 'qname' trigger. The zone with both triggers starts
      listed first and is moved backwards by one position with each
      test. The 'qname' triggers in the zones are structured so that
      the zones are tested starting with the first zone and the 'ip'
      trigger is tested before the 'qname' trigger for that zone.
    33 queries per test, where the number expected to skip recursion
      matches the test sequence number: e.g. 1 skip for 4aa, 26 skips
      for 4az, and 32 skips for 4bf

Group 5 - This test verifies that the "pivot" policy zone for whether or
not recursion can be skipped is the first listed zone with applicable
trigger types rather than a later listed zone.

    5 policy zones, the 1st, 3rd, and 5th configured with 1 'qname'
      trigger each (q01, q04, and q06, respectively), the 2nd and 4th
      each configured with an 'ip' and 'qname' trigger (q02 and q05,
      respectively for the 'qname' triggers)
    6 queries, of which only q01 and q02 are expected to skip recursion