
Commit eeba1b8

committed
Merge branch 'each-dnsrps-testlib' into 'main'
use a test library for DNSRPS See merge request isc-projects/bind9!7693
2 parents bd7f85c + a83358c commit eeba1b8

38 files changed

+4280
-431
lines changed

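--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -226,6 +226,7 @@ stages:
 --enable-developer
 --enable-option-checking=fatal
 --enable-dnstap
+--enable-dnsrps
 --with-cmocka
 --with-libxml2
 --with-json-c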

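--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+6131. [test] Add a minimal test-only library to allow testing
+of the DNSRPS API without FastRPZ installed.
+Thanks to Farsight Securty. [GL !7693]
+
 6130. [func] The new "delv +ns" option activates name server mode,
 in which delv sets up an internal recursive
 resolver and uses that, rather than an external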

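--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -149,6 +149,9 @@ options {\n\
 clients-per-query 10;\n\
 dnssec-accept-expired no;\n\
 dnssec-validation " VALIDATION_DEFAULT "; \n"
+#ifdef USE_DNSRPS
+" dnsrps-library \"" DNSRPS_LIBRPZ_PATH "\";\n"
+#endif /* ifdef USE_DNSRPS */
 #ifdef HAVE_DNSTAP
 " dnstap-identity hostname;\n"
 #endif /* ifdef HAVE_DNSTAP */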
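Review bot: The new default entry gives every USE_DNSRPS build a `dnsrps-library` value, so the shared object at the compiled-in DNSRPS_LIBRPZ_PATH becomes a load candidate even where no view sets `dnsrps-enable yes`, and nothing beside the entry says so. A comment ahead of the `#ifdef USE_DNSRPS` line, for example `/* Default DNSRPS provider; path is fixed at build time and should name a file only the administrator can write. */`, would record that. The macro is also pasted between the `\"` marks without escaping, which is safe only while the build-time value contains no quote or backslash; its definition is outside this hunk, as are the start and end of the options string.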

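--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -50,16 +50,15 @@ struct named_server {
 char *statsfile; /*%< Statistics file name */
 char *dumpfile; /*%< Dump file name */
 char *secrootsfile; /*%< Secroots file name */
-char *bindkeysfile; /*%< bind.keys file name
-* */
+char *bindkeysfile; /*%< bind.keys file name */
 char *recfile; /*%< Recursive file name */
-bool version_set; /*%< User has set version
-* */
+bool version_set; /*%< User has set version */
 char *version; /*%< User-specified version */
-bool hostname_set; /*%< User has set hostname
-* */
-char *hostname; /*%< User-specified hostname
-* */
+bool hostname_set; /*%< User has set hostname */
+char *hostname; /*%< User-specified hostname */
+#ifdef USE_DNSRPS
+char *dnsrpslib;
+#endif /* ifdef USE_DNSRPS */
 
 /* Server data structures. */
 dns_loadmgr_t *loadmgr;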
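Review bot: `char *dnsrpslib;` is the only member in this run without a `/*%< ... */` description, while every neighbouring field carries one. Something like `char *dnsrpslib; /*%< DNSRPS provider library path */` would match the rest of the struct. It is also worth stating there that the string is allocated from `server->mctx` and stays NULL until a configuration naming `dnsrps-library` has been loaded, which is what the server.c changes in this commit suggest. The struct definition continues outside the hunk.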

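--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -2025,7 +2025,7 @@ conf_dnsrps_sadd(conf_dnsrps_ctx_t *ctx, const char *p, ...) {
 }
 
 /*
-* Get an DNSRPS configuration value using the global and view options
+* Get a DNSRPS configuration value using the global and view options
 * for the default. Return false upon failure.
 */
 static bool
@@ -9079,6 +9079,35 @@ load_configuration(const char *filename, named_server_t *server,
 server->kasplist = kasplist;
 kasplist = tmpkasplist;
 
+#ifdef USE_DNSRPS
+/*
+* Find the path to the DNSRPS implementation library.
+*/
+obj = NULL;
+if (named_config_get(maps, "dnsrps-library", &obj) == ISC_R_SUCCESS) {
+if (server->dnsrpslib != NULL) {
+dns_dnsrps_server_destroy();
+isc_mem_free(server->mctx, server->dnsrpslib);
+server->dnsrpslib = NULL;
+}
+setstring(server, &server->dnsrpslib, cfg_obj_asstring(obj));
+result = dns_dnsrps_server_create(server->dnsrpslib);
+isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
+"initializing DNSRPS RPZ provider '%s': %s",
+server->dnsrpslib, isc_result_totext(result));
+/*
+* It's okay if librpz isn't available. We'll complain
+* later if it turns out to be needed for a view with
+* "dnsrps-enable yes".
+*/
+if (result == ISC_R_FILENOTFOUND) {
+result = ISC_R_SUCCESS;
+}
+CHECKFATAL(result, "initializing RPZ service interface");
+}
+#endif /* ifdef USE_DNSRPS */
+
 /*
 * Configure the views.
 */
@@ -10135,18 +10164,13 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) {
 .recfile = isc_mem_strdup(mctx, "named.recursing"),
 };
 
-#ifdef USE_DNSRPS
-CHECKFATAL(dns_dnsrps_server_create(), "initializing RPZ service "
-"interface");
-#endif /* ifdef USE_DNSRPS */
-
 /* Initialize server data structures. */
 ISC_LIST_INIT(server->kasplist);
 ISC_LIST_INIT(server->viewlist);
 
 /* Must be first. */
-CHECKFATAL(dst_lib_init(named_g_mctx, named_g_engine), "initializing "
-"DST");
+CHECKFATAL(dst_lib_init(named_g_mctx, named_g_engine),
+"initializing DST");
 
 CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL,
 &server->in_roothints),
@@ -10218,6 +10242,7 @@ named_server_destroy(named_server_t **serverp) {
 
 #ifdef USE_DNSRPS
 dns_dnsrps_server_destroy();
+isc_mem_free(server->mctx, server->dnsrpslib);
 #endif /* ifdef USE_DNSRPS */
 
 named_controls_destroy(&server->controls);
@@ -15826,7 +15851,7 @@ named_server_mkeys(named_server_t *server, isc_lex_t *lex,
 dns_view_t *view = NULL;
 dns_rdataclass_t rdclass;
 char msg[DNS_NAME_FORMATSIZE + 500] = "";
-enum { NONE, STATUS, REFRESH, SYNC, DESTROY } opt = NONE;
+enum { NONE, STAT, REFRESH, SYNC, DESTROY } opt = NONE;
 bool found = false;
 bool first = true;
 
@@ -15845,7 +15870,7 @@ named_server_mkeys(named_server_t *server, isc_lex_t *lex,
 }
 
 if (strcasecmp(cmd, "status") == 0) {
-opt = STATUS;
+opt = STAT;
 } else if (strcasecmp(cmd, "refresh") == 0) {
 opt = REFRESH;
 } else if (strcasecmp(cmd, "sync") == 0) {
@@ -15904,7 +15929,7 @@ named_server_mkeys(named_server_t *server, isc_lex_t *lex,
 }
 CHECK(mkey_refresh(view, text));
 break;
-case STATUS:
+case STAT:
 if (!first) {
 CHECK(putstr(text, "\n\n"));
 }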
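Review bot: In the load_configuration hunk the provider is torn down with `dns_dnsrps_server_destroy()` and re-created on every load once `server->dnsrpslib` is set, even when the configured path has not changed, and this happens before the "Configure the views" step, so views from the previous configuration may still depend on the library being released (inferred; the destroy function is not on this page). Wrapping the teardown and create in `if (server->dnsrpslib == NULL || strcmp(server->dnsrpslib, cfg_obj_asstring(obj)) != 0)` would leave a working provider alone on an unchanged reload. Any result other than ISC_R_FILENOTFOUND reaches `CHECKFATAL`, which on a reload presumably stops the running server over a bad library path; logging at error level and failing the reload would be the safer outcome, and the DEBUG(1) message means a mistyped path is invisible at default log levels. Since the string names code that is loaded into named, a comment saying the path must point to an administrator-controlled file would help. The function body starts and ends outside the hunk.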

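--- a/bin/tests/system/Makefile.am
+++ b/bin/tests/system/Makefile.am
@@ -11,11 +11,17 @@ dist-hook:
 
 SUBDIRS = dyndb/driver dlzexternal/driver hooks/driver
 
+if DNSRPS
+SUBDIRS += rpz/testlib
+endif
+
 AM_CPPFLAGS += \
-$(LIBISC_CFLAGS)
+$(LIBISC_CFLAGS) \
+$(LIBDNS_CFLAGS)
 
 LDADD += \
-$(LIBISC_LIBS)
+$(LIBISC_LIBS) \
+$(LIBDNS_LIBS)
 
 if HAVE_PERL
 
@@ -48,11 +54,13 @@ pipelined_pipequeries_LDADD = \
 
 rpz_dnsrps_CPPFLAGS = \
 $(AM_CPPFLAGS) \
-$(LIBDNS_CFLAGS)
+$(LIBDNS_CFLAGS) \
+-DLIBRPZ_LIB_OPEN=\"$(abs_builddir)/rpz/testlib/.libs/libdummyrpz.so\"
 
 rpz_dnsrps_LDADD = \
 $(LDADD) \
-$(LIBDNS_LIBS)
+$(LIBDNS_LIBS) \
+-ldl
 
 TESTS =
 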
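Review bot: `-DLIBRPZ_LIB_OPEN` bakes in `rpz/testlib/.libs/libdummyrpz.so`, which relies on libtool's private output directory and on a `.so` suffix, and the `dnsrps-library` line written by ckdnsrps.sh repeats the same `.libs/libdummyrpz.so` path by hand. On a platform where libtool names the module differently, both would point at a missing file, and server.c treats a missing library as success, so the DNSRPS tests could degrade without an obvious error. Deriving the path from a single make variable and substituting it in both places would keep them in step. `-ldl` is added unconditionally, and `$(LIBDNS_CFLAGS)` / `$(LIBDNS_LIBS)` now reach `rpz_dnsrps` twice, once through `$(AM_CPPFLAGS)` / `$(LDADD)` and once directly, so the per-target copies look redundant.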

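--- a/bin/tests/system/ckdnsrps.sh
+++ b/bin/tests/system/ckdnsrps.sh
@@ -14,9 +14,9 @@
 set -e
 
 # Say on stdout whether to test DNSRPS
-# and create dnsrps.conf and dnsrps-secondary.conf
-# Note that dnsrps.conf and dnsrps-secondary.conf are included in named.conf
-# and differ from dnsrpz.conf which is used by dnsrpzd.
+# and creates dnsrps.conf
+# Note that dnsrps.conf is included in named.conf
+# and differs from dnsrpz.conf which is used by dnsrpzd.
 
 
 . ../conf.sh
@@ -26,15 +26,13 @@ DNSRPS_CMD=../rpz/dnsrps
 AS_NS=
 TEST_DNSRPS=
 MCONF=dnsrps.conf
-SCONF=dnsrps-secondary.conf
-USAGE="$0: [-xAD] [-M dnsrps.conf] [-S dnsrps-secondary.conf]"
+USAGE="$0: [-xAD] [-M dnsrps.conf]"
 while getopts "xADM:S:" c; do
 case $c in
 x) set -x; DEBUG=-x;;
 A) AS_NS=yes;;
 D) TEST_DNSRPS=yes;;
 M) MCONF="$OPTARG";;
-S) SCONF="$OPTARG";;
 *) echo "$USAGE" 1>&2; exit 1;;
 esac
 done
@@ -46,11 +44,9 @@ fi
 
 # erase any existing conf files
 cat /dev/null > $MCONF
-cat /dev/null > $SCONF
 
 add_conf () {
 echo "$*" >>$MCONF
-echo "$*" >>$SCONF
 }
 
 if ! $FEATURETEST --enable-dnsrps; then
@@ -82,86 +78,6 @@ else
 exit 0
 fi
 
-CMN=" dnsrps-options { dnsrpzd-conf ../dnsrpzd.conf
-dnsrpzd-sock ../dnsrpzd.sock
-dnsrpzd-rpzf ../dnsrpzd.rpzf
-dnsrpzd-args '-dddd -L stdout'
-log-level 3"
-
-PRIMARY="$CMN"
-if [ -n "$AS_NS" ]; then
-PRIMARY="$PRIMARY
-qname-as-ns yes
-ip-as-ns yes"
-fi
-
-# write dnsrps settings for primary resolver
-cat <<EOF >>$MCONF
-$PRIMARY };
-EOF
-
-# write dnsrps settings for resolvers that should not start dnsrpzd
-cat <<EOF >>$SCONF
-$CMN
-dnsrpzd '' }; # do not start dnsrpzd
-EOF
-
-
-# DNSRPS is available.
-# The test should fail if the license is bad.
-add_conf "dnsrps-enable yes;"
-
-# Use alt-dnsrpzd-license.conf if it exists
-CUR_L=dnsrpzd-license-cur.conf
-ALT_L=alt-dnsrpzd-license.conf
-# try ../rpz/alt-dnsrpzd-license.conf if alt-dnsrpzd-license.conf does not exist
-[ -s $ALT_L ] || ALT_L=../rpz/alt-dnsrpzd-license.conf
-if [ -s $ALT_L ]; then
-SRC_L=$ALT_L
-USE_ALT=
-else
-SRC_L=../rpz/dnsrpzd-license.conf
-USE_ALT="## consider installing alt-dnsrpzd-license.conf"
-fi
-cp $SRC_L $CUR_L
-
-# parse $CUR_L for the license zone name, primary IP addresses, and optional
-# transfer-source IP addresses
-eval `sed -n -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/'\
--e 's/.*zone *\([-a-z0-9]*.license.fastrpz.com\).*/NAME=\1/p' \
--e 's/.*farsight_fastrpz_license *\([0-9.]*\);.*/IPV4=\1/p' \
--e 's/.*farsight_fastrpz_license *\([0-9a-f:]*\);.*/IPV6=\1/p' \
--e 's/.*transfer-source *\([0-9.]*\);.*/TS4=-b\1/p' \
--e 's/.*transfer-source *\([0-9a-f:]*\);.*/TS6=-b\1/p' \
--e 's/.*transfer-source-v6 *\([0-9a-f:]*\);.*/TS6=-b\1/p' \
-$CUR_L`
-if [ -z "$NAME" ]; then
-add_conf "## no DNSRPS tests; no license domain name in $SRC_L"
-add_conf '#fail'
-exit 0
-fi
-if [ -z "$IPV4" ]; then
-IPV4=license1.fastrpz.com
-TS4=
-fi
-if [ -z "$IPV6" ]; then
-IPV6=license1.fastrpz.com
-TS6=
-fi
-
-# This TSIG key is common and NOT a secret
-KEY='hmac-sha256:farsight_fastrpz_license:f405d02b4c8af54855fcebc1'
-
-# Try IPv4 and then IPv6 to deal with IPv6 tunnel and connectivity problems
-if `$DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4 \
-| grep -i "^$NAME.*TXT" >/dev/null`; then
-exit 0
-fi
-if `$DIG -6 -t axfr -y$KEY $TS6 $NAME @$IPV6 \
-| grep -i "^$NAME.*TXT" >/dev/null`; then
-exit 0
-fi
-
-add_conf "## DNSRPS lacks a valid license via $SRC_L"
-[ -z "$USE_ALT" ] || add_conf "$USE_ALT"
-add_conf '#fail'
+add_conf 'dnsrps-options { log-level 3 };'
+add_conf 'dnsrps-enable yes;'
+add_conf 'dnsrps-library "../../rpz/testlib/.libs/libdummyrpz.so";'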
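Review bot: `-A` still sets `AS_NS=yes`, but the block that turned it into `qname-as-ns yes` and `ip-as-ns yes` is deleted in the last hunk, so in the lines shown here the flag no longer changes the generated dnsrps.conf and a caller passing `-A` silently gets the plain configuration. Either emit the two options through `add_conf` when `AS_NS` is set, or drop the flag from the option parsing and from `USAGE`. The `getopts` string also keeps `S:` although the `S)` branch is gone; `while getopts "xADM:" c; do` would reject `-S` as an unknown option instead of consuming its argument first. Parts of the script between the hunks are not visible, so another consumer of `AS_NS` cannot be ruled out.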

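--- a/bin/tests/system/rpz/.gitignore
+++ b/bin/tests/system/rpz/.gitignore
@@ -1,2 +1 @@
-alt-dnsrpzd-license.conf
 dnsrps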

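--- a/bin/tests/system/rpz/clean.sh
+++ b/bin/tests/system/rpz/clean.sh
@@ -40,6 +40,7 @@ rm -f ns5/example.db ns5/bl.db ns5/fast-expire.db ns5/expire.conf
 rm -f ns8/manual-update-rpz.db
 rm -f */policy2.db
 rm -f */*.jnl
+rm -f dnsrps.cache dnsrps.conf
 
 if [ ${PARTIAL:-unset} = unset ]; then
 rm -f proto.* dsset-* trusted.conf dig.out* nsupdate.tmp ns*/*tmp
@@ -49,9 +50,7 @@ if [ ${PARTIAL:-unset} = unset ]; then
 rm -f ns*/named.lock
 rm -f ns*/named.conf
 rm -f ns*/*switch
-rm -f dnsrps*.conf
-rm -f dnsrpzd.conf
-rm -f dnsrpzd-license-cur.conf dnsrpzd.rpzf dnsrpzd.sock dnsrpzd.pid
+rm -f dnsrps.zones
 rm -f ns*/managed-keys.bind*
 rm -f tmp
 fi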
