From a64853318ade406ef0db744918bb2828cf0a6247 Mon Sep 17 00:00:00 2001

From: Stephen Morris <stephen@isc.org>

Date: Thu, 5 Mar 2020 18:46:46 +0000

Subject: [PATCH] Add test for reduction in number of fetches

Add a system test that counts how many address fetches are made

for different numbers of NS records and checks that the number

are successfully limited.

(cherry picked from commit 5fb65f45443225180296b361a12be0fead5049f2)

---

 bin/tests/system/resolver/clean.sh          |  4 +-

 bin/tests/system/resolver/ns4/named.conf.in |  5 ++

 bin/tests/system/resolver/ns4/root.db       |  4 +

 bin/tests/system/resolver/ns4/sourcens.db   | 89 +++++++++++++++++++++

 bin/tests/system/resolver/ns5/named.conf.in |  9 ++-

 bin/tests/system/resolver/ns6/named.conf.in | 15 ++++

 bin/tests/system/resolver/ns6/targetns.db   | 23 ++++++

 bin/tests/system/resolver/tests.sh          | 34 ++++++++

 8 files changed, 180 insertions(+), 3 deletions(-)

 create mode 100644 bin/tests/system/resolver/ns4/sourcens.db

 create mode 100644 bin/tests/system/resolver/ns6/targetns.db

diff --git a/bin/tests/system/resolver/clean.sh b/bin/tests/system/resolver/clean.sh

index 4dfde1f3e7..b3e4bc0b5d 100644

--- a/bin/tests/system/resolver/clean.sh

+++ b/bin/tests/system/resolver/clean.sh

@@ -17,8 +17,7 @@ rm -f */named.memstats

 rm -f */named.run

 rm -f */ans.run

 rm -f */*.jdb

-rm -f dig.out dig.out.*

-rm -f dig.*.out.*

+rm -f dig.out dig.out.* dig.*.out.*

 rm -f dig.*.foo.*

 rm -f dig.*.bar.*

 rm -f dig.*.prime.*

@@ -28,6 +27,7 @@ rm -f ns6/example.net.db.signed ns6/example.net.db

 rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db

 rm -f ns6/dsset-ds.example.net*

 rm -f ns6/dsset-example.net* ns6/example.net.db.signed.jnl

+rm -f ns6/named.stats*

 rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl

 rm -f ns7/server.db ns7/server.db.jnl

 rm -f resolve.out.*.test*

diff --git a/bin/tests/system/resolver/ns4/named.conf.in b/bin/tests/system/resolver/ns4/named.conf.in

index c679dc3151..56fe5d0dd8 100644

--- a/bin/tests/system/resolver/ns4/named.conf.in

+++ b/bin/tests/system/resolver/ns4/named.conf.in

@@ -50,6 +50,11 @@ zone "broken" {

 	file "broken.db";

 };

+zone "sourcens" {

+    type master;

+    file "sourcens.db";

+};

+

 key rndc_key {

 	secret "1234abcd8765";

 	algorithm hmac-sha256;

diff --git a/bin/tests/system/resolver/ns4/root.db b/bin/tests/system/resolver/ns4/root.db

index 721765d1be..ae541340da 100644

--- a/bin/tests/system/resolver/ns4/root.db

+++ b/bin/tests/system/resolver/ns4/root.db

@@ -24,3 +24,7 @@ example.net.		NS	ns.example.net.

 ns.example.net.		A	10.53.0.6

 no-questions.		NS	ns.no-questions.

 ns.no-questions.	A	10.53.0.8

+sourcens.		NS	ns.sourcens.

+ns.sourcens.		A	10.53.0.4

+targetns. 		NS	ns.targetns.

+ns.targetns.		A	10.53.0.6

diff --git a/bin/tests/system/resolver/ns4/sourcens.db b/bin/tests/system/resolver/ns4/sourcens.db

new file mode 100644

index 0000000000..b02cc6e835

--- /dev/null

+++ b/bin/tests/system/resolver/ns4/sourcens.db

@@ -0,0 +1,89 @@

+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")

+;

+; This Source Code Form is subject to the terms of the Mozilla Public

+; License, v. 2.0. If a copy of the MPL was not distributed with this

+; file, You can obtain one at http://mozilla.org/MPL/2.0/.

+;

+; See the COPYRIGHT file distributed with this work for additional

+; information regarding copyright ownership.

+

+; This zone contains a set of delegations with varying numbers of NS

+; records.  This is used to check that BIND is limiting the number of

+; NS records it follows when resolving a delegation.  It tests all

+; numbers of NS records up to twice the number followed.

+

+$TTL 60

+@ 			IN SOA	marka.isc.org. ns.server. (

+				2010   	; serial

+				600         	; refresh

+				600         	; retry

+				1200    	; expire

+				600       	; minimum

+				)

+@			NS	ns

+ns			A	10.53.0.4

+

+target1  		NS	ns.fake11.targetns.

+

+target2  		NS	ns.fake21.targetns.

+			NS	ns.fake22.targetns.

+

+target3  		NS	ns.fake31.targetns.

+			NS	ns.fake32.targetns.

+			NS	ns.fake33.targetns.

+

+target4  		NS	ns.fake41.targetns.

+			NS	ns.fake42.targetns.

+			NS	ns.fake43.targetns.

+			NS	ns.fake44.targetns.

+

+target5  		NS	ns.fake51.targetns.

+			NS	ns.fake52.targetns.

+			NS	ns.fake53.targetns.

+			NS	ns.fake54.targetns.

+			NS	ns.fake55.targetns.

+

+target6  		NS	ns.fake61.targetns.

+			NS	ns.fake62.targetns.

+			NS	ns.fake63.targetns.

+			NS	ns.fake64.targetns.

+			NS	ns.fake65.targetns.

+			NS	ns.fake66.targetns.

+

+target7  		NS	ns.fake71.targetns.

+			NS	ns.fake72.targetns.

+			NS	ns.fake73.targetns.

+			NS	ns.fake74.targetns.

+			NS	ns.fake75.targetns.

+			NS	ns.fake76.targetns.

+			NS	ns.fake77.targetns.

+

+target8  		NS	ns.fake81.targetns.

+			NS	ns.fake82.targetns.

+			NS	ns.fake83.targetns.

+			NS	ns.fake84.targetns.

+			NS	ns.fake85.targetns.

+			NS	ns.fake86.targetns.

+			NS	ns.fake87.targetns.

+			NS	ns.fake88.targetns.

+

+target9  		NS	ns.fake91.targetns.

+			NS	ns.fake92.targetns.

+			NS	ns.fake93.targetns.

+			NS	ns.fake94.targetns.

+			NS	ns.fake95.targetns.

+			NS	ns.fake96.targetns.

+			NS	ns.fake97.targetns.

+			NS	ns.fake98.targetns.

+			NS	ns.fake99.targetns.

+

+target10  		NS	ns.fake101.targetns.

+			NS	ns.fake102.targetns.

+			NS	ns.fake103.targetns.

+			NS	ns.fake104.targetns.

+			NS	ns.fake105.targetns.

+			NS	ns.fake106.targetns.

+			NS	ns.fake107.targetns.

+			NS	ns.fake108.targetns.

+			NS	ns.fake109.targetns.

+			NS	ns.fake1010.targetns.

diff --git a/bin/tests/system/resolver/ns5/named.conf.in b/bin/tests/system/resolver/ns5/named.conf.in

index 07205c9938..90818e4556 100644

--- a/bin/tests/system/resolver/ns5/named.conf.in

+++ b/bin/tests/system/resolver/ns5/named.conf.in

@@ -46,4 +46,11 @@ zone "delegation-only" {

        type delegation-only;

 };

-include "trusted.conf";

+key rndc_key {

+	secret "1234abcd8765";

+	algorithm hmac-sha256;

+};

+

+controls {

+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };

+};

diff --git a/bin/tests/system/resolver/ns6/named.conf.in b/bin/tests/system/resolver/ns6/named.conf.in

index 7df48558b8..4b01f9ba14 100644

--- a/bin/tests/system/resolver/ns6/named.conf.in

+++ b/bin/tests/system/resolver/ns6/named.conf.in

@@ -22,6 +22,7 @@ options {

 	recursion no;

 	// minimal-responses yes;

 	querylog yes;

+	statistics-file "named.stats";

 	/*

 	 * test that named loads with root-delegation-only that

 	 * has a exclude list.

@@ -67,3 +68,17 @@ zone "delegation-only" {

 	type master;

 	file "delegation-only.db";

 };

+

+zone "targetns" {

+	type master;

+	file "targetns.db";

+};

+

+key rndc_key {

+	secret "1234abcd8765";

+	algorithm hmac-sha256;

+};

+

+controls {

+	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };

+};

diff --git a/bin/tests/system/resolver/ns6/targetns.db b/bin/tests/system/resolver/ns6/targetns.db

new file mode 100644

index 0000000000..036e64580b

--- /dev/null

+++ b/bin/tests/system/resolver/ns6/targetns.db

@@ -0,0 +1,23 @@

+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")

+;

+; This Source Code Form is subject to the terms of the Mozilla Public

+; License, v. 2.0. If a copy of the MPL was not distributed with this

+; file, You can obtain one at http://mozilla.org/MPL/2.0/.

+;

+; See the COPYRIGHT file distributed with this work for additional

+; information regarding copyright ownership.

+

+; In the test for checking how many NS records BIND will follow, this

+; zone marks the server as the one to which the NS lookups will be

+; directed.

+

+$TTL 300

+@ 			IN SOA	marka.isc.org. ns.server. (

+				2010   	; serial

+				600         	; refresh

+				600         	; retry

+				1200    	; expire

+				600       	; minimum

+				)

+			NS	ns

+ns			A	10.53.0.6

diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh

index 12d2819e30..178ba4d79b 100755

--- a/bin/tests/system/resolver/tests.sh

+++ b/bin/tests/system/resolver/tests.sh

@@ -247,6 +247,40 @@ if [ -x ${RESOLVE} ] ; then

     status=`expr $status + $ret`

 fi

+n=`expr $n + 1`

+echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)"

+# ns5 is the recusor being tested.  ns4 holds the sourcens zone containing names with varying numbers of NS

+# records pointing to non-existent nameservers in the targetns zone on ns6.

+ret=0

+$RNDCCMD 10.53.0.5 flush || ret=1   # Ensure cache is empty before doing this test

+for nscount in 1 2 3 4 5 6 7 8 9 10

+do

+        # Verify number of NS records at source server

+        $DIG $DIGOPTS +norecurse @10.53.0.4 target${nscount}.sourcens ns > dig.ns4.out.${nscount}.${n}

+        sourcerecs=`grep NS dig.ns4.out.${nscount}.${n} | grep -v ';' | wc -l`

+        test $sourcerecs -eq $nscount || ret=1

+        test $sourcerecs -eq $nscount || echo_i "NS count incorrect for target${nscount}.sourcens"

+        # Expected queries = 2 * number of NS records, up to a maximum of 10.

+        expected=`expr 2 \* $nscount`

+        if [ $expected -gt 10 ]; then expected=10; fi

+        # Work out the queries made by checking statistics on the target before and after the test

+        $RNDCCMD 10.53.0.6 stats || ret=1

+        initial_count=`awk '/responses sent/ {print $1}' ns6/named.stats`

+        mv ns6/named.stats ns6/named.stats.initial.${nscount}.${n}

+        $DIG $DIGOPTS @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1

+        $RNDCCMD 10.53.0.6 stats || ret=1

+        final_count=`awk '/responses sent/ {print $1}' ns6/named.stats`

+        mv ns6/named.stats ns6/named.stats.final.${nscount}.${n}

+        # Check number of queries during the test is as expected

+        actual=`expr $final_count - $initial_count`

+        if [ $actual -ne $expected ]; then

+                echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual"

+                ret=1

+        fi

+done

+if [ $ret != 0 ]; then echo_i "failed"; fi

+status=`expr $status + $ret`

+

 n=`expr $n + 1`

 echo_i "RT21594 regression test check setup ($n)"

 ret=0

-- 

2.21.1