
Reformat shell scripts with shfmt

All changes in this commit were automated using the command:

  shfmt -w -i 2 -ci -bn . $(find . -name "*.sh.in")

By default, shfmt only checks *.sh files and files without an extension, so
*.sh.in files have to be passed to it explicitly. (See mvdan/sh#944)
This commit is contained in:
Tom Krizek 2023-10-24 14:43:14 +02:00
parent dea544d651
commit 4cb8b13987
No known key found for this signature in database
GPG Key ID: 01623B9B652A20A7
276 changed files with 24422 additions and 23499 deletions


@ -11,20 +11,20 @@
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
usage () {
echo "Usage: $0 [-s] <number of zones> [<records per zone>]"
echo " -s: use the same zone file all zones"
exit 1
usage() {
echo "Usage: $0 [-s] <number of zones> [<records per zone>]"
echo " -s: use the same zone file all zones"
exit 1
}
if [ "$#" -lt 1 -o "$#" -gt 3 ]; then
usage
usage
fi
single_file=""
if [ $1 = "-s" ]; then
single_file=yes
shift
single_file=yes
shift
fi
nzones=$1
@ -35,9 +35,9 @@ nrecords=5
. ../system/conf.sh
cat << EOF
cat <<EOF
options {
directory "`pwd`";
directory "$(pwd)";
listen-on { localhost; };
listen-on-v6 { localhost; };
port 5300;
@ -58,7 +58,7 @@ controls {
logging {
channel basic {
file "`pwd`/named.log" versions 3 size 100m;
file "$(pwd)/named.log" versions 3 size 100m;
severity info;
print-time yes;
print-severity no;
@ -72,11 +72,11 @@ logging {
EOF
$PERL makenames.pl $nzones | while read zonename; do
if [ $single_file ]; then
echo "zone $zonename { type primary; file \"smallzone.db\"; };"
else
[ -d zones ] || mkdir zones
$PERL mkzonefile.pl $zonename $nrecords > zones/$zonename.db
echo "zone $zonename { type primary; file \"zones/$zonename.db\"; };"
fi
if [ $single_file ]; then
echo "zone $zonename { type primary; file \"smallzone.db\"; };"
else
[ -d zones ] || mkdir zones
$PERL mkzonefile.pl $zonename $nrecords >zones/$zonename.db
echo "zone $zonename { type primary; file \"zones/$zonename.db\"; };"
fi
done


@ -25,15 +25,20 @@ echo_i "testing basic ACL processing"
# key "one" should fail
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
# any other key should be fine
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 && {
echo_i "test $t failed"
status=1
}
copy_setports ns2/named2.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
@ -42,19 +47,28 @@ sleep 5
# prefix 10/8 should fail
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
# any other address should work, as long as it sends key "one"
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 && {
echo_i "test $t failed"
status=1
}
echo_i "testing nested ACL processing"
# all combinations of 10.53.0.{1|2} with key {one|two}, should succeed
@ -65,43 +79,64 @@ sleep 5
# should succeed
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 && {
echo_i "test $t failed"
status=1
}
# should succeed
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 && {
echo_i "test $t failed"
status=1
}
# should succeed
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 && {
echo_i "test $t failed"
status=1
}
# should succeed
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 && {
echo_i "test $t failed"
status=1
}
# but only one or the other should fail
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.2 axfr > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1; }
@10.53.0.2 -b 10.53.0.2 axfr >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $tt failed"
status=1
}
# and other values? right out
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
copy_setports ns2/named4.conf.in ns2/named.conf
@ -111,32 +146,47 @@ sleep 5
# should succeed
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 && {
echo_i "test $t failed"
status=1
}
# should succeed
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 && {
echo_i "test $t failed"
status=1
}
# should fail
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
# should fail
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
# should fail
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.3 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.3 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
echo_i "testing allow-query-on ACL processing"
copy_setports ns2/named5.conf.in ns2/named.conf
@ -144,27 +194,30 @@ rndc_reload ns2 10.53.0.2
sleep 5
t=$((t + 1))
$DIG -p ${PORT} +tcp soa example. \
@10.53.0.2 -b 10.53.0.3 > dig.out.${t}
grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.3 >dig.out.${t}
grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
echo_i "testing blackhole ACL processing"
t=$((t + 1))
ret=0
$DIG -p ${PORT} +tcp soa example. \
@10.53.0.2 -b 10.53.0.3 > dig.out.1.${t}
grep "status: NOERROR" dig.out.1.${t} > /dev/null 2>&1 || ret=1
@10.53.0.2 -b 10.53.0.3 >dig.out.1.${t}
grep "status: NOERROR" dig.out.1.${t} >/dev/null 2>&1 || ret=1
$DIG -p ${PORT} +tcp soa example. \
@10.53.0.2 -b 10.53.0.8 > dig.out.2.${t} && ret=1
grep "status: NOERROR" dig.out.2.${t} > /dev/null 2>&1 && ret=1
grep "communications error" dig.out.2.${t} > /dev/null 2>&1 || ret=1
@10.53.0.2 -b 10.53.0.8 >dig.out.2.${t} && ret=1
grep "status: NOERROR" dig.out.2.${t} >/dev/null 2>&1 && ret=1
grep "communications error" dig.out.2.${t} >/dev/null 2>&1 || ret=1
$DIG -p ${PORT} soa example. \
@10.53.0.2 -b 10.53.0.3 > dig.out.3.${t}
grep "status: NOERROR" dig.out.3.${t} > /dev/null 2>&1 || ret=1
@10.53.0.2 -b 10.53.0.3 >dig.out.3.${t}
grep "status: NOERROR" dig.out.3.${t} >/dev/null 2>&1 || ret=1
$DIG -p ${PORT} soa example. \
@10.53.0.2 -b 10.53.0.8 > dig.out.4.${t} && ret=1
grep "status: NOERROR" dig.out.4.${t} > /dev/null 2>&1 && ret=1
grep "timed out" dig.out.4.${t} > /dev/null 2>&1 || ret=1
grep ";; no servers could be reached" dig.out.4.${t} > /dev/null 2>&1 || ret=1
@10.53.0.2 -b 10.53.0.8 >dig.out.4.${t} && ret=1
grep "status: NOERROR" dig.out.4.${t} >/dev/null 2>&1 && ret=1
grep "timed out" dig.out.4.${t} >/dev/null 2>&1 || ret=1
grep ";; no servers could be reached" dig.out.4.${t} >/dev/null 2>&1 || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
@ -179,7 +232,7 @@ sleep 1
t=$((t + 1))
ret=0
echo_i "checking AXFR of example.com from ns3 with ACL allow-transfer { none; }; (${t})"
$DIG -p ${PORT} @10.53.0.3 example.com axfr > dig.out.${t} 2>&1
$DIG -p ${PORT} @10.53.0.3 example.com axfr >dig.out.${t} 2>&1
grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
@ -192,7 +245,7 @@ sleep 1
t=$((t + 1))
ret=0
echo_i "re-checking AXFR of example.com from ns3 with ACL allow-transfer { none; }; (${t})"
$DIG -p ${PORT} @10.53.0.3 example.com axfr > dig.out.${t} 2>&1
$DIG -p ${PORT} @10.53.0.3 example.com axfr >dig.out.${t} 2>&1
grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
@ -208,7 +261,7 @@ sleep 1
t=$((t + 1))
ret=0
echo_i "checking AXFR of example.com from ns4 with ACL allow-transfer { none; }; (${t})"
$DIG -p ${PORT} @10.53.0.4 example.com axfr > dig.out.${t} 2>&1
$DIG -p ${PORT} @10.53.0.4 example.com axfr >dig.out.${t} 2>&1
grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
@ -221,7 +274,7 @@ sleep 1
t=$((t + 1))
ret=0
echo_i "re-checking AXFR of example.com from ns4 with ACL allow-transfer { none; }; (${t})"
$DIG -p ${PORT} @10.53.0.4 example.com axfr > dig.out.${t} 2>&1
$DIG -p ${PORT} @10.53.0.4 example.com axfr >dig.out.${t} 2>&1
grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
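Review bot: The failure message for the unauthenticated AXFR check (the `$DIG ... -b 10.53.0.2 axfr >dig.out.${t}` call with no `-y` key in the nested-ACL section) reads `echo_i "test $tt failed"`, but no variable `tt` is ever set, so a failure prints `test  failed` with no test number. This is the one test verifying that a transfer with no TSIG key at all is refused by the `10.53.0.2 and key two` ACL, so a mislabelled failure is the one you least want to have to hunt for. shfmt only re-wrapped the `{ ...; }` group here; the typo is pre-existing and the fix is one token: `echo_i "test $t failed"`. The `status=1` assignment is unaffected, so the suite still fails overall, only the diagnostic is wrong.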


@ -22,229 +22,245 @@ status=0
n=0
dotests() {
n=$((n + 1))
echo_i "test with RT, single zone (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t RT rt.rt.example @10.53.0.1 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with RT, single zone (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t RT rt.rt.example @10.53.0.1 >dig.out.$n || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with RT, two zones (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t RT rt.rt2.example @10.53.0.1 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with RT, two zones (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t RT rt.rt2.example @10.53.0.1 >dig.out.$n || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with NAPTR, single zone (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t NAPTR nap.naptr.example @10.53.0.1 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with NAPTR, single zone (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t NAPTR nap.naptr.example @10.53.0.1 >dig.out.$n || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with NAPTR, two zones (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t NAPTR nap.hang3b.example @10.53.0.1 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with NAPTR, two zones (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t NAPTR nap.hang3b.example @10.53.0.1 >dig.out.$n || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with LP (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t LP nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1
case $minimal in
n=$((n + 1))
echo_i "test with LP (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t LP nid2.nid.example @10.53.0.1 >dig.out.$n || ret=1
case $minimal in
no)
grep -w "NS" dig.out.$n > /dev/null || ret=1
grep -w "L64" dig.out.$n > /dev/null || ret=1
grep -w "L32" dig.out.$n > /dev/null || ret=1
grep -w "NS" dig.out.$n >/dev/null || ret=1
grep -w "L64" dig.out.$n >/dev/null || ret=1
grep -w "L32" dig.out.$n >/dev/null || ret=1
;;
yes)
grep -w "NS" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
grep -w "NS" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
;;
no-auth)
grep -w "NS" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null || ret=1
grep -w "L32" dig.out.$n > /dev/null || ret=1
grep -w "NS" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null || ret=1
grep -w "L32" dig.out.$n >/dev/null || ret=1
;;
no-auth-recursive)
grep -w "NS" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null || ret=1
grep -w "L32" dig.out.$n > /dev/null || ret=1
grep -w "NS" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null || ret=1
grep -w "L32" dig.out.$n >/dev/null || ret=1
;;
esac
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
esac
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with NID (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t NID ns1.nid.example @10.53.0.1 > dig.out.$n || ret=1
if [ $minimal = no ] ; then
# change && to || when we support NID additional processing
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
else
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
fi
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with NID (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t NID ns1.nid.example @10.53.0.1 >dig.out.$n || ret=1
if [ $minimal = no ]; then
# change && to || when we support NID additional processing
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
else
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
fi
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with NID + LP (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t NID nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1
if [ $minimal = no ] ; then
# change && to || when we support NID additional processing
grep -w "LP" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
else
grep -w "LP" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
fi
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with NID + LP (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t NID nid2.nid.example @10.53.0.1 >dig.out.$n || ret=1
if [ $minimal = no ]; then
# change && to || when we support NID additional processing
grep -w "LP" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
else
grep -w "LP" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
fi
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with RT, single zone (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t RT rt.rt.example @10.53.0.1 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with RT, single zone (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t RT rt.rt.example @10.53.0.1 >dig.out.$n || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with RT, two zones (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t RT rt.rt2.example @10.53.0.1 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with RT, two zones (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t RT rt.rt2.example @10.53.0.1 >dig.out.$n || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with NAPTR, single zone (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t NAPTR nap.naptr.example @10.53.0.1 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with NAPTR, single zone (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t NAPTR nap.naptr.example @10.53.0.1 >dig.out.$n || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with NAPTR, two zones (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t NAPTR nap.hang3b.example @10.53.0.1 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with NAPTR, two zones (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t NAPTR nap.hang3b.example @10.53.0.1 >dig.out.$n || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with LP (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t LP nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1
case $minimal in
n=$((n + 1))
echo_i "test with LP (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t LP nid2.nid.example @10.53.0.1 >dig.out.$n || ret=1
case $minimal in
no)
grep -w "NS" dig.out.$n > /dev/null || ret=1
grep -w "L64" dig.out.$n > /dev/null || ret=1
grep -w "L32" dig.out.$n > /dev/null || ret=1
grep -w "NS" dig.out.$n >/dev/null || ret=1
grep -w "L64" dig.out.$n >/dev/null || ret=1
grep -w "L32" dig.out.$n >/dev/null || ret=1
;;
yes)
grep -w "NS" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
grep -w "NS" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
;;
no-auth)
grep -w "NS" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null || ret=1
grep -w "L32" dig.out.$n > /dev/null || ret=1
grep -w "NS" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null || ret=1
grep -w "L32" dig.out.$n >/dev/null || ret=1
;;
no-auth-recursive)
grep -w "NS" dig.out.$n > /dev/null || ret=1
grep -w "L64" dig.out.$n > /dev/null || ret=1
grep -w "L32" dig.out.$n > /dev/null || ret=1
grep -w "NS" dig.out.$n >/dev/null || ret=1
grep -w "L64" dig.out.$n >/dev/null || ret=1
grep -w "L32" dig.out.$n >/dev/null || ret=1
;;
esac
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
esac
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with NID (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t NID ns1.nid.example @10.53.0.1 > dig.out.$n || ret=1
if [ $minimal = no ] ; then
# change && to || when we support NID additional processing
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
else
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
fi
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with NID (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t NID ns1.nid.example @10.53.0.1 >dig.out.$n || ret=1
if [ $minimal = no ]; then
# change && to || when we support NID additional processing
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
else
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
fi
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with NID + LP (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t NID nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1
if [ $minimal = no ] ; then
# change && to || when we support NID additional processing
grep -w "LP" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
else
grep -w "LP" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
fi
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with NID + LP (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t NID nid2.nid.example @10.53.0.1 >dig.out.$n || ret=1
if [ $minimal = no ]; then
# change && to || when we support NID additional processing
grep -w "LP" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
else
grep -w "LP" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
fi
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with NS, root zone ($n)"
ret=0
$DIG $DIGOPTS -t NS . @10.53.0.1 > dig.out.$n || ret=1
# Always expect glue for root priming queries, regardless $minimal
grep 'ADDITIONAL: 3' dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with NS, root zone ($n)"
ret=0
$DIG $DIGOPTS -t NS . @10.53.0.1 >dig.out.$n || ret=1
# Always expect glue for root priming queries, regardless $minimal
grep 'ADDITIONAL: 3' dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with NS, non-root zone ($n)"
ret=0
$DIG $DIGOPTS -t NS rt.example @10.53.0.1 > dig.out.$n || ret=1
case $minimal in
n=$((n + 1))
echo_i "test with NS, non-root zone ($n)"
ret=0
$DIG $DIGOPTS -t NS rt.example @10.53.0.1 >dig.out.$n || ret=1
case $minimal in
yes)
grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1
grep 'ADDITIONAL: 2' dig.out.$n >/dev/null || ret=1
;;
no)
grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1
grep 'ADDITIONAL: 2' dig.out.$n >/dev/null || ret=1
;;
no-auth)
grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1
grep 'ADDITIONAL: 2' dig.out.$n >/dev/null || ret=1
;;
no-auth-recursive)
grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1
grep 'ADDITIONAL: 2' dig.out.$n >/dev/null || ret=1
;;
esac
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
esac
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
}
echo_i "testing with 'minimal-responses yes;'"
@ -262,10 +278,11 @@ dotests
n=$((n + 1))
echo_i "testing with 'minimal-any no;' ($n)"
ret=0
$DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1
grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 >dig.out.$n || ret=1
grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
echo_i "reconfiguring server: minimal-any yes"
@ -275,28 +292,31 @@ rndc_reconfig ns1 10.53.0.1
n=$((n + 1))
echo_i "testing with 'minimal-any yes;' over UDP ($n)"
ret=0
$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1
grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 >dig.out.$n || ret=1
grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "testing with 'minimal-any yes;' over TCP ($n)"
ret=0
$DIG $DIGOPTS -t ANY +tcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1
grep "ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t ANY +tcp www.rt.example @10.53.0.1 >dig.out.$n || ret=1
grep "ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "testing with 'minimal-any yes;' over UDP ($n)"
ret=0
$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1
grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 >dig.out.$n || ret=1
grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
echo_i "testing with 'minimal-responses no-auth;'"
@ -314,23 +334,25 @@ dotests
n=$((n + 1))
echo_i "testing returning TLSA records with MX query ($n)"
ret=0
$DIG $DIGOPTS -t mx mx.example @10.53.0.1 > dig.out.$n || ret=1
grep "mx\.example\..*MX.0 mail\.mx\.example" dig.out.$n > /dev/null || ret=1
grep "mail\.mx\.example\..*A.1\.2\.3\.4" dig.out.$n > /dev/null || ret=1
grep "_25\._tcp\.mail\.mx\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t mx mx.example @10.53.0.1 >dig.out.$n || ret=1
grep "mx\.example\..*MX.0 mail\.mx\.example" dig.out.$n >/dev/null || ret=1
grep "mail\.mx\.example\..*A.1\.2\.3\.4" dig.out.$n >/dev/null || ret=1
grep "_25\._tcp\.mail\.mx\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "testing returning TLSA records with SRV query ($n)"
ret=0
$DIG $DIGOPTS -t srv _xmpp-client._tcp.srv.example @10.53.0.1 > dig.out.$n || ret=1
grep "_xmpp-client\._tcp\.srv\.example\..*SRV.1 0 5222 server\.srv\.example" dig.out.$n > /dev/null || ret=1
grep "server\.srv\.example\..*A.1\.2\.3\.4" dig.out.$n > /dev/null || ret=1
grep "_5222\._tcp\.server\.srv\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t srv _xmpp-client._tcp.srv.example @10.53.0.1 >dig.out.$n || ret=1
grep "_xmpp-client\._tcp\.srv\.example\..*SRV.1 0 5222 server\.srv\.example" dig.out.$n >/dev/null || ret=1
grep "server\.srv\.example\..*A.1\.2\.3\.4" dig.out.$n >/dev/null || ret=1
grep "_5222\._tcp\.server\.srv\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
echo_i "reconfiguring server: minimal-responses no"
@ -340,39 +362,43 @@ rndc_reconfig ns1 10.53.0.1
n=$((n + 1))
echo_i "testing NS handling in ANY responses (authoritative) ($n)"
ret=0
$DIG $DIGOPTS -t ANY rt.example @10.53.0.1 > dig.out.$n || ret=1
grep "AUTHORITY: 0" dig.out.$n > /dev/null || ret=1
grep "NS[ ]*ns" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t ANY rt.example @10.53.0.1 >dig.out.$n || ret=1
grep "AUTHORITY: 0" dig.out.$n >/dev/null || ret=1
grep "NS[ ]*ns" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "testing NS handling in ANY responses (recursive) ($n)"
ret=0
$DIG $DIGOPTS -t ANY rt.example @10.53.0.3 > dig.out.$n || ret=1
grep "AUTHORITY: 0" dig.out.$n > /dev/null || ret=1
grep "NS[ ]*ns" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t ANY rt.example @10.53.0.3 >dig.out.$n || ret=1
grep "AUTHORITY: 0" dig.out.$n >/dev/null || ret=1
grep "NS[ ]*ns" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "testing out-of-zone additional data from auth zones (authoritative) ($n)"
ret=0
$DIG $DIGOPTS -t NS rt.example @10.53.0.1 > dig.out.$n || ret=1
grep "ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t NS rt.example @10.53.0.1 >dig.out.$n || ret=1
grep "ADDITIONAL: 2" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "testing out-of-zone additional data from auth zones (recursive) ($n)"
ret=0
$DIG $DIGOPTS -t NS ex @10.53.0.3 > dig.out.$n || ret=1
grep "ADDITIONAL: 3" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t NS ex @10.53.0.3 >dig.out.$n || ret=1
grep "ADDITIONAL: 3" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
echo_i "exit status: $status"


@ -19,9 +19,9 @@ DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnss
RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"
check_zonestatus() (
$RNDCCMD "10.53.0.$1" zonestatus -redirect > "zonestatus.out.ns$1.$n" &&
grep "type: redirect" "zonestatus.out.ns$1.$n" > /dev/null &&
grep "serial: 1" "zonestatus.out.ns$1.$n" > /dev/null
$RNDCCMD "10.53.0.$1" zonestatus -redirect >"zonestatus.out.ns$1.$n" \
&& grep "type: redirect" "zonestatus.out.ns$1.$n" >/dev/null \
&& grep "serial: 1" "zonestatus.out.ns$1.$n" >/dev/null
)
status=0
@ -29,9 +29,9 @@ n=0
echo_i "checking normally loaded zone ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -40,28 +40,28 @@ status=$((status + ret))
# NZF to NZD occurs during named startup
echo_i "checking previously added zone ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 a.previous.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.previous.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 a.previous.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.previous.example' dig.out.ns2.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
if $FEATURETEST --with-lmdb; then
echo_i "checking that existing NZF file was renamed after migration ($n)"
[ -e ns2/3bf305731dd26307.nzf~ ] || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "checking that existing NZF file was renamed after migration ($n)"
[ -e ns2/3bf305731dd26307.nzf~ ] || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
fi
echo_i "adding new zone ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone 'added.example { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
_check_adding_new_zone () (
$DIG $DIGOPTS @10.53.0.2 a.added.example a > dig.out.ns2.$n &&
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null &&
grep '^a.added.example' dig.out.ns2.$n > /dev/null
_check_adding_new_zone() (
$DIG $DIGOPTS @10.53.0.2 a.added.example a >dig.out.ns2.$n \
&& grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \
&& grep '^a.added.example' dig.out.ns2.$n >/dev/null
)
retry_quiet 10 _check_adding_new_zone || ret=1
n=$((n + 1))
@ -71,7 +71,7 @@ status=$((status + ret))
nextpart ns2/named.run >/dev/null
echo_i "checking addzone errors are logged correctly"
ret=0
$RNDCCMD 10.53.0.2 addzone bad.example '{ type mister; };' 2>&1 | grep 'unexpected token' > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.2 addzone bad.example '{ type mister; };' 2>&1 | grep 'unexpected token' >/dev/null 2>&1 || ret=1
wait_for_log_peek 20 "addzone: 'mister' unexpected" ns2/named.run || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -80,7 +80,7 @@ status=$((status + ret))
nextpart ns2/named.run >/dev/null
echo_i "checking modzone errors are logged correctly"
ret=0
$RNDCCMD 10.53.0.2 modzone added.example '{ type mister; };' 2>&1 | grep 'unexpected token' > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.2 modzone added.example '{ type mister; };' 2>&1 | grep 'unexpected token' >/dev/null 2>&1 || ret=1
wait_for_log_peek 20 "modzone: 'mister' unexpected" ns2/named.run || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -91,9 +91,9 @@ ret=0
$RNDCCMD 10.53.0.2 addzone '"32/1.0.0.127-in-addr.added.example" {
check-names ignore; type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
_check_zone_that_requires_quotes() (
$DIG $DIGOPTS @10.53.0.2 "a.32/1.0.0.127-in-addr.added.example" a > dig.out.ns2.$n &&
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null &&
grep '^a.32/1.0.0.127-in-addr.added.example' dig.out.ns2.$n > /dev/null
$DIG $DIGOPTS @10.53.0.2 "a.32/1.0.0.127-in-addr.added.example" a >dig.out.ns2.$n \
&& grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \
&& grep '^a.32/1.0.0.127-in-addr.added.example' dig.out.ns2.$n >/dev/null
)
retry_quiet 10 _check_zone_that_requires_quotes || ret=1
n=$((n + 1))
@ -104,9 +104,9 @@ echo_i "adding a zone with a quote in the name ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone '"foo\"bar.example" { check-names ignore; type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
_check_zone_with_a_quote() (
$DIG $DIGOPTS @10.53.0.2 "a.foo\"bar.example" a > dig.out.ns2.$n &&
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null &&
grep '^a.foo\\"bar.example' dig.out.ns2.$n > /dev/null
$DIG $DIGOPTS @10.53.0.2 "a.foo\"bar.example" a >dig.out.ns2.$n \
&& grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \
&& grep '^a.foo\\"bar.example' dig.out.ns2.$n >/dev/null
)
retry_quiet 10 _check_zone_with_a_quote || ret=1
n=$((n + 1))
@ -115,30 +115,30 @@ status=$((status + ret))
echo_i "adding new zone with missing file ($n)"
ret=0
$DIG $DIGOPTS +all @10.53.0.2 a.missing.example a > dig.out.ns2.pre.$n || ret=1
grep "status: REFUSED" dig.out.ns2.pre.$n > /dev/null || ret=1
$RNDCCMD 10.53.0.2 addzone 'missing.example { type primary; file "missing.db"; };' 2> rndc.out.ns2.$n && ret=1
grep "file not found" rndc.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS +all @10.53.0.2 a.missing.example a > dig.out.ns2.post.$n || ret=1
grep "status: REFUSED" dig.out.ns2.post.$n > /dev/null || ret=1
$DIG $DIGOPTS +all @10.53.0.2 a.missing.example a >dig.out.ns2.pre.$n || ret=1
grep "status: REFUSED" dig.out.ns2.pre.$n >/dev/null || ret=1
$RNDCCMD 10.53.0.2 addzone 'missing.example { type primary; file "missing.db"; };' 2>rndc.out.ns2.$n && ret=1
grep "file not found" rndc.out.ns2.$n >/dev/null || ret=1
$DIG $DIGOPTS +all @10.53.0.2 a.missing.example a >dig.out.ns2.post.$n || ret=1
grep "status: REFUSED" dig.out.ns2.post.$n >/dev/null || ret=1
digcomp dig.out.ns2.pre.$n dig.out.ns2.post.$n || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
if ! $FEATURETEST --with-lmdb; then
echo_i "verifying no comments in NZF file ($n)"
ret=0
hcount=$(grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l)
[ $hcount -eq 0 ] || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "verifying no comments in NZF file ($n)"
ret=0
hcount=$(grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l)
[ $hcount -eq 0 ] || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
fi
echo_i "checking rndc showzone with previously added zone ($n)"
ret=0
$RNDCCMD 10.53.0.2 showzone previous.example > rndc.out.ns2.$n
$RNDCCMD 10.53.0.2 showzone previous.example >rndc.out.ns2.$n
expected='zone "previous.example" { type primary; file "previous.db"; };'
[ "$(cat rndc.out.ns2.$n)" = "$expected" ] || ret=1
n=$((n + 1))
@ -146,20 +146,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
if $FEATURETEST --with-lmdb; then
echo_i "checking zone is present in NZD ($n)"
ret=0
$NZD2NZF ns2/_default.nzd | grep previous.example > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "checking zone is present in NZD ($n)"
ret=0
$NZD2NZF ns2/_default.nzd | grep previous.example >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
fi
echo_i "deleting previously added zone ($n)"
ret=0
$RNDCCMD 10.53.0.2 delzone previous.example 2>&1 | sed 's/^/I:ns2 /'
_check_deleting_previously_added_zone() (
$DIG $DIGOPTS @10.53.0.2 a.previous.example a > dig.out.ns2.$n &&
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null &&
! grep '^a.previous.example' dig.out.ns2.$n > /dev/null
$DIG $DIGOPTS @10.53.0.2 a.previous.example a >dig.out.ns2.$n \
&& grep 'status: REFUSED' dig.out.ns2.$n >/dev/null \
&& ! grep '^a.previous.example' dig.out.ns2.$n >/dev/null
)
retry_quiet 10 _check_deleting_previously_added_zone || ret=1
n=$((n + 1))
@ -167,34 +167,34 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
check_nzd2nzf() (
$NZD2NZF ns2/_default.nzd > nzd2nzf.out.$n &&
! grep previous.example nzd2nzf.out.$n > /dev/null
$NZD2NZF ns2/_default.nzd >nzd2nzf.out.$n \
&& ! grep previous.example nzd2nzf.out.$n >/dev/null
)
if $FEATURETEST --with-lmdb; then
echo_i "checking zone was deleted from NZD ($n)"
retry_quiet 10 check_nzd2nzf || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "checking zone was deleted from NZD ($n)"
retry_quiet 10 check_nzd2nzf || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
fi
if ! $FEATURETEST --with-lmdb; then
echo_i "checking NZF file now has comment ($n)"
ret=0
hcount=$(grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l)
[ $hcount -eq 1 ] || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "checking NZF file now has comment ($n)"
ret=0
hcount=$(grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l)
[ $hcount -eq 1 ] || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
fi
echo_i "deleting newly added zone added.example ($n)"
ret=0
$RNDCCMD 10.53.0.2 delzone added.example 2>&1 | sed 's/^/I:ns2 /'
_check_deleting_newly_added_zone() (
$DIG $DIGOPTS @10.53.0.2 a.added.example a > dig.out.ns2.$n &&
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null &&
! grep '^a.added.example' dig.out.ns2.$n > /dev/null
$DIG $DIGOPTS @10.53.0.2 a.added.example a >dig.out.ns2.$n \
&& grep 'status: REFUSED' dig.out.ns2.$n >/dev/null \
&& ! grep '^a.added.example' dig.out.ns2.$n >/dev/null
)
retry_quiet 10 _check_deleting_newly_added_zone || ret=1
n=$((n + 1))
@ -205,9 +205,9 @@ echo_i "deleting newly added zone with escaped quote ($n)"
ret=0
$RNDCCMD 10.53.0.2 delzone "foo\\\"bar.example" 2>&1 | sed 's/^/I:ns2 /'
_check_deleting_newly_added_zone_quote() (
$DIG $DIGOPTS @10.53.0.2 "a.foo\"bar.example" a > dig.out.ns2.$n &&
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null &&
! grep "^a.foo\"bar.example" dig.out.ns2.$n > /dev/null
$DIG $DIGOPTS @10.53.0.2 "a.foo\"bar.example" a >dig.out.ns2.$n \
&& grep 'status: REFUSED' dig.out.ns2.$n >/dev/null \
&& ! grep "^a.foo\"bar.example" dig.out.ns2.$n >/dev/null
)
retry_quiet 10 _check_deleting_newly_added_zone_quote || ret=1
n=$((n + 1))
@ -216,7 +216,7 @@ status=$((status + ret))
echo_i "checking rndc showzone with a normally-loaded zone ($n)"
ret=0
$RNDCCMD 10.53.0.2 showzone normal.example > rndc.out.ns2.$n
$RNDCCMD 10.53.0.2 showzone normal.example >rndc.out.ns2.$n
expected='zone "normal.example" { type primary; file "normal.db"; };'
[ "$(cat rndc.out.ns2.$n)" = "$expected" ] || ret=1
n=$((n + 1))
@ -225,7 +225,7 @@ status=$((status + ret))
echo_i "checking rndc showzone with a normally-loaded zone with trailing dot ($n)"
ret=0
$RNDCCMD 10.53.0.2 showzone finaldot.example > rndc.out.ns2.$n
$RNDCCMD 10.53.0.2 showzone finaldot.example >rndc.out.ns2.$n
expected='zone "finaldot.example." { type primary; file "normal.db"; };'
[ "$(cat rndc.out.ns2.$n)" = "$expected" ] || ret=1
n=$((n + 1))
@ -234,7 +234,7 @@ status=$((status + ret))
echo_i "checking rndc showzone with a normally-loaded redirect zone ($n)"
ret=0
$RNDCCMD 10.53.0.1 showzone -redirect > rndc.out.ns1.$n
$RNDCCMD 10.53.0.1 showzone -redirect >rndc.out.ns1.$n
expected='zone "." { type redirect; file "redirect.db"; };'
[ "$(cat rndc.out.ns1.$n)" = "$expected" ] || ret=1
n=$((n + 1))
@ -243,9 +243,9 @@ status=$((status + ret))
echo_i "checking rndc zonestatus with a normally-loaded redirect zone ($n)"
ret=0
$RNDCCMD 10.53.0.1 zonestatus -redirect > rndc.out.ns1.$n
grep "type: redirect" rndc.out.ns1.$n > /dev/null || ret=1
grep "serial: 0" rndc.out.ns1.$n > /dev/null || ret=1
$RNDCCMD 10.53.0.1 zonestatus -redirect >rndc.out.ns1.$n
grep "type: redirect" rndc.out.ns1.$n >/dev/null || ret=1
grep "serial: 0" rndc.out.ns1.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -254,7 +254,7 @@ echo_i "checking rndc reload with a normally-loaded redirect zone ($n)"
ret=0
sleep 1
cp -f ns1/redirect.db.2 ns1/redirect.db
$RNDCCMD 10.53.0.1 reload -redirect > rndc.out.ns1.$n
$RNDCCMD 10.53.0.1 reload -redirect >rndc.out.ns1.$n
retry_quiet 5 check_zonestatus 1 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -262,13 +262,13 @@ status=$((status + ret))
echo_i "delete a normally-loaded zone ($n)"
ret=0
$RNDCCMD 10.53.0.2 delzone normal.example > rndc.out.ns2.$n 2>&1
grep "is no longer active and will be deleted" rndc.out.ns2.$n > /dev/null || ret=11
grep "To keep it from returning when the server is restarted" rndc.out.ns2.$n > /dev/null || ret=1
grep "must also be removed from named.conf." rndc.out.ns2.$n > /dev/null || ret=1
$RNDCCMD 10.53.0.2 delzone normal.example >rndc.out.ns2.$n 2>&1
grep "is no longer active and will be deleted" rndc.out.ns2.$n >/dev/null || ret=11
grep "To keep it from returning when the server is restarted" rndc.out.ns2.$n >/dev/null || ret=1
grep "must also be removed from named.conf." rndc.out.ns2.$n >/dev/null || ret=1
_check_delete_normally_loaded_zone() (
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n &&
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null
$DIG $DIGOPTS @10.53.0.2 a.normal.example a >dig.out.ns2.$n \
&& grep 'status: REFUSED' dig.out.ns2.$n >/dev/null
)
retry_quiet 5 _check_delete_normally_loaded_zone || ret=1
@ -279,9 +279,9 @@ status=$((status + ret))
echo_i "attempting to add primary zone with inline signing ($n)"
$RNDCCMD 10.53.0.2 addzone 'inline.example { type primary; file "inline.db"; dnssec-policy default; inline-signing yes; };' 2>&1 | sed 's/^/I:ns2 /'
_check_add_primary_zone_with_inline() (
$DIG $DIGOPTS @10.53.0.2 a.inline.example a > dig.out.ns2.$n &&
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null &&
grep '^a.inline.example' dig.out.ns2.$n > /dev/null
$DIG $DIGOPTS @10.53.0.2 a.inline.example a >dig.out.ns2.$n \
&& grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \
&& grep '^a.inline.example' dig.out.ns2.$n >/dev/null
)
retry_quiet 5 _check_add_primary_zone_with_inline || ret=1
n=$((n + 1))
@ -290,8 +290,8 @@ status=$((status + ret))
echo_i "attempting to add primary zone with inline signing and missing file ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone 'inlinemissing.example { type primary; file "missing.db"; dnssec-policy default; inline-signing yes; };' 2> rndc.out.ns2.$n && ret=1
grep "file not found" rndc.out.ns2.$n > /dev/null || ret=1
$RNDCCMD 10.53.0.2 addzone 'inlinemissing.example { type primary; file "missing.db"; dnssec-policy default; inline-signing yes; };' 2>rndc.out.ns2.$n && ret=1
grep "file not found" rndc.out.ns2.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -299,9 +299,9 @@ status=$((status + ret))
echo_i "attempting to add secondary zone with inline signing ($n)"
$RNDCCMD 10.53.0.2 addzone 'inlinesec.example { type secondary; primaries { 10.53.0.1; }; file "inlinesec.bk"; dnssec-policy default; inline-signing yes; };' 2>&1 | sed 's/^/I:ns2 /'
_check_add_secondary_with_inline() (
$DIG $DIGOPTS @10.53.0.2 a.inlinesec.example a > dig.out.ns2.$n &&
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null &&
grep '^a.inlinesec.example' dig.out.ns2.$n > /dev/null
$DIG $DIGOPTS @10.53.0.2 a.inlinesec.example a >dig.out.ns2.$n \
&& grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \
&& grep '^a.inlinesec.example' dig.out.ns2.$n >/dev/null
)
retry_quiet 5 _check_add_secondary_with_inline || ret=1
n=$((n + 1))
@ -311,14 +311,16 @@ status=$((status + ret))
echo_i "attempting to delete secondary zone with inline signing ($n)"
ret=0
retry_quiet 10 test -f ns2/inlinesec.bk.signed -a -f ns2/inlinesec.bk || ret=1
$RNDCCMD 10.53.0.2 delzone inlinesec.example > rndc.out2.test$n 2>&1 || ret=1
test -f inlinesec.bk ||
grep '^inlinesec.bk$' rndc.out2.test$n > /dev/null || {
echo_i "failed to report inlinesec.bk"; ret=1;
$RNDCCMD 10.53.0.2 delzone inlinesec.example >rndc.out2.test$n 2>&1 || ret=1
test -f inlinesec.bk \
|| grep '^inlinesec.bk$' rndc.out2.test$n >/dev/null || {
echo_i "failed to report inlinesec.bk"
ret=1
}
test ! -f inlinesec.bk.signed ||
grep '^inlinesec.bk.signed$' rndc.out2.test$n > /dev/null || {
echo_i "failed to report inlinesec.bk.signed"; ret=1;
test ! -f inlinesec.bk.signed \
|| grep '^inlinesec.bk.signed$' rndc.out2.test$n >/dev/null || {
echo_i "failed to report inlinesec.bk.signed"
ret=1
}
n=$((n + 1))
status=$((status + ret))
@ -326,9 +328,9 @@ status=$((status + ret))
echo_i "restoring secondary zone with inline signing ($n)"
$RNDCCMD 10.53.0.2 addzone 'inlinesec.example { type secondary; primaries { 10.53.0.1; }; file "inlinesec.bk"; dnssec-policy default; inline-signing yes; };' 2>&1 | sed 's/^/I:ns2 /'
_check_restoring_secondary_with_inline() (
$DIG $DIGOPTS @10.53.0.2 a.inlinesec.example a > dig.out.ns2.$n &&
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null &&
grep '^a.inlinesec.example' dig.out.ns2.$n > /dev/null
$DIG $DIGOPTS @10.53.0.2 a.inlinesec.example a >dig.out.ns2.$n \
&& grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \
&& grep '^a.inlinesec.example' dig.out.ns2.$n >/dev/null
)
retry_quiet 5 _check_restoring_secondary_with_inline || ret=1
n=$((n + 1))
@ -338,7 +340,7 @@ status=$((status + ret))
echo_i "deleting secondary zone with automatic zone file removal ($n)"
ret=0
retry_quiet 10 test -f ns2/inlinesec.bk.signed -a -f ns2/inlinesec.bk || ret=1
$RNDCCMD 10.53.0.2 delzone -clean inlinesec.example > /dev/null 2>&1
$RNDCCMD 10.53.0.2 delzone -clean inlinesec.example >/dev/null 2>&1
retry_quiet 10 test ! -f ns2/inlinesec.bk.signed -a ! -f ns2/inlinesec.bk
n=$((n + 1))
status=$((status + ret))
@ -346,38 +348,38 @@ status=$((status + ret))
echo_i "modifying zone configuration ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone 'mod.example { type primary; file "added.db"; };' 2>&1 | sed 's/^/ns2 /' | cat_i
$DIG +norec $DIGOPTS @10.53.0.2 mod.example ns > dig.out.ns2.1.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.1.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.2 mod.example ns >dig.out.ns2.1.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.1.$n >/dev/null || ret=1
$RNDCCMD 10.53.0.2 modzone 'mod.example { type primary; file "added.db"; allow-query { none; }; };' 2>&1 | sed 's/^/ns2 /' | cat_i
$DIG +norec $DIGOPTS @10.53.0.2 mod.example ns > dig.out.ns2.2.$n || ret=1
$RNDCCMD 10.53.0.2 showzone mod.example | grep 'allow-query { "none"; };' > /dev/null 2>&1 || ret=1
$DIG +norec $DIGOPTS @10.53.0.2 mod.example ns >dig.out.ns2.2.$n || ret=1
$RNDCCMD 10.53.0.2 showzone mod.example | grep 'allow-query { "none"; };' >/dev/null 2>&1 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "check that adding a 'stub' zone works ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone 'stub.example { type stub; primaries { 1.2.3.4; }; file "stub.example.bk"; };' > rndc.out.ns2.$n 2>&1 || ret=1
$RNDCCMD 10.53.0.2 addzone 'stub.example { type stub; primaries { 1.2.3.4; }; file "stub.example.bk"; };' >rndc.out.ns2.$n 2>&1 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "check that adding a 'static-stub' zone works ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone 'static-stub.example { type static-stub; server-addresses { 1.2.3.4; }; };' > rndc.out.ns2.$n 2>&1 || ret=1
$RNDCCMD 10.53.0.2 addzone 'static-stub.example { type static-stub; server-addresses { 1.2.3.4; }; };' >rndc.out.ns2.$n 2>&1 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "check that adding a 'primary redirect' zone works ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone '"." { type redirect; file "redirect.db"; };' > rndc.out.ns2.$n 2>&1 || ret=1
$RNDCCMD 10.53.0.2 addzone '"." { type redirect; file "redirect.db"; };' >rndc.out.ns2.$n 2>&1 || ret=1
_check_add_primary_redirect() (
$RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 &&
grep "type redirect;" showzone.out.ns2.$n > /dev/null &&
$RNDCCMD 10.53.0.2 zonestatus -redirect > zonestatus.out.ns2.$n 2>&1 &&
grep "type: redirect" zonestatus.out.ns2.$n > /dev/null &&
grep "serial: 0" zonestatus.out.ns2.$n > /dev/null
$RNDCCMD 10.53.0.2 showzone -redirect >showzone.out.ns2.$n 2>&1 \
&& grep "type redirect;" showzone.out.ns2.$n >/dev/null \
&& $RNDCCMD 10.53.0.2 zonestatus -redirect >zonestatus.out.ns2.$n 2>&1 \
&& grep "type: redirect" zonestatus.out.ns2.$n >/dev/null \
&& grep "serial: 0" zonestatus.out.ns2.$n >/dev/null
)
retry_quiet 10 _check_add_primary_redirect || ret=1
n=$((n + 1))
@ -388,7 +390,7 @@ echo_i "check that reloading a added 'primary redirect' zone works ($n)"
ret=0
sleep 1
cp -f ns2/redirect.db.2 ns2/redirect.db
$RNDCCMD 10.53.0.2 reload -redirect > rndc.out.ns2.$n
$RNDCCMD 10.53.0.2 reload -redirect >rndc.out.ns2.$n
retry_quiet 10 check_zonestatus 2 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -396,17 +398,17 @@ status=$((status + ret))
echo_i "check that retransfer of a added 'primary redirect' zone fails ($n)"
ret=0
$RNDCCMD 10.53.0.2 retransfer -redirect > rndc.out.ns2.$n 2>&1 && ret=1
$RNDCCMD 10.53.0.2 retransfer -redirect >rndc.out.ns2.$n 2>&1 && ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "check that deleting a 'primary redirect' zone works ($n)"
ret=0
$RNDCCMD 10.53.0.2 delzone -redirect > rndc.out.ns2.$n 2>&1 || ret=1
$RNDCCMD 10.53.0.2 delzone -redirect >rndc.out.ns2.$n 2>&1 || ret=1
_check_deleting_primary_redirect() (
$RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 || true
grep 'not found' showzone.out.ns2.$n > /dev/null
$RNDCCMD 10.53.0.2 showzone -redirect >showzone.out.ns2.$n 2>&1 || true
grep 'not found' showzone.out.ns2.$n >/dev/null
)
retry_quiet 10 _check_deleting_primary_redirect || ret=1
n=$((n + 1))
@ -415,13 +417,13 @@ status=$((status + ret))
echo_i "check that adding a 'secondary redirect' zone works ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone '"." { type redirect; primaries { 10.53.0.3;}; file "redirect.bk"; };' > rndc.out.ns2.$n 2>&1 || ret=1
$RNDCCMD 10.53.0.2 addzone '"." { type redirect; primaries { 10.53.0.3;}; file "redirect.bk"; };' >rndc.out.ns2.$n 2>&1 || ret=1
_check_adding_secondary_redirect() (
$RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 &&
grep "type redirect;" showzone.out.ns2.$n > /dev/null &&
$RNDCCMD 10.53.0.2 zonestatus -redirect > zonestatus.out.ns2.$n 2>&1 &&
grep "type: redirect" zonestatus.out.ns2.$n > /dev/null &&
grep "serial: 0" zonestatus.out.ns2.$n > /dev/null
$RNDCCMD 10.53.0.2 showzone -redirect >showzone.out.ns2.$n 2>&1 \
&& grep "type redirect;" showzone.out.ns2.$n >/dev/null \
&& $RNDCCMD 10.53.0.2 zonestatus -redirect >zonestatus.out.ns2.$n 2>&1 \
&& grep "type: redirect" zonestatus.out.ns2.$n >/dev/null \
&& grep "serial: 0" zonestatus.out.ns2.$n >/dev/null
)
retry_quiet 10 _check_adding_secondary_redirect || ret=1
n=$((n + 1))
@ -431,12 +433,12 @@ status=$((status + ret))
echo_i "check that retransfering a added 'secondary redirect' zone works ($n)"
ret=0
cp -f ns3/redirect.db.2 ns3/redirect.db
$RNDCCMD 10.53.0.3 reload . > showzone.out.ns3.$n 2>&1 || ret=1
$RNDCCMD 10.53.0.3 reload . >showzone.out.ns3.$n 2>&1 || ret=1
_check_retransfering_secondary_redirect() (
$RNDCCMD 10.53.0.2 retransfer -redirect > rndc.out.ns2.$n 2>&1 &&
$RNDCCMD 10.53.0.2 zonestatus -redirect > zonestatus.out.ns2.$n 2>&1 &&
grep "type: redirect" zonestatus.out.ns2.$n > /dev/null &&
grep "serial: 1" zonestatus.out.ns2.$n > /dev/null
$RNDCCMD 10.53.0.2 retransfer -redirect >rndc.out.ns2.$n 2>&1 \
&& $RNDCCMD 10.53.0.2 zonestatus -redirect >zonestatus.out.ns2.$n 2>&1 \
&& grep "type: redirect" zonestatus.out.ns2.$n >/dev/null \
&& grep "serial: 1" zonestatus.out.ns2.$n >/dev/null
)
retry_quiet 10 _check_retransfering_secondary_redirect || ret=1
n=$((n + 1))
@ -445,10 +447,10 @@ status=$((status + ret))
echo_i "check that deleting a 'secondary redirect' zone works ($n)"
ret=0
$RNDCCMD 10.53.0.2 delzone -redirect > rndc.out.ns2.$n 2>&1 || ret=1
$RNDCCMD 10.53.0.2 delzone -redirect >rndc.out.ns2.$n 2>&1 || ret=1
_check_deleting_secondary_redirect() (
$RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 || true
grep 'not found' showzone.out.ns2.$n > /dev/null
$RNDCCMD 10.53.0.2 showzone -redirect >showzone.out.ns2.$n 2>&1 || true
grep 'not found' showzone.out.ns2.$n >/dev/null
)
retry_quiet 10 _check_deleting_secondary_redirect || ret=1
n=$((n + 1))
@ -457,24 +459,24 @@ status=$((status + ret))
echo_i "check that zone type 'hint' is properly rejected ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone '"." { type hint; file "hints.db"; };' > rndc.out.ns2.$n 2>&1 && ret=1
grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1
$RNDCCMD 10.53.0.2 addzone '"." { type hint; file "hints.db"; };' >rndc.out.ns2.$n 2>&1 && ret=1
grep "zones not supported by addzone" rndc.out.ns2.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "check that zone type 'forward' is properly rejected ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone 'forward.example { type forward; forwarders { 1.2.3.4; }; forward only; };' > rndc.out.ns2.$n 2>&1 && ret=1
grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1
$RNDCCMD 10.53.0.2 addzone 'forward.example { type forward; forwarders { 1.2.3.4; }; forward only; };' >rndc.out.ns2.$n 2>&1 && ret=1
grep "zones not supported by addzone" rndc.out.ns2.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "check that 'in-view' zones are properly rejected ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone 'in-view.example { in-view "_default"; };' > rndc.out.ns2.$n 2>&1 && ret=1
grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1
$RNDCCMD 10.53.0.2 addzone 'in-view.example { in-view "_default"; };' >rndc.out.ns2.$n 2>&1 && ret=1
grep "zones not supported by addzone" rndc.out.ns2.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -492,48 +494,48 @@ echo_i "adding new zone to external view ($n)"
# the zone does not exist because a) it has not yet been loaded, b)
# it failed to load, or c) it has been deleted.
ret=0
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.intpre.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.intpre.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.extpre.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.extpre.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.intpre.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.intpre.$n >/dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.extpre.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.extpre.$n >/dev/null || ret=1
$RNDCCMD 10.53.0.2 addzone 'added.example in external { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null || ret=1
grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.ext.$n >/dev/null || ret=1
grep '^a.added.example' dig.out.ns2.ext.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
if ! $FEATURETEST --with-lmdb; then
echo_i "checking new NZF file has comment ($n)"
ret=0
hcount=$(grep "^# New zone file for view: external" ns2/external.nzf | wc -l)
[ $hcount -eq 1 ] || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "checking new NZF file has comment ($n)"
ret=0
hcount=$(grep "^# New zone file for view: external" ns2/external.nzf | wc -l)
[ $hcount -eq 1 ] || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
fi
if $FEATURETEST --with-lmdb; then
echo_i "verifying added.example in external view created an external.nzd DB ($n)"
ret=0
[ -e ns2/external.nzd ] || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "verifying added.example in external view created an external.nzd DB ($n)"
ret=0
[ -e ns2/external.nzd ] || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
fi
echo_i "checking rndc reload causes named to reload the external view's new zone config ($n)"
ret=0
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
_check_rndc_reload_external_view_config() (
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n &&
grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null &&
$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n &&
grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null &&
grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n \
&& grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null \
&& $DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n \
&& grep 'status: NOERROR' dig.out.ns2.ext.$n >/dev/null \
&& grep '^a.added.example' dig.out.ns2.ext.$n >/dev/null
)
retry_quiet 10 _check_rndc_reload_external_view_config || ret=1
n=$((n + 1))
@ -542,15 +544,15 @@ status=$((status + ret))
echo_i "checking rndc showzone with newly added zone ($n)"
_check_rndc_showzone_newly_added() (
if ! $FEATURETEST --with-lmdb; then
expected='zone "added.example" in external { type primary; file "added.db"; };'
else
expected='zone "added.example" { type primary; file "added.db"; };'
fi
$RNDCCMD 10.53.0.2 showzone added.example in external > rndc.out.ns2.$n 2>/dev/null &&
[ "$(cat rndc.out.ns2.$n)" = "$expected" ]
if ! $FEATURETEST --with-lmdb; then
expected='zone "added.example" in external { type primary; file "added.db"; };'
else
expected='zone "added.example" { type primary; file "added.db"; };'
fi
$RNDCCMD 10.53.0.2 showzone added.example in external >rndc.out.ns2.$n 2>/dev/null \
&& [ "$(cat rndc.out.ns2.$n)" = "$expected" ]
)
retry_quiet 10 _check_rndc_showzone_newly_added || ret=1
retry_quiet 10 _check_rndc_showzone_newly_added || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -559,9 +561,9 @@ echo_i "deleting newly added zone ($n)"
ret=0
$RNDCCMD 10.53.0.2 delzone 'added.example in external' 2>&1 | sed 's/^/I:ns2 /'
_check_deleting_newly_added_zone() (
$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.$n &&
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null &&
! grep '^a.added.example' dig.out.ns2.$n > /dev/null
$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.$n \
&& grep 'status: REFUSED' dig.out.ns2.$n >/dev/null \
&& ! grep '^a.added.example' dig.out.ns2.$n >/dev/null
)
retry_quiet 10 _check_deleting_newly_added_zone || ret=1
n=$((n + 1))
@ -570,22 +572,22 @@ status=$((status + ret))
echo_i "attempting to add zone to internal view ($n)"
ret=0
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.pre.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.pre.$n > /dev/null || ret=1
$RNDCCMD 10.53.0.2 addzone 'added.example in internal { type primary; file "added.db"; };' 2> rndc.out.ns2.$n && ret=1
grep "permission denied" rndc.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.ext.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.pre.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.pre.$n >/dev/null || ret=1
$RNDCCMD 10.53.0.2 addzone 'added.example in internal { type primary; file "added.db"; };' 2>rndc.out.ns2.$n && ret=1
grep "permission denied" rndc.out.ns2.$n >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.ext.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "attempting to delete a policy zone ($n)"
ret=0
$RNDCCMD 10.53.0.2 delzone 'policy in internal' 2> rndc.out.ns2.$n >&1 && ret=1
grep 'cannot be deleted' rndc.out.ns2.$n > /dev/null || ret=1
$RNDCCMD 10.53.0.2 delzone 'policy in internal' 2>rndc.out.ns2.$n >&1 && ret=1
grep 'cannot be deleted' rndc.out.ns2.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -594,11 +596,11 @@ echo_i "adding new zone again to external view ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone 'added.example in external { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
_check_adding_new_zone_again_external() (
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n &&
grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null &&
$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n &&
grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null &&
grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n \
&& grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null \
&& $DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n \
&& grep 'status: NOERROR' dig.out.ns2.ext.$n >/dev/null \
&& grep '^a.added.example' dig.out.ns2.ext.$n >/dev/null
)
retry_quiet 10 _check_adding_new_zone_again_external || ret=1
n=$((n + 1))
@ -612,9 +614,9 @@ rndc_reconfig ns2 10.53.0.2
echo_i "checking new zone is still loaded after dir change ($n)"
ret=0
$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null || ret=1
grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.ext.$n >/dev/null || ret=1
grep '^a.added.example' dig.out.ns2.ext.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -622,39 +624,39 @@ status=$((status + ret))
echo_i "deleting newly added zone from external ($n)"
ret=0
$RNDCCMD 10.53.0.2 delzone 'added.example in external' 2>&1 | sed 's/^/I:ns2 /'
$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.added.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.added.example' dig.out.ns2.$n >/dev/null && ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "adding new zone to directory view ($n)"
ret=0
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.intpre.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.intpre.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.extpre.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.extpre.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a > dig.out.ns2.dirpre.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.dirpre.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.intpre.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.intpre.$n >/dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.extpre.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.extpre.$n >/dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a >dig.out.ns2.dirpre.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.dirpre.$n >/dev/null || ret=1
$RNDCCMD 10.53.0.2 addzone 'added.example in directory { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.ext.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a > dig.out.ns2.dir.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.dir.$n > /dev/null || ret=1
grep '^a.added.example' dig.out.ns2.dir.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.ext.$n >/dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a >dig.out.ns2.dir.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.dir.$n >/dev/null || ret=1
grep '^a.added.example' dig.out.ns2.dir.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
if $FEATURETEST --with-lmdb; then
echo_i "checking NZD file was created in new-zones-directory ($n)"
expect=ns2/new-zones/directory.nzd
echo_i "checking NZD file was created in new-zones-directory ($n)"
expect=ns2/new-zones/directory.nzd
else
echo_i "checking NZF file was created in new-zones-directory ($n)"
expect=ns2/new-zones/directory.nzf
echo_i "checking NZF file was created in new-zones-directory ($n)"
expect=ns2/new-zones/directory.nzf
fi
$RNDCCMD 10.53.0.2 sync 'added.example IN directory' 2>&1 | sed 's/^/I:ns2 /'
sleep 2
@ -666,9 +668,9 @@ status=$((status + ret))
echo_i "deleting newly added zone from directory ($n)"
ret=0
$RNDCCMD 10.53.0.2 delzone 'added.example in directory' 2>&1 | sed 's/^/I:ns2 /'
$DIG $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.added.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.added.example' dig.out.ns2.$n >/dev/null && ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -676,70 +678,69 @@ status=$((status + ret))
echo_i "ensure the configuration context is cleaned up correctly ($n)"
ret=0
rndc_reconfig ns2 10.53.0.2
$RNDCCMD 10.53.0.2 status > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.2 status >/dev/null 2>&1 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "check delzone after reconfig failure ($n)"
ret=0
$RNDCCMD 10.53.0.3 addzone 'inlinesec.example. IN { type secondary; file "inlinesec.db"; masterfile-format text; primaries { test; }; };' > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone 'inlinesec.example. IN { type secondary; file "inlinesec.db"; masterfile-format text; primaries { test; }; };' >/dev/null 2>&1 || ret=1
copy_setports ns3/named2.conf.in ns3/named.conf
rndc_reconfig ns3 10.53.0.3
$RNDCCMD 10.53.0.3 delzone inlinesec.example > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 delzone inlinesec.example >/dev/null 2>&1 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
if ! $FEATURETEST --with-lmdb
then
echo_i "check that addzone is fully reversed on failure (--with-lmdb=no) ($n)"
ret=0
$RNDCCMD 10.53.0.3 addzone "test1.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone "test2.baz" '{ type primary; file "dne.db"; };' > /dev/null 2>&1 && ret=1
$RNDCCMD 10.53.0.3 addzone "test3.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 delzone "test3.baz" > /dev/null 2>&1 || ret=1
grep test2.baz ns3/_default.nzf > /dev/null && ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
if ! $FEATURETEST --with-lmdb; then
echo_i "check that addzone is fully reversed on failure (--with-lmdb=no) ($n)"
ret=0
$RNDCCMD 10.53.0.3 addzone "test1.baz" '{ type primary; file "e.db"; };' >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone "test2.baz" '{ type primary; file "dne.db"; };' >/dev/null 2>&1 && ret=1
$RNDCCMD 10.53.0.3 addzone "test3.baz" '{ type primary; file "e.db"; };' >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 delzone "test3.baz" >/dev/null 2>&1 || ret=1
grep test2.baz ns3/_default.nzf >/dev/null && ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
fi
_check_version_bind() (
$DIG $DIGOPTS @10.53.0.3 version.bind txt ch > dig.out.test$n &&
grep "status: NOERROR" dig.out.test$n > /dev/null
$DIG $DIGOPTS @10.53.0.3 version.bind txt ch >dig.out.test$n \
&& grep "status: NOERROR" dig.out.test$n >/dev/null
)
echo_i "check that named restarts with multiple added zones ($n)"
ret=0
$RNDCCMD 10.53.0.3 addzone "test4.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone "test5.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone '"test/.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone '"test\".baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone '"test\\.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone '"test\032.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone '"test\010.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone "test4.baz" '{ type primary; file "e.db"; };' >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone "test5.baz" '{ type primary; file "e.db"; };' >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone '"test/.baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone '"test\".baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone '"test\\.baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone '"test\032.baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone '"test\010.baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1
stop_server ns3
start_server --noclean --restart --port ${PORT} ns3 || ret=1
retry_quiet 10 _check_version_bind || ret=1
$DIG $DIGOPTS @10.53.0.3 SOA "test4.baz" > dig.out.1.test$n || ret=1
grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.1.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 SOA "test5.baz" > dig.out.2.test$n || ret=1
grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 SOA 'test/.baz' > dig.out.3.test$n || ret=1
grep "status: NOERROR" dig.out.3.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.3.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 SOA 'test\\.baz' > dig.out.4.test$n || ret=1
grep "status: NOERROR" dig.out.4.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.4.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 SOA 'test\032.baz' > dig.out.5.test$n || ret=1
grep "status: NOERROR" dig.out.5.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.5.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 SOA 'test\010.baz' > dig.out.6.test$n || ret=1
grep "status: NOERROR" dig.out.6.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.6.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 SOA "test4.baz" >dig.out.1.test$n || ret=1
grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1
grep "ANSWER: 1," dig.out.1.test$n >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 SOA "test5.baz" >dig.out.2.test$n || ret=1
grep "status: NOERROR" dig.out.2.test$n >/dev/null || ret=1
grep "ANSWER: 1," dig.out.2.test$n >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 SOA 'test/.baz' >dig.out.3.test$n || ret=1
grep "status: NOERROR" dig.out.3.test$n >/dev/null || ret=1
grep "ANSWER: 1," dig.out.3.test$n >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 SOA 'test\\.baz' >dig.out.4.test$n || ret=1
grep "status: NOERROR" dig.out.4.test$n >/dev/null || ret=1
grep "ANSWER: 1," dig.out.4.test$n >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 SOA 'test\032.baz' >dig.out.5.test$n || ret=1
grep "status: NOERROR" dig.out.5.test$n >/dev/null || ret=1
grep "ANSWER: 1," dig.out.5.test$n >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 SOA 'test\010.baz' >dig.out.6.test$n || ret=1
grep "status: NOERROR" dig.out.6.test$n >/dev/null || ret=1
grep "ANSWER: 1," dig.out.6.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))


@ -14,6 +14,6 @@
. ../conf.sh
copy_setports ../_common/controls.conf.in ns2/controls.conf
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named01.conf.in ns2/named.conf
copy_setports ns3/named1.conf.in ns3/named.conf
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named01.conf.in ns2/named.conf
copy_setports ns3/named1.conf.in ns3/named.conf


@ -61,15 +61,15 @@ DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnss
status=0
n=0
nextpart ns2/named.run > /dev/null
nextpart ns2/named.run >/dev/null
# Test 1 - default, query allowed
n=$((n + 1))
echo_i "test $n: default - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -80,9 +80,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: explicit any - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -93,11 +93,11 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: none - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
nextpart ns2/named.run | grep 'recursion not enabled for view' > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
nextpart ns2/named.run | grep 'recursion not enabled for view' >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -106,10 +106,10 @@ DIGNOEDNS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +no
echo_i "test $n: none - query refused (no edns)"
ret=0
$DIG $DIGNOEDNS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null && ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGNOEDNS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null && ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -120,9 +120,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: address allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -133,10 +133,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: address not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -147,10 +147,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: address disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -161,9 +161,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: acl allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -174,14 +174,13 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: acl not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
# Test 9 - acl disallowed, query refused
n=$((n + 1))
copy_setports ns2/named09.conf.in ns2/named.conf
@ -189,10 +188,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: acl disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -203,9 +202,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: key allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -216,10 +215,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: key not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:two:1234efgh8765" a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:two:1234efgh8765" a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -230,10 +229,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: key disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -247,9 +246,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views default - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -260,9 +259,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views explicit any - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -273,10 +272,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views none - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -287,9 +286,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views address allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -300,10 +299,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views address not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -314,10 +313,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views address disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -328,9 +327,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views acl allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -341,10 +340,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views acl not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -355,10 +354,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views acl disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -369,9 +368,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views key allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -382,10 +381,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views key not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:two:1234efgh8765" a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:two:1234efgh8765" a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -396,10 +395,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views key disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -410,9 +409,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views over options, views allow - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -423,10 +422,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views over options, views disallow - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -441,9 +440,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: zone default - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -451,9 +450,9 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: zone explicit any - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.any.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.any.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.any.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.any.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -461,10 +460,10 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: zone none - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.none.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.none.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.none.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.none.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -472,9 +471,9 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: zone address allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrallow.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.addrallow.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrallow.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.addrallow.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -482,10 +481,10 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: zone address not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrnotallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.addrnotallow.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrnotallow.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.addrnotallow.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -493,10 +492,10 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: zone address disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrdisallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.addrdisallow.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrdisallow.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.addrdisallow.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -504,9 +503,9 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: zone acl allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclallow.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.aclallow.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclallow.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.aclallow.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -514,10 +513,10 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: zone acl not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.aclnotallow.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.aclnotallow.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -525,10 +524,10 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: zone acl disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.acldisallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.acldisallow.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.acldisallow.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.acldisallow.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -536,9 +535,9 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: zone key allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.keyallow.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.keyallow.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -546,10 +545,10 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: zone key not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:two:1234efgh8765" a.keyallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:two:1234efgh8765" a.keyallow.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -557,10 +556,10 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: zone key disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.keydisallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.keydisallow.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.keydisallow.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -571,9 +570,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views over options, views allow - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -584,10 +583,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views over options, views disallow - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -598,9 +597,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: zones over views, views allow - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -611,10 +610,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: zones over views, views disallow - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -625,13 +624,13 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: zones over views, allow-query-on"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.1.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.1.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.1.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.2.$n > /dev/null || ret=1
grep '^a.aclnotallow.example' dig.out.ns2.2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.1.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.1.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.1.$n >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a >dig.out.ns2.2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.2.$n >/dev/null || ret=1
grep '^a.aclnotallow.example' dig.out.ns2.2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -639,13 +638,13 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: default allow-recursion configuration"
ret=0
nextpart ns3/named.run > /dev/null
$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 a.normal.example a > dig.out.ns3.1.$n
grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 a.normal.example a > dig.out.ns3.2.$n
grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion did not match' > /dev/null || ret=1
nextpart ns3/named.run >/dev/null
$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 a.normal.example a >dig.out.ns3.1.$n
grep 'status: NOERROR' dig.out.ns3.1.$n >/dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 a.normal.example a >dig.out.ns3.2.$n
grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion did not match' >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -653,12 +652,12 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: default allow-query-cache configuration"
ret=0
$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 ns . > dig.out.ns3.1.$n
grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 ns . > dig.out.ns3.2.$n
grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion did not match' > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 ns . >dig.out.ns3.1.$n
grep 'status: NOERROR' dig.out.ns3.1.$n >/dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 ns . >dig.out.ns3.2.$n
grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion did not match' >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -670,14 +669,14 @@ rndc_reload ns3 10.53.0.3
echo_i "test $n: block recursion-on, allow query-cache-on"
ret=0
# this should query the cache, and an answer should already be there
$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n
grep 'recursion requested but not available' dig.out.ns3.1.$n > /dev/null || ret=1
grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 a.normal.example a >dig.out.ns3.1.$n
grep 'recursion requested but not available' dig.out.ns3.1.$n >/dev/null || ret=1
grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1
# this should require recursion and therefore can't get an answer
$DIG -p ${PORT} @10.53.0.3 b.normal.example a > dig.out.ns3.2.$n
grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'ANSWER: 0' dig.out.ns3.2.$n > /dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion-on did not match' > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 b.normal.example a >dig.out.ns3.2.$n
grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'ANSWER: 0' dig.out.ns3.2.$n >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion-on did not match' >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -689,22 +688,22 @@ rndc_reload ns3 10.53.0.3
echo_i "test $n: inheritance of allow-query-cache-on"
ret=0
# this should query the cache, an answer should already be there
$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n
grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 a.normal.example a >dig.out.ns3.1.$n
grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1
# this should be refused due to allow-recursion-on/allow-query-cache-on
$DIG -p ${PORT} @10.53.1.2 a.normal.example a > dig.out.ns3.2.$n
grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.1.2 a.normal.example a >dig.out.ns3.2.$n
grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1
# this should require recursion and should be allowed
$DIG -p ${PORT} @10.53.0.3 c.normal.example a > dig.out.ns3.3.$n
grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 c.normal.example a >dig.out.ns3.3.$n
grep 'ANSWER: 1' dig.out.ns3.3.$n >/dev/null || ret=1
# this should require recursion and be refused
$DIG -p ${PORT} @10.53.1.2 d.normal.example a > dig.out.ns3.4.$n
grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n > /dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion-on did not match' > /dev/null || ret=1
$DIG -p ${PORT} @10.53.1.2 d.normal.example a >dig.out.ns3.4.$n
grep 'recursion requested but not available' dig.out.ns3.4.$n >/dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.4.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion-on did not match' >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -716,22 +715,22 @@ rndc_reload ns3 10.53.0.3
echo_i "test $n: inheritance of allow-recursion-on"
ret=0
# this should query the cache, an answer should already be there
$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n
grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 a.normal.example a >dig.out.ns3.1.$n
grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1
# this should be refused due to allow-recursion-on/allow-query-cache-on
$DIG -p ${PORT} @10.53.1.2 a.normal.example a > dig.out.ns3.2.$n
grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.1.2 a.normal.example a >dig.out.ns3.2.$n
grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1
# this should require recursion and should be allowed
$DIG -p ${PORT} @10.53.0.3 e.normal.example a > dig.out.ns3.3.$n
grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 e.normal.example a >dig.out.ns3.3.$n
grep 'ANSWER: 1' dig.out.ns3.3.$n >/dev/null || ret=1
# this should require recursion and be refused
$DIG -p ${PORT} @10.53.1.2 f.normal.example a > dig.out.ns3.4.$n
grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n > /dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion-on did not match' > /dev/null || ret=1
$DIG -p ${PORT} @10.53.1.2 f.normal.example a >dig.out.ns3.4.$n
grep 'recursion requested but not available' dig.out.ns3.4.$n >/dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.4.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion-on did not match' >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))


@ -22,13 +22,11 @@ n=0
n=$((n + 1))
echo_i "wait for zones to finish transferring to ns2 ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
for i in 1 2 3 4 5 6 7 8 9 10; do
ret=0
for zone in example.com example.net
do
$DIG $DIGOPTS @10.53.0.2 soa $zone > dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
for zone in example.com example.net; do
$DIG $DIGOPTS @10.53.0.2 soa $zone >dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
done
[ $ret -eq 0 ] && break
sleep 1
@ -43,44 +41,44 @@ status=$((status + ret))
n=$((n + 1))
echo_i "check that cross-zone CNAME record does not return target data (rd=0/ra=0) ($n)"
ret=0
$DIG $DIGOPTS +norec @10.53.0.1 www.example.com > dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1
$DIG $DIGOPTS +norec @10.53.0.1 www.example.com >dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
grep "flags: qr aa;" dig.out.test$n >/dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n >/dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n >/dev/null && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
n=$((n + 1))
echo_i "check that cross-zone CNAME record does not return target data (rd=1/ra=0) ($n)"
ret=0
$DIG $DIGOPTS +rec @10.53.0.1 www.example.com > dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1
$DIG $DIGOPTS +rec @10.53.0.1 www.example.com >dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
grep "flags: qr aa rd;" dig.out.test$n >/dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n >/dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n >/dev/null && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
n=$((n + 1))
echo_i "check that cross-zone CNAME record does not return target data (rd=0/ra=1) ($n)"
ret=0
$DIG $DIGOPTS +norec @10.53.0.2 www.example.com > dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1
$DIG $DIGOPTS +norec @10.53.0.2 www.example.com >dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
grep "flags: qr aa ra;" dig.out.test$n >/dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n >/dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n >/dev/null && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
n=$((n + 1))
echo_i "check that cross-zone CNAME records return target data (rd=1/ra=1) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 www.example.com > dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 www.example.com >dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1
grep "flags: qr aa rd ra;" dig.out.test$n >/dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n >/dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n >/dev/null || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
@ -90,100 +88,100 @@ status=$((status + ret))
n=$((n + 1))
echo_i "check that in-zone CNAME records return target data (rd=0/ra=0) ($n)"
ret=0
$DIG $DIGOPTS +norec @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +norec @10.53.0.1 inzone.example.com >dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1
grep "flags: qr aa;" dig.out.test$n >/dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n >/dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n >/dev/null || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
n=$((n + 1))
echo_i "check that in-zone CNAME records returns target data (rd=1/ra=0) ($n)"
ret=0
$DIG $DIGOPTS +rec @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +rec @10.53.0.1 inzone.example.com >dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1
grep "flags: qr aa rd;" dig.out.test$n >/dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n >/dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n >/dev/null || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
n=$((n + 1))
echo_i "check that in-zone CNAME records return target data (rd=0/ra=1) ($n)"
ret=0
$DIG $DIGOPTS +norec @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +norec @10.53.0.2 inzone.example.com >dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1
grep "flags: qr aa ra;" dig.out.test$n >/dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n >/dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n >/dev/null || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
n=$((n + 1))
echo_i "check that in-zone CNAME records return target data (rd=1/ra=1) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 inzone.example.com >dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1
grep "flags: qr aa rd ra;" dig.out.test$n >/dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n >/dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n >/dev/null || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
n=$((n + 1))
echo_i "check that in-zone CNAME records does not return target data when QTYPE is CNAME (rd=1/ra=1) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -t cname inzone.example.com > dig.out.test$n || ret=1
grep 'ANSWER: 1,' dig.out.test$n > /dev/null || ret=1
grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1
grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null || ret=1
grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -t cname inzone.example.com >dig.out.test$n || ret=1
grep 'ANSWER: 1,' dig.out.test$n >/dev/null || ret=1
grep 'flags: qr aa rd ra;' dig.out.test$n >/dev/null || ret=1
grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n >/dev/null || ret=1
grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n >/dev/null && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
n=$((n + 1))
echo_i "check that in-zone CNAME records does not return target data when QTYPE is ANY (rd=1/ra=1) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -t any inzone.example.com > dig.out.test$n || ret=1
grep 'ANSWER: 1,' dig.out.test$n > /dev/null || ret=1
grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1
grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null || ret=1
grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -t any inzone.example.com >dig.out.test$n || ret=1
grep 'ANSWER: 1,' dig.out.test$n >/dev/null || ret=1
grep 'flags: qr aa rd ra;' dig.out.test$n >/dev/null || ret=1
grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n >/dev/null || ret=1
grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n >/dev/null && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
n=$((n + 1))
echo_i "check that in-zone DNAME records does not return target data when QTYPE is CNAME (rd=1/ra=1) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -t cname inzone.dname.example.com > dig.out.test$n || ret=1
grep 'ANSWER: 2,' dig.out.test$n > /dev/null || ret=1
grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1
grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n > /dev/null || ret=1
grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n > /dev/null || ret=1
grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null && ret=1
grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -t cname inzone.dname.example.com >dig.out.test$n || ret=1
grep 'ANSWER: 2,' dig.out.test$n >/dev/null || ret=1
grep 'flags: qr aa rd ra;' dig.out.test$n >/dev/null || ret=1
grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n >/dev/null || ret=1
grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n >/dev/null || ret=1
grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n >/dev/null && ret=1
grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n >/dev/null && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
n=$((n + 1))
echo_i "check that in-zone DNAME records does not return target data when QTYPE is ANY (rd=1/ra=1) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -t any inzone.dname.example.com > dig.out.test$n || ret=1
grep 'ANSWER: 2,' dig.out.test$n > /dev/null || ret=1
grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1
grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n > /dev/null || ret=1
grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n > /dev/null || ret=1
grep 'inzone\.example\.com.*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null && ret=1
grep 'a\.example\.com.*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -t any inzone.dname.example.com >dig.out.test$n || ret=1
grep 'ANSWER: 2,' dig.out.test$n >/dev/null || ret=1
grep 'flags: qr aa rd ra;' dig.out.test$n >/dev/null || ret=1
grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n >/dev/null || ret=1
grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n >/dev/null || ret=1
grep 'inzone\.example\.com.*CNAME.a\.example\.com\.' dig.out.test$n >/dev/null && ret=1
grep 'a\.example\.com.*A.10\.53\.0\.1' dig.out.test$n >/dev/null && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
n=$((n + 1))
echo_i "check that CHAOS addresses are compared correctly ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.1 +noall +answer ch test.example.chaos > dig.out.test$n
lines=$(wc -l < dig.out.test$n)
$DIG $DIGOPTS @10.53.0.1 +noall +answer ch test.example.chaos >dig.out.test$n
lines=$(wc -l <dig.out.test$n)
[ ${lines:-0} -eq 2 ] || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))


@ -17,9 +17,9 @@ zone=.
zonefile=root.db
infile=root.db.in
(cd ../ns2 && $SHELL keygen.sh )
(cd ../ns2 && $SHELL keygen.sh)
cat $infile ../ns2/dsset-example. ../ns2/dsset-bar. > $zonefile
cat $infile ../ns2/dsset-example. ../ns2/dsset-bar. >$zonefile
zskact=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone)
zskvanish=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone)
@ -34,22 +34,22 @@ rm $zsknopriv.private
ksksby=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -P now -A now -fk $zone)
kskrev=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -R now -fk $zone)
keyfile_to_static_ds $ksksby > trusted.conf
keyfile_to_static_ds $ksksby >trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf
keyfile_to_static_ds $kskrev > trusted.conf
keyfile_to_static_ds $kskrev >trusted.conf
cp trusted.conf ../ns5/trusted.conf
echo $zskact > ../active.key
echo $zskvanish > ../vanishing.key
echo $zskdel > ../del.key
echo $zskinact > ../inact.key
echo $zskunpub > ../unpub.key
echo $zsknopriv > ../nopriv.key
echo $zsksby > ../standby.key
echo $zskactnowpub1d > ../activate-now-publish-1day.key
$REVOKE -R $kskrev > ../rev.key
echo $zskact >../active.key
echo $zskvanish >../vanishing.key
echo $zskdel >../del.key
echo $zskinact >../inact.key
echo $zskunpub >../unpub.key
echo $zsknopriv >../nopriv.key
echo $zsksby >../standby.key
echo $zskactnowpub1d >../activate-now-publish-1day.key
$REVOKE -R $kskrev >../rev.key
$SIGNER -S -o . -O full root.db > signing.out 2>&1
$SIGNER -S -o . -O full root.db >signing.out 2>&1
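Review bot: The signing step on the last line discards its exit status, so a failed `dnssec-signzone` leaves a stale or missing signed root zone and the failure only surfaces later as validation errors in the test run; the same applies to the `$KEYGEN` command substitutions near the top of the hunk, where a failure leaves the variable empty and `echo $zskact >../active.key` then writes an empty key file. This predates the reformat, but the sibling ns3 setup script in this same commit already uses an `|| dumpit <log>` guard on every keygen/signer call, and this script should be consistent with it, e.g. `$SIGNER -S -o . -O full root.db >signing.out 2>&1 || { cat signing.out; exit 1; }`. At minimum the key variables should be checked non-empty before they are written out, e.g. `[ -n "$zskact" ] || exit 1`.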


@ -14,55 +14,53 @@
. ../../conf.sh
# Have the child generate subdomain keys and pass DS sets to us.
( cd ../ns3 && $SHELL keygen.sh )
(cd ../ns3 && $SHELL keygen.sh)
for subdomain in secure nsec3 optout rsasha256 rsasha512 \
nsec3-to-nsec oldsigs dname-at-apex-nsec3
do
cp ../ns3/dsset-$subdomain.example. .
nsec3-to-nsec oldsigs dname-at-apex-nsec3; do
cp ../ns3/dsset-$subdomain.example. .
done
# Create keys and pass the DS to the parent.
zone=example
zonefile="${zone}.db"
infile="${zonefile}.in"
cat $infile dsset-*.example. > $zonefile
cat $infile dsset-*.example. >$zonefile
kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null
$DSFROMKEY $kskname.key > dsset-${zone}.
$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone >/dev/null
$DSFROMKEY $kskname.key >dsset-${zone}.
# Create keys for a private secure zone.
zone=private.secure.example
zonefile="${zone}.db"
infile="${zonefile}.in"
ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null
keyfile_to_static_ds $ksk > private.conf
$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone >/dev/null
keyfile_to_static_ds $ksk >private.conf
cp private.conf ../ns4/private.conf
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > signing.privsec.out 2>&1
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >signing.privsec.out 2>&1
# Extract saved keys for the revoke-to-duplicate-key test
zone=bar
zonefile="${zone}.db"
infile="${zonefile}.in"
cat $infile > $zonefile
cat $infile >$zonefile
for i in Xbar.+013+59973.key Xbar.+013+59973.private \
Xbar.+013+60101.key Xbar.+013+60101.private
do
cp $i $(echo $i | sed s/X/K/)
Xbar.+013+60101.key Xbar.+013+60101.private; do
cp $i $(echo $i | sed s/X/K/)
done
$KEYGEN -a ECDSAP256SHA256 -q $zone > /dev/null
$DSFROMKEY Kbar.+013+60101.key > dsset-bar.
$SIGNER -S -o bar. -O full $zonefile > signing.bar.out 2>&1
$KEYGEN -a ECDSAP256SHA256 -q $zone >/dev/null
$DSFROMKEY Kbar.+013+60101.key >dsset-bar.
$SIGNER -S -o bar. -O full $zonefile >signing.bar.out 2>&1
# a zone with empty non-terminals.
zone=optout-with-ent
zonefile=optout-with-ent.db
infile=optout-with-ent.db.in
cat $infile > $zonefile
cat $infile >$zonefile
kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null
$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone >/dev/null
# Copy zone input files
cp child.nsec3.example.db.in child.nsec3.example.db


@ -15,45 +15,45 @@
SYSTESTDIR=autosign
dumpit () {
echo_d "${debug}: dumping ${1}"
cat "${1}" | cat_d
dumpit() {
echo_d "${debug}: dumping ${1}"
cat "${1}" | cat_d
}
setup () {
echo_i "setting up zone: $1"
debug="$1"
zone="$1"
zonefile="${zone}.db"
infile="${zonefile}.in"
n=$((${n:-0} + 1))
setup() {
echo_i "setting up zone: $1"
debug="$1"
zone="$1"
zonefile="${zone}.db"
infile="${zonefile}.in"
n=$((${n:-0} + 1))
}
mkdir inactive
setup secure.example
cp $infile $zonefile
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# NSEC3/NSEC test zone
#
setup secure.nsec3.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# NSEC3/NSEC3 test zone
#
setup nsec3.nsec3.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# Jitter/NSEC3 test zone
@ -61,10 +61,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}.
setup jitter.nsec3.example
cp $infile $zonefile
count=1
while [ $count -le 1000 ]
do
echo "label${count} IN TXT label${count}" >> $zonefile
count=$((count + 1))
while [ $count -le 1000 ]; do
echo "label${count} IN TXT label${count}" >>$zonefile
count=$((count + 1))
done
# Don't create keys just yet, because the scenario we want to test
# is an unsigned zone that has a NSEC3PARAM record added with
@ -75,98 +74,100 @@ done
#
setup optout.nsec3.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# A nsec3 zone (non-optout).
#
setup nsec3.example
cat $infile dsset-*.${zone}. > $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
cat $infile dsset-*.${zone}. >$zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# An NSEC3 zone, with NSEC3 parameters set prior to signing
#
setup autonsec3.example
cat $infile > $zonefile
ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
echo $ksk > ../autoksk.key
zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
echo $zsk > ../autozsk.key
$DSFROMKEY $ksk.key > dsset-${zone}.
cat $infile >$zonefile
ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
echo $ksk >../autoksk.key
zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
echo $zsk >../autozsk.key
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# OPTOUT/NSEC test zone
#
setup secure.optout.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# OPTOUT/NSEC3 test zone
#
setup nsec3.optout.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# OPTOUT/OPTOUT test zone
#
setup optout.optout.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# A optout nsec3 zone.
#
setup optout.example
cat $infile dsset-*.${zone}. > $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
cat $infile dsset-*.${zone}. >$zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# A RSASHA256 zone.
#
setup rsasha256.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA256 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA256 -b 2048 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# A RSASHA512 zone.
#
setup rsasha512.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA512 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA512 -b 2048 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# NSEC-only zone. A zone using NSEC-only DNSSEC algorithms.
# None of these algorithms are supported for signing in FIPS mode
# as they are MD5 and SHA1 based.
#
if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1)
then
setup nsec-only.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
if (
cd ..
$SHELL ../testcrypto.sh -q RSASHA1
); then
setup nsec-only.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA1 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
else
echo_i "skip: nsec-only.example - signing with RSASHA1 not supported"
echo_i "skip: nsec-only.example - signing with RSASHA1 not supported"
fi
#
@ -176,14 +177,13 @@ fi
setup oldsigs.example
cp $infile $zonefile
count=1
while [ $count -le 1000 ]
do
echo "label${count} IN TXT label${count}" >> $zonefile
count=$((count + 1))
while [ $count -le 1000 ]; do
echo "label${count} IN TXT label${count}" >>$zonefile
count=$((count + 1))
done
$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out
$SIGNER -PS -x -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile > s.out || dumpit s.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out
$SIGNER -PS -x -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile >s.out || dumpit s.out
cp $zonefile.signed $zonefile.bak
mv $zonefile.signed $zonefile
@ -191,19 +191,19 @@ mv $zonefile.signed $zonefile
# NSEC3->NSEC transition test zone.
#
setup nsec3-to-nsec.example
$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out || dumpit s.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >s.out || dumpit s.out
#
# Introducing a pre-published key test.
#
setup prepub.example
infile="prepub.example.db.in"
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone 2> kg.out) || dumpit kg.out
echo $zsk > ../prepub.key
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone >kg.out 2>&1 || dumpit kg.out
zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone 2>kg.out) || dumpit kg.out
echo $zsk >../prepub.key
$SIGNER -S -3 beef -o $zone -f $zonefile $infile >s.out || dumpit s.out
#
# Key TTL tests.
@ -211,36 +211,36 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
# no default key TTL; DNSKEY should get SOA TTL
setup ttl1.example
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone >kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
cp $infile $zonefile
# default key TTL should be used
setup ttl2.example
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $zone >kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone >kg.out 2>&1 || dumpit kg.out
cp $infile $zonefile
# mismatched key TTLs, should use shortest
setup ttl3.example
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $zone >kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone >kg.out 2>&1 || dumpit kg.out
cp $infile $zonefile
# existing DNSKEY RRset, should retain TTL
setup ttl4.example
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out
cat ${infile} K${zone}.+*.key > $zonefile
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $zone >kg.out 2>&1 || dumpit kg.out
cat ${infile} K${zone}.+*.key >$zonefile
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone >kg.out 2>&1 || dumpit kg.out
#
# A zone with a DNSKEY RRset that is published before it's activated
#
setup delay.example
ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
echo $ksk > ../delayksk.key
zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
echo $zsk > ../delayzsk.key
ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
echo $ksk >../delayksk.key
zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
echo $zsk >../delayzsk.key
cp delay.example.db.in delay.example.db
#
@ -248,10 +248,10 @@ cp delay.example.db.in delay.example.db
# is missing.
#
setup noksk.example
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
echo $ksk > ../noksk-ksk.key
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out
echo $ksk >../noksk-ksk.key
rm -f ${ksk}.private
#
@ -259,11 +259,11 @@ rm -f ${ksk}.private
# is missing.
#
setup nozsk.example
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
echo $ksk > ../nozsk-ksk.key
echo $zsk > ../nozsk-zsk.key
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out
echo $ksk >../nozsk-ksk.key
echo $zsk >../nozsk-zsk.key
rm -f ${zsk}.private
#
@ -271,48 +271,48 @@ rm -f ${zsk}.private
# is inactive.
#
setup inaczsk.example
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
echo $ksk > ../inaczsk-ksk.key
echo $zsk > ../inaczsk-zsk.key
$SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out
echo $ksk >../inaczsk-ksk.key
echo $zsk >../inaczsk-zsk.key
$SETTIME -I now $zsk >st.out 2>&1 || dumpit st.out
#
# A zone that is set to 'dnssec-policy' during a reconfig
#
setup reconf.example
cp secure.example.db.in $zonefile
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone >kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
#
# A zone which generates CDS and CDNSEY RRsets automatically (with an additional CSK)
#
setup sync.example
cp $infile $zonefile
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
echo ns3/$ksk > ../sync.key
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2>kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
echo ns3/$ksk >../sync.key
#
# A zone that generates CDS and CDNSKEY automatically
#
setup kskonly.example
cp $infile $zonefile
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2>kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# A zone that has a published inactive key that is autosigned.
#
setup inaczsk2.example
cp $infile $zonefile
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# A zone that starts with an active KSK + ZSK and an inactive ZSK, with the
@ -320,19 +320,19 @@ $DSFROMKEY $ksk.key > dsset-${zone}.
#
setup delzsk.example
cp $infile $zonefile
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -I now-1w $zone 2>kg.out) || dumpit kg.out
cat $zsk.key >> $zonefile
cat $zsk.key >>$zonefile
mv $zsk.key inactive/
mv $zsk.private inactive/
echo $zsk > ../delzsk.key
echo $zsk >../delzsk.key
#
# Check that NSEC3 are correctly signed and returned from below a DNAME
#
setup dname-at-apex-nsec3.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
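Review bot: `dumpit` (new-side definition at the top of the section) only echoes and dumps the log file and then returns, so every `ksk=$($KEYGEN ... 2>kg.out) || dumpit kg.out` in this script continues with an empty `$ksk`, and the following `$DSFROMKEY $ksk.key >dsset-${zone}.` runs against the literal path `.key`; the error is visible in the debug output but the setup does not fail where the problem is. If the intent is to abort on a generation or signing error, the helper should end with `exit 1` after the dump; if continuing is intentional, a comment saying so would save the next reader the same question. Separately, `cat "${1}" | cat_d` can be `cat_d <"${1}"`, and in the `if ( cd .. ; $SHELL ../testcrypto.sh -q RSASHA1 )` subshell a failed `cd ..` is not checked, so `cd .. || exit 1` would keep the probe from running from the wrong directory. These points predate the reformat and are unaffected by it.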



@ -126,41 +126,47 @@ n=$((n + 1))
ret=0
count=0
echo_i "Checking expected empty zones were configured ($n)"
for zone in ${emptyzones}
do
grep "automatic empty zone: $zone" ns1/named.run > /dev/null || {
echo_i "failed (empty zone $zone missing)"
ret=1
}
count=$((count + 1))
for zone in ${emptyzones}; do
grep "automatic empty zone: $zone" ns1/named.run >/dev/null || {
echo_i "failed (empty zone $zone missing)"
ret=1
}
count=$((count + 1))
done
lines=$(grep "automatic empty zone: " ns1/named.run | wc -l)
test $count -eq $lines -a $count -eq 99 || {
ret=1; echo_i "failed (count mismatch)";
ret=1
echo_i "failed (count mismatch)"
}
if [ $ret != 0 ] ; then status=$((status + ret)); fi
if [ $ret != 0 ]; then status=$((status + ret)); fi
n=$((n + 1))
echo_i "Checking that reconfiguring empty zones is silent ($n)"
$RNDCCMD 10.53.0.1 reconfig
ret=0
grep "automatic empty zone" ns1/named.run > /dev/null || ret=1
grep "received control channel command 'reconfig'" ns1/named.run > /dev/null || ret=1
grep "reloading configuration succeeded" ns1/named.run > /dev/null || ret=1
grep "automatic empty zone" ns1/named.run >/dev/null || ret=1
grep "received control channel command 'reconfig'" ns1/named.run >/dev/null || ret=1
grep "reloading configuration succeeded" ns1/named.run >/dev/null || ret=1
sleep 1
grep "zone serial (0) unchanged." ns1/named.run > /dev/null && ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
grep "zone serial (0) unchanged." ns1/named.run >/dev/null && ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
n=$((n + 1))
echo_i "Checking that reloading empty zones is silent ($n)"
rndc_reload ns1 10.53.0.1
ret=0
grep "automatic empty zone" ns1/named.run > /dev/null || ret=1
grep "received control channel command 'reload'" ns1/named.run > /dev/null || ret=1
grep "reloading configuration succeeded" ns1/named.run > /dev/null || ret=1
grep "automatic empty zone" ns1/named.run >/dev/null || ret=1
grep "received control channel command 'reload'" ns1/named.run >/dev/null || ret=1
grep "reloading configuration succeeded" ns1/named.run >/dev/null || ret=1
sleep 1
grep "zone serial (0) unchanged." ns1/named.run > /dev/null && ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
grep "zone serial (0) unchanged." ns1/named.run >/dev/null && ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
HOST_NAME=$($FEATURETEST --gethostname)
BIND_VERSION_STRING=$($NAMED -V | head -1)
@ -169,80 +175,113 @@ BIND_VERSION=$($NAMED -V | sed -ne 's/^BIND \([^ ]*\).*/\1/p')
n=$((n + 1))
ret=0
echo_i "Checking that default version works for rndc ($n)"
$RNDCCMD 10.53.0.1 status > rndc.status.ns1.$n 2>&1
grep -F "version: $BIND_VERSION_STRING" rndc.status.ns1.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
$RNDCCMD 10.53.0.1 status >rndc.status.ns1.$n 2>&1
grep -F "version: $BIND_VERSION_STRING" rndc.status.ns1.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
n=$((n + 1))
ret=0
echo_i "Checking that custom version works for rndc ($n)"
$RNDCCMD 10.53.0.3 status > rndc.status.ns3.$n 2>&1
grep -F "version: $BIND_VERSION_STRING (this is a test of version)" rndc.status.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
$RNDCCMD 10.53.0.3 status >rndc.status.ns3.$n 2>&1
grep -F "version: $BIND_VERSION_STRING (this is a test of version)" rndc.status.ns3.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
n=$((n + 1))
ret=0
echo_i "Checking that default version works for query ($n)"
$DIG $DIGOPTS +short version.bind txt ch @10.53.0.1 > dig.out.ns1.$n || ret=1
grep "^\"$BIND_VERSION\"$" dig.out.ns1.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
$DIG $DIGOPTS +short version.bind txt ch @10.53.0.1 >dig.out.ns1.$n || ret=1
grep "^\"$BIND_VERSION\"$" dig.out.ns1.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
n=$((n + 1))
ret=0
echo_i "Checking that custom version works for query ($n)"
$DIG $DIGOPTS +short version.bind txt ch @10.53.0.3 > dig.out.ns3.$n || ret=1
grep "^\"this is a test of version\"$" dig.out.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
$DIG $DIGOPTS +short version.bind txt ch @10.53.0.3 >dig.out.ns3.$n || ret=1
grep "^\"this is a test of version\"$" dig.out.ns3.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
n=$((n + 1))
ret=0
echo_i "Checking that default hostname works for query ($n)"
$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.1 > dig.out.ns1.$n || ret=1
grep "^\"$HOST_NAME\"$" dig.out.ns1.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.1 >dig.out.ns1.$n || ret=1
grep "^\"$HOST_NAME\"$" dig.out.ns1.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
n=$((n + 1))
ret=0
echo_i "Checking that custom hostname works for query ($n)"
$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.3 > dig.out.ns3.$n || ret=1
grep "^\"this.is.a.test.of.hostname\"$" dig.out.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.3 >dig.out.ns3.$n || ret=1
grep "^\"this.is.a.test.of.hostname\"$" dig.out.ns3.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
n=$((n + 1))
ret=0
echo_i "Checking that default server-id is none for query ($n)"
$DIG $DIGOPTS id.server txt ch @10.53.0.1 > dig.out.ns1.$n || ret=1
grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns1.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
$DIG $DIGOPTS id.server txt ch @10.53.0.1 >dig.out.ns1.$n || ret=1
grep "status: NOERROR" dig.out.ns1.$n >/dev/null || ret=1
grep "ANSWER: 0" dig.out.ns1.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
n=$((n + 1))
ret=0
echo_i "Checking that server-id hostname works for query ($n)"
$DIG $DIGOPTS +short id.server txt ch @10.53.0.2 > dig.out.ns2.$n || ret=1
grep "^\"$HOST_NAME\"$" dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
$DIG $DIGOPTS +short id.server txt ch @10.53.0.2 >dig.out.ns2.$n || ret=1
grep "^\"$HOST_NAME\"$" dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
n=$((n + 1))
ret=0
echo_i "Checking that server-id hostname works for EDNS name server ID request ($n)"
$DIG $DIGOPTS +norec +nsid foo @10.53.0.2 > dig.out.ns2.$n || ret=1
grep "^; NSID: .* (\"$HOST_NAME\")$" dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
$DIG $DIGOPTS +norec +nsid foo @10.53.0.2 >dig.out.ns2.$n || ret=1
grep "^; NSID: .* (\"$HOST_NAME\")$" dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
n=$((n + 1))
ret=0
echo_i "Checking that custom server-id works for query ($n)"
$DIG $DIGOPTS +short id.server txt ch @10.53.0.3 > dig.out.ns3.$n || ret=1
grep "^\"this.is.a.test.of.server-id\"$" dig.out.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
$DIG $DIGOPTS +short id.server txt ch @10.53.0.3 >dig.out.ns3.$n || ret=1
grep "^\"this.is.a.test.of.server-id\"$" dig.out.ns3.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
n=$((n + 1))
ret=0
echo_i "Checking that custom server-id works for EDNS name server ID request ($n)"
$DIG $DIGOPTS +norec +nsid foo @10.53.0.3 > dig.out.ns3.$n || ret=1
grep "^; NSID: .* (\"this.is.a.test.of.server-id\")$" dig.out.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
$DIG $DIGOPTS +norec +nsid foo @10.53.0.3 >dig.out.ns3.$n || ret=1
grep "^; NSID: .* (\"this.is.a.test.of.server-id\")$" dig.out.ns3.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
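Review bot: In the "reconfiguring empty zones is silent" check, `grep "automatic empty zone" ns1/named.run >/dev/null || ret=1` scans the whole log since startup, so it is already satisfied by the 99 startup lines counted a few lines earlier and proves nothing about the reconfig; likewise the `grep "zone serial (0) unchanged." ... && ret=1` check can be tripped by output from any earlier part of the run, not just the reconfig. The same applies to the reload check that follows it. Scoping both checks to the log written after the `rndc` call (the suite's `nextpart` helper, if it is available in this test, or a line count taken before the command) would make them meaningful. The `$RNDCCMD 10.53.0.1 reconfig` exit status is also unchecked; moving `ret=0` above it and writing `$RNDCCMD 10.53.0.1 reconfig || ret=1` would catch a rejected command instead of relying on the log greps. These issues predate the reformat and are unaffected by it.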


@ -23,12 +23,12 @@ DIGOPTS="+nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm \
+nostat @10.53.0.2 -p ${PORT}"
# fill the cache with nodes from flushtest.example zone
load_cache () {
# empty all existing cache data
$RNDC $RNDCOPTS flush
load_cache() {
# empty all existing cache data
$RNDC $RNDCOPTS flush
# load the positive cache entries
$DIG $DIGOPTS -f - << EOF > /dev/null 2>&1
# load the positive cache entries
$DIG $DIGOPTS -f - <<EOF >/dev/null 2>&1
txt top1.flushtest.example
txt second1.top1.flushtest.example
txt third1.second1.top1.flushtest.example
@ -47,42 +47,42 @@ txt third2.second2.top3.flushtest.example
txt second3.top3.flushtest.example
EOF
# load the negative cache entries
# nxrrset:
$DIG $DIGOPTS a third1.second1.top1.flushtest.example > /dev/null
# nxdomain:
$DIG $DIGOPTS txt top4.flushtest.example > /dev/null
# empty nonterminal:
$DIG $DIGOPTS txt second2.top3.flushtest.example > /dev/null
# load the negative cache entries
# nxrrset:
$DIG $DIGOPTS a third1.second1.top1.flushtest.example >/dev/null
# nxdomain:
$DIG $DIGOPTS txt top4.flushtest.example >/dev/null
# empty nonterminal:
$DIG $DIGOPTS txt second2.top3.flushtest.example >/dev/null
# sleep 2 seconds ensure the TTLs will be lower on cached data
sleep 2
# sleep 2 seconds ensure the TTLs will be lower on cached data
sleep 2
}
dump_cache () {
rndc_dumpdb ns2 -cache _default
dump_cache() {
rndc_dumpdb ns2 -cache _default
}
clear_cache () {
$RNDC $RNDCOPTS flush
clear_cache() {
$RNDC $RNDCOPTS flush
}
in_cache () {
ttl=$($DIG $DIGOPTS "$@" | awk '{print $2}')
[ -z "$ttl" ] && {
ttl=$($DIG $DIGOPTS +noanswer +auth "$@" | awk '{print $2}')
[ "$ttl" -ge 3599 ] && return 1
return 0
}
[ "$ttl" -ge 3599 ] && return 1
return 0
in_cache() {
ttl=$($DIG $DIGOPTS "$@" | awk '{print $2}')
[ -z "$ttl" ] && {
ttl=$($DIG $DIGOPTS +noanswer +auth "$@" | awk '{print $2}')
[ "$ttl" -ge 3599 ] && return 1
return 0
}
[ "$ttl" -ge 3599 ] && return 1
return 0
}
# Extract records at and below name "$1" from the cache dump in file "$2".
filter_tree () {
tree="$1"
file="$2"
perl -n -e '
filter_tree() {
tree="$1"
file="$2"
perl -n -e '
next if /^;/;
if (/'"$tree"'/ || (/^\t/ && $print)) {
$print = 1;
@ -95,7 +95,7 @@ filter_tree () {
n=$((n + 1))
echo_i "check correctness of routine cache cleaning ($n)"
$DIG $DIGOPTS +tcp +keepopen -b 10.53.0.7 -f dig.batch > dig.out.ns2 || status=1
$DIG $DIGOPTS +tcp +keepopen -b 10.53.0.7 -f dig.batch >dig.out.ns2 || status=1
digcomp --lc dig.out.ns2 knowngood.dig.out || status=1
@ -103,7 +103,10 @@ n=$((n + 1))
echo_i "only one tcp socket was used ($n)"
tcpclients=$(awk '$3 == "client" && $5 ~ /10.53.0.7#[0-9]*:/ {print $5}' ns2/named.run | sort | uniq -c | wc -l)
test $tcpclients -eq 1 || { status=1; echo_i "failed"; }
test $tcpclients -eq 1 || {
status=1
echo_i "failed"
}
n=$((n + 1))
echo_i "reset and check that records are correctly cached initially ($n)"
@ -111,7 +114,10 @@ ret=0
load_cache
dump_cache
nrecords=$(filter_tree flushtest.example ns2/named_dump.db.test$n | grep -E '(TXT|ANY)' | wc -l)
[ $nrecords -eq 18 ] || { ret=1; echo_i "found $nrecords records expected 18"; }
[ $nrecords -eq 18 ] || {
ret=1
echo_i "found $nrecords records expected 18"
}
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -205,7 +211,10 @@ echo_i "check the number of cached records remaining ($n)"
ret=0
dump_cache
nrecords=$(filter_tree flushtest.example ns2/named_dump.db.test$n | grep -v '^;' | grep -E '(TXT|ANY)' | wc -l)
[ $nrecords -eq 17 ] || { ret=1; echo_i "found $nrecords records expected 17"; }
[ $nrecords -eq 17 ] || {
ret=1
echo_i "found $nrecords records expected 17"
}
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -223,7 +232,10 @@ echo_i "check the number of cached records remaining ($n)"
ret=0
dump_cache
nrecords=$(filter_tree flushtest.example ns2/named_dump.db.test$n | grep -E '(TXT|ANY)' | wc -l)
[ $nrecords -eq 1 ] || { ret=1; echo_i "found $nrecords records expected 1"; }
[ $nrecords -eq 1 ] || {
ret=1
echo_i "found $nrecords records expected 1"
}
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -234,32 +246,32 @@ load_cache
dump_cache
mv ns2/named_dump.db.test$n ns2/named_dump.db.test$n.a
sed -n '/plain success\/timeout/,/Unassociated entries/p' \
ns2/named_dump.db.test$n.a > sed.out.$n.a
grep 'plain success/timeout' sed.out.$n.a > /dev/null 2>&1 || ret=1
grep 'ns.flushtest.example' sed.out.$n.a > /dev/null 2>&1 || ret=1
ns2/named_dump.db.test$n.a >sed.out.$n.a
grep 'plain success/timeout' sed.out.$n.a >/dev/null 2>&1 || ret=1
grep 'ns.flushtest.example' sed.out.$n.a >/dev/null 2>&1 || ret=1
$RNDC $RNDCOPTS flushtree flushtest.example || ret=1
dump_cache
mv ns2/named_dump.db.test$n ns2/named_dump.db.test$n.b
sed -n '/plain success\/timeout/,/Unassociated entries/p' \
ns2/named_dump.db.test$n.b > sed.out.$n.b
grep 'plain success/timeout' sed.out.$n.b > /dev/null 2>&1 || ret=1
grep 'ns.flushtest.example' sed.out.$n.b > /dev/null 2>&1 && ret=1
ns2/named_dump.db.test$n.b >sed.out.$n.b
grep 'plain success/timeout' sed.out.$n.b >/dev/null 2>&1 || ret=1
grep 'ns.flushtest.example' sed.out.$n.b >/dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "check expire option returned from primary zone ($n)"
ret=0
$DIG @10.53.0.1 -p ${PORT} +expire soa expire-test > dig.out.expire || ret=1
grep EXPIRE: dig.out.expire > /dev/null || ret=1
$DIG @10.53.0.1 -p ${PORT} +expire soa expire-test >dig.out.expire || ret=1
grep EXPIRE: dig.out.expire >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "check expire option returned from secondary zone ($n)"
ret=0
$DIG @10.53.0.2 -p ${PORT} +expire soa expire-test > dig.out.expire || ret=1
grep EXPIRE: dig.out.expire > /dev/null || ret=1
$DIG @10.53.0.2 -p ${PORT} +expire soa expire-test >dig.out.expire || ret=1
grep EXPIRE: dig.out.expire >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))


@ -18,9 +18,9 @@ set -e
DIGOPTS="+tcp +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
wait_for_serial() (
$DIG $DIGOPTS "@$1" "$2" SOA > "$4"
serial=$(awk '$4 == "SOA" { print $7 }' "$4")
[ "$3" -eq "${serial:--1}" ]
$DIG $DIGOPTS "@$1" "$2" SOA >"$4"
serial=$(awk '$4 == "SOA" { print $7 }' "$4")
[ "$3" -eq "${serial:--1}" ]
)
status=0
@ -29,25 +29,23 @@ n=0
n=$((n + 1))
echo_i "waiting for zone transfer to complete ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9
do
$DIG $DIGOPTS soa example. @10.53.0.2 > dig.ns2.test$n || true
grep SOA dig.ns2.test$n > /dev/null && break
sleep 1
for i in 1 2 3 4 5 6 7 8 9; do
$DIG $DIGOPTS soa example. @10.53.0.2 >dig.ns2.test$n || true
grep SOA dig.ns2.test$n >/dev/null && break
sleep 1
done
for i in 1 2 3 4 5 6 7 8 9
do
$DIG $DIGOPTS soa dynamic. @10.53.0.2 > dig.ns2.test$n || true
grep SOA dig.ns2.test$n > /dev/null && break
sleep 1
for i in 1 2 3 4 5 6 7 8 9; do
$DIG $DIGOPTS soa dynamic. @10.53.0.2 >dig.ns2.test$n || true
grep SOA dig.ns2.test$n >/dev/null && break
sleep 1
done
n=$((n + 1))
echo_i "testing case preserving responses - no acl ($n)"
ret=0
$DIG $DIGOPTS mx example. @10.53.0.1 > dig.ns1.test$n || ret=1
grep "0.mail.eXaMpLe" dig.ns1.test$n > /dev/null || ret=1
grep "mAiL.example" dig.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS mx example. @10.53.0.1 >dig.ns1.test$n || ret=1
grep "0.mail.eXaMpLe" dig.ns1.test$n >/dev/null || ret=1
grep "mAiL.example" dig.ns1.test$n >/dev/null || ret=1
test $ret -eq 0 || echo_i "failed"
status=$((status + ret))
@ -56,14 +54,14 @@ echo_i "testing no-case-compress acl '{ 10.53.0.2; }' ($n)"
ret=0
# check that we preserve zone case for non-matching query (10.53.0.1)
$DIG $DIGOPTS mx example. -b 10.53.0.1 @10.53.0.1 > dig.ns1.test$n || ret=1
grep "0.mail.eXaMpLe" dig.ns1.test$n > /dev/null || ret=1
grep "mAiL.example" dig.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS mx example. -b 10.53.0.1 @10.53.0.1 >dig.ns1.test$n || ret=1
grep "0.mail.eXaMpLe" dig.ns1.test$n >/dev/null || ret=1
grep "mAiL.example" dig.ns1.test$n >/dev/null || ret=1
# check that we don't preserve zone case for match (10.53.0.2)
$DIG $DIGOPTS mx example. -b 10.53.0.2 @10.53.0.2 > dig.ns2.test$n || ret=1
grep "0.mail.example" dig.ns2.test$n > /dev/null || ret=1
grep "mail.example" dig.ns2.test$n > /dev/null || ret=1
$DIG $DIGOPTS mx example. -b 10.53.0.2 @10.53.0.2 >dig.ns2.test$n || ret=1
grep "0.mail.example" dig.ns2.test$n >/dev/null || ret=1
grep "mail.example" dig.ns2.test$n >/dev/null || ret=1
test $ret -eq 0 || echo_i "failed"
status=$((status + ret))
@ -71,7 +69,7 @@ status=$((status + ret))
n=$((n + 1))
echo_i "testing load of dynamic zone with various \$ORIGIN values ($n)"
ret=0
$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n || ret=1
$DIG $DIGOPTS axfr dynamic @10.53.0.1 >dig.ns1.test$n || ret=1
digcomp dig.ns1.test$n dynamic.good || ret=1
test $ret -eq 0 || echo_i "failed"
@ -80,7 +78,7 @@ status=$((status + ret))
n=$((n + 1))
echo_i "transfer of dynamic zone with various \$ORIGIN values ($n)"
ret=0
$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n || ret=1
$DIG $DIGOPTS axfr dynamic @10.53.0.2 >dig.ns2.test$n || ret=1
digcomp dig.ns2.test$n dynamic.good || ret=1
test $ret -eq 0 || echo_i "failed"
@ -88,13 +86,13 @@ status=$((status + ret))
n=$((n + 1))
echo_i "change SOA owner case via update ($n)"
$NSUPDATE << EOF
$NSUPDATE <<EOF
server 10.53.0.1 ${PORT}
zone dynamic
update add dYNAMIc 0 SOA mname1. . 2000042408 20 20 1814400 3600
send
EOF
$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n || ret=1
$DIG $DIGOPTS axfr dynamic @10.53.0.1 >dig.ns1.test$n || ret=1
digcomp dig.ns1.test$n postupdate.good || ret=1
test $ret -eq 0 || echo_i "failed"
@ -111,7 +109,7 @@ status=$((status + ret))
n=$((n + 1))
echo_i "check SOA owner case is transferred to secondary ($n)"
ret=0
$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n || ret=1
$DIG $DIGOPTS axfr dynamic @10.53.0.2 >dig.ns2.test$n || ret=1
digcomp dig.ns2.test$n postupdate.good || ret=1
test $ret -eq 0 || echo_i "failed"
@ -120,13 +118,13 @@ status=$((status + ret))
#update delete Ns1.DyNaMIC. 300 IN A 10.53.0.1
n=$((n + 1))
echo_i "change A record owner case via update ($n)"
$NSUPDATE << EOF
$NSUPDATE <<EOF
server 10.53.0.1 ${PORT}
zone dynamic
update add Ns1.DyNaMIC. 300 IN A 10.53.0.1
send
EOF
$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n || ret=1
$DIG $DIGOPTS axfr dynamic @10.53.0.1 >dig.ns1.test$n || ret=1
digcomp dig.ns1.test$n postns1.good || ret=1
test $ret -eq 0 || echo_i "failed"
@ -143,7 +141,7 @@ status=$((status + ret))
n=$((n + 1))
echo_i "check A owner case is transferred to secondary ($n)"
ret=0
$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n || ret=1
$DIG $DIGOPTS axfr dynamic @10.53.0.2 >dig.ns2.test$n || ret=1
digcomp dig.ns2.test$n postns1.good || ret=1
status=$((status + ret))


@ -39,22 +39,22 @@ id2=$id2
EOF
tac() {
$PERL -e 'print reverse <>'
$PERL -e 'print reverse <>'
}
convert() {
key=$1
n=$2
$DSFROMKEY -12 $key >DS.$n
grep " ${DEFAULT_ALGORITHM_NUMBER} 1 " DS.$n >DS.$n-1
grep " ${DEFAULT_ALGORITHM_NUMBER} 2 " DS.$n >DS.$n-2
sed 's/ IN DS / IN CDS /' <DS.$n >>CDS.$n
sed 's/ IN DS / IN CDS /' <DS.$n-1 >>CDS.$n-1
sed 's/ IN DS / IN CDS /' <DS.$n-2 >>CDS.$n-2
sed 's/ IN DNSKEY / IN CDNSKEY /' <$key.key >CDNSKEY.$n
sed 's/ IN DS / 3600 IN DS /' <DS.$n >DS.ttl$n
sed 's/ IN DS / 7200 IN DS /' <DS.$n >DS.ttlong$n
tac <DS.$n >DS.rev$n
key=$1
n=$2
$DSFROMKEY -12 $key >DS.$n
grep " ${DEFAULT_ALGORITHM_NUMBER} 1 " DS.$n >DS.$n-1
grep " ${DEFAULT_ALGORITHM_NUMBER} 2 " DS.$n >DS.$n-2
sed 's/ IN DS / IN CDS /' <DS.$n >>CDS.$n
sed 's/ IN DS / IN CDS /' <DS.$n-1 >>CDS.$n-1
sed 's/ IN DS / IN CDS /' <DS.$n-2 >>CDS.$n-2
sed 's/ IN DNSKEY / IN CDNSKEY /' <$key.key >CDNSKEY.$n
sed 's/ IN DS / 3600 IN DS /' <DS.$n >DS.ttl$n
sed 's/ IN DS / 7200 IN DS /' <DS.$n >DS.ttlong$n
tac <DS.$n >DS.rev$n
}
convert $key1 1
convert $key2 2
@ -86,9 +86,9 @@ cat UP.add2 UP.del1 | sed 3d >UP.swap
sed 's/ add \(.*\) IN DS / add \1 3600 IN DS /' <UP.swap >UP.swapttl
sign() {
cat >db.$1
$SIGNER >/dev/null \
-S -O full -o $Z -f sig.$1 db.$1
cat >db.$1
$SIGNER >/dev/null \
-S -O full -o $Z -f sig.$1 db.$1
}
sign null <<EOF
@ -121,18 +121,18 @@ cat db.null CDS.2-1 | sign cds.2.sha1
cat db.null CDS.2-1 CDNSKEY.2 | sign cds.cdnskey.2.sha1
$mangle '\s+IN\s+RRSIG\s+CDS .* '$idz' '$Z'\. ' \
<sig.cds.1 >brk.rrsig.cds.zsk
<sig.cds.1 >brk.rrsig.cds.zsk
$mangle '\s+IN\s+RRSIG\s+CDS .* '$id1' '$Z'\. ' \
<sig.cds.1 >brk.rrsig.cds.ksk
<sig.cds.1 >brk.rrsig.cds.ksk
$mangle " IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 " <db.cds.1 |
sign cds-mangled
$mangle " IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 " <db.cds.1 \
| sign cds-mangled
bad=$($PERL -le "print ($id1 ^ 255);")
sed "s/IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 /IN CDS $bad ${DEFAULT_ALGORITHM_NUMBER} 1 /" <db.cds.1 |
sign bad-digests
sed "s/IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 /IN CDS $bad ${DEFAULT_ALGORITHM_NUMBER} 1 /" <db.cds.1 \
| sign bad-digests
sed "/IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} /p;s//IN CDS $bad $ALTERNATIVE_ALGORITHM_NUMBER /" <db.cds.1 |
sign bad-algos
sed "/IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} /p;s//IN CDS $bad $ALTERNATIVE_ALGORITHM_NUMBER /" <db.cds.1 \
| sign bad-algos
rm -f dsset-*


@ -18,49 +18,53 @@ set -e
status=0
n=0
fail() {
echo_i "failed"
status=$((status + 1))
echo_i "failed"
status=$((status + 1))
}
runcmd() {
("$@" 1> out.$n 2> err.$n; echo $?) || true
(
"$@" 1>out.$n 2>err.$n
echo $?
) || true
}
testcase() {
n=$((n + 1))
echo_i "$name ($n)"
expect=$1
shift
result=$(runcmd "$@")
check_stdout
check_stderr
if [ "$expect" -ne "$result" ]; then
echo_d "exit status does not match $expect"
fail
fi
unset name err out
n=$((n + 1))
echo_i "$name ($n)"
expect=$1
shift
result=$(runcmd "$@")
check_stdout
check_stderr
if [ "$expect" -ne "$result" ]; then
echo_d "exit status does not match $expect"
fail
fi
unset name err out
}
check_stderr() {
if [ -n "${err:=}" ]; then
grep -E "$err" err.$n >/dev/null && return 0
echo_d "stderr did not match '$err'"
else
[ -s err.$n ] || return 0
fi
cat err.$n | cat_d
fail
if [ -n "${err:=}" ]; then
grep -E "$err" err.$n >/dev/null && return 0
echo_d "stderr did not match '$err'"
else
[ -s err.$n ] || return 0
fi
cat err.$n | cat_d
fail
}
check_stdout() {
diff out.$n "${out:-empty}" >/dev/null && return
echo_d "stdout did not match '$out'"
( echo "wanted"
cat "$out"
echo "got"
cat out.$n
) | cat_d
fail
diff out.$n "${out:-empty}" >/dev/null && return
echo_d "stdout did not match '$out'"
(
echo "wanted"
cat "$out"
echo "got"
cat out.$n
) | cat_d
fail
}
Z=cds.test


@ -19,7 +19,7 @@ signedfile=example.db.signed
ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null
$SIGNER -S -o $zone -f $signedfile $zonefile >/dev/null
zone=wildcard-secure.example.
zonefile=wildcard-secure.db
@ -27,7 +27,7 @@ signedfile=wildcard-secure.example.db.signed
ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null
$SIGNER -S -o $zone -f $signedfile $zonefile >/dev/null
zone=wildcard-nsec.example.
zonefile=wildcard.db
@ -35,7 +35,7 @@ signedfile=wildcard-nsec.example.db.signed
ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null
$SIGNER -S -o $zone -f $signedfile $zonefile >/dev/null
zone=wildcard-nsec3.example.
zonefile=wildcard.db
@ -43,7 +43,7 @@ signedfile=wildcard-nsec3.example.db.signed
ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
$SIGNER -S -3 - -H 0 -o $zone -f $signedfile $zonefile > /dev/null
$SIGNER -S -3 - -H 0 -o $zone -f $signedfile $zonefile >/dev/null
zone=wildcard-nsec3-optout.example.
zonefile=wildcard.db
@ -51,4 +51,4 @@ signedfile=wildcard-nsec3-optout.example.db.signed
ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
$SIGNER -S -3 - -H 0 -A -o $zone -f $signedfile $zonefile > /dev/null
$SIGNER -S -3 - -H 0 -A -o $zone -f $signedfile $zonefile >/dev/null


@ -13,22 +13,19 @@
. ../conf.sh
if ! ${PYTHON} -c 'import dns'
then
echo_i "python dns module is required"
exit 1
if ! ${PYTHON} -c 'import dns'; then
echo_i "python dns module is required"
exit 1
fi
if ! ${PERL} -MNet::DNS -e ''
then
echo_i "perl Net::DNS module is required"
exit 1
if ! ${PERL} -MNet::DNS -e ''; then
echo_i "perl Net::DNS module is required"
exit 1
fi
if ! ${PERL} -MNet::DNS::Nameserver -e ''
then
echo_i "perl Net::DNS::Nameserver module is required"
exit 1
if ! ${PERL} -MNet::DNS::Nameserver -e ''; then
echo_i "perl Net::DNS::Nameserver module is required"
exit 1
fi
exit 0


@ -19,7 +19,7 @@ DIGOPTS="-p ${PORT}"
RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"
sendcmd() {
send 10.53.0.4 "${EXTRAPORT1}"
send 10.53.0.4 "${EXTRAPORT1}"
}
status=0
@ -28,8 +28,8 @@ n=0
n=$((n + 1))
echo_i "checking short DNAME from authoritative ($n)"
ret=0
$DIG $DIGOPTS a.short-dname.example @10.53.0.2 a > dig.out.ns2.short || ret=1
grep "status: NOERROR" dig.out.ns2.short > /dev/null || ret=1
$DIG $DIGOPTS a.short-dname.example @10.53.0.2 a >dig.out.ns2.short || ret=1
grep "status: NOERROR" dig.out.ns2.short >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -37,16 +37,16 @@ n=$((n + 1))
echo_i "checking short DNAME from recursive ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS a.short-dname.example @10.53.0.7 a > dig.out.ns4.short || ret=1
grep "status: NOERROR" dig.out.ns4.short > /dev/null || ret=1
$DIG $DIGOPTS a.short-dname.example @10.53.0.7 a >dig.out.ns4.short || ret=1
grep "status: NOERROR" dig.out.ns4.short >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking long DNAME from authoritative ($n)"
ret=0
$DIG $DIGOPTS a.long-dname.example @10.53.0.2 a > dig.out.ns2.long || ret=1
grep "status: NOERROR" dig.out.ns2.long > /dev/null || ret=1
$DIG $DIGOPTS a.long-dname.example @10.53.0.2 a >dig.out.ns2.long || ret=1
grep "status: NOERROR" dig.out.ns2.long >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -54,16 +54,16 @@ n=$((n + 1))
echo_i "checking long DNAME from recursive ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS a.long-dname.example @10.53.0.7 a > dig.out.ns4.long || ret=1
grep "status: NOERROR" dig.out.ns4.long > /dev/null || ret=1
$DIG $DIGOPTS a.long-dname.example @10.53.0.7 a >dig.out.ns4.long || ret=1
grep "status: NOERROR" dig.out.ns4.long >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking (too) long DNAME from authoritative ($n)"
ret=0
$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.2 a > dig.out.ns2.toolong || ret=1
grep "status: YXDOMAIN" dig.out.ns2.toolong > /dev/null || ret=1
$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.2 a >dig.out.ns2.toolong || ret=1
grep "status: YXDOMAIN" dig.out.ns2.toolong >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -71,9 +71,9 @@ n=$((n + 1))
echo_i "checking (too) long DNAME from recursive with cached DNAME ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.7 a > dig.out.ns4.cachedtoolong || ret=1
grep "status: YXDOMAIN" dig.out.ns4.cachedtoolong > /dev/null || ret=1
grep '^long-dname\.example\..*DNAME.*long' dig.out.ns4.cachedtoolong > /dev/null || ret=1
$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.7 a >dig.out.ns4.cachedtoolong || ret=1
grep "status: YXDOMAIN" dig.out.ns4.cachedtoolong >/dev/null || ret=1
grep '^long-dname\.example\..*DNAME.*long' dig.out.ns4.cachedtoolong >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -81,50 +81,50 @@ n=$((n + 1))
echo_i "checking (too) long DNAME from recursive without cached DNAME ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglong.toolong-dname.example @10.53.0.7 a > dig.out.ns4.uncachedtoolong || ret=1
grep "status: YXDOMAIN" dig.out.ns4.uncachedtoolong > /dev/null || ret=1
grep '^toolong-dname\.example\..*DNAME.*long' dig.out.ns4.uncachedtoolong > /dev/null || ret=1
$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglong.toolong-dname.example @10.53.0.7 a >dig.out.ns4.uncachedtoolong || ret=1
grep "status: YXDOMAIN" dig.out.ns4.uncachedtoolong >/dev/null || ret=1
grep '^toolong-dname\.example\..*DNAME.*long' dig.out.ns4.uncachedtoolong >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
find_records() {
owner_name="$1"
rr_type="$2"
file="$3"
awk '$1 == "'"$owner_name"'" && $4 == "'"$rr_type"'" { print }' < "$file"
owner_name="$1"
rr_type="$2"
file="$3"
awk '$1 == "'"$owner_name"'" && $4 == "'"$rr_type"'" { print }' <"$file"
}
count_records() {
owner_name="$1"
rr_type="$2"
file="$3"
find_records "$owner_name" "$rr_type" "$file" | wc -l
owner_name="$1"
rr_type="$2"
file="$3"
find_records "$owner_name" "$rr_type" "$file" | wc -l
}
exactly_one_record_exists_for() {
owner_name="$1"
rr_type="$2"
file="$3"
test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 1
owner_name="$1"
rr_type="$2"
file="$3"
test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 1
}
no_records_exist_for() {
owner_name="$1"
rr_type="$2"
file="$3"
test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 0
owner_name="$1"
rr_type="$2"
file="$3"
test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 0
}
ensure_no_ds_in_bitmap() {
owner_name="$1"
rr_type="$2"
file="$3"
case "$rr_type" in
NSEC) start_index=6 ;;
NSEC3) start_index=10 ;;
*) exit 1 ;;
esac
find_records "$owner_name" "$rr_type" "$file" | awk '{ for (i='"$start_index"'; i<=NF; i++) if ($i == "DS") exit 1 }'
owner_name="$1"
rr_type="$2"
file="$3"
case "$rr_type" in
NSEC) start_index=6 ;;
NSEC3) start_index=10 ;;
*) exit 1 ;;
esac
find_records "$owner_name" "$rr_type" "$file" | awk '{ for (i='"$start_index"'; i<=NF; i++) if ($i == "DS") exit 1 }'
}
n=$((n + 1))
@ -132,7 +132,7 @@ echo_i "checking secure delegation prepared using CNAME chaining ($n)"
ret=0
# QNAME exists, so the AUTHORITY section should only contain an NS RRset and a
# DS RRset.
$DIG $DIGOPTS @10.53.0.2 cname.wildcard-secure.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 cname.wildcard-secure.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains the expected NS and DS RRsets.
exactly_one_record_exists_for "delegation.wildcard-secure.example." NS dig.out.2.$n || ret=1
exactly_one_record_exists_for "delegation.wildcard-secure.example." DS dig.out.2.$n || ret=1
@ -144,7 +144,7 @@ echo_i "checking secure delegation prepared using wildcard expansion + CNAME cha
ret=0
# QNAME does not exist, so the AUTHORITY section should contain an NS RRset, an
# NSEC record proving nonexistence of QNAME, and a DS RRset at the zone cut.
$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-secure.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-secure.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains the expected NS and DS RRsets.
exactly_one_record_exists_for "delegation.wildcard-secure.example." NS dig.out.2.$n || ret=1
exactly_one_record_exists_for "delegation.wildcard-secure.example." DS dig.out.2.$n || ret=1
@ -161,7 +161,7 @@ echo_i "checking insecure delegation prepared using CNAME chaining, NSEC ($n)"
ret=0
# QNAME exists, so the AUTHORITY section should only contain an NS RRset and a
# single NSEC record proving nonexistence of a DS RRset at the zone cut.
$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1
@ -183,7 +183,7 @@ ret=0
# QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
# NSEC records proving nonexistence of both QNAME and a DS RRset at the zone
# cut. In this test case, these two NSEC records are different.
$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1
@ -206,7 +206,7 @@ ret=0
# NSEC records proving nonexistence of both QNAME and a DS RRset at the zone
# cut. In this test case, the same NSEC record proves nonexistence of both the
# QNAME and the DS RRset at the zone cut.
$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1
@ -247,7 +247,7 @@ echo_i "checking insecure delegation prepared using CNAME chaining, NSEC3 ($n)"
ret=0
# QNAME exists, so the AUTHORITY section should only contain an NS RRset and a
# single NSEC3 record proving nonexistence of a DS RRset at the zone cut.
$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1
@ -269,7 +269,7 @@ ret=0
# QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
# NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone
# cut. In this test case, these two NSEC3 records are different.
$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1
@ -292,7 +292,7 @@ ret=0
# NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone
# cut. In this test case, the same NSEC3 record proves nonexistence of both the
# QNAME and the DS RRset at the zone cut.
$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec3.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1
@ -336,7 +336,7 @@ echo_i "checking insecure delegation prepared using CNAME chaining, NSEC3 with o
ret=0
# QNAME exists, so the AUTHORITY section should only contain an NS RRset and a
# single NSEC3 record proving nonexistence of a DS RRset at the zone cut.
$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3-optout.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1
@ -357,7 +357,7 @@ ret=0
# QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
# NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone
# cut. In this test case, these two NSEC3 records are different.
$DIG $DIGOPTS @10.53.0.2 b-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 b-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1
@ -379,7 +379,7 @@ ret=0
# NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone
# cut. In this test case, the same NSEC3 record proves nonexistence of both the
# QNAME and the DS RRset at the zone cut.
$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1
@ -397,8 +397,8 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking CNAME to DNAME from authoritative ($n)"
ret=0
$DIG $DIGOPTS cname.example @10.53.0.2 a > dig.out.ns2.cname
grep "status: NOERROR" dig.out.ns2.cname > /dev/null || ret=1
$DIG $DIGOPTS cname.example @10.53.0.2 a >dig.out.ns2.cname
grep "status: NOERROR" dig.out.ns2.cname >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -406,12 +406,12 @@ n=$((n + 1))
echo_i "checking CNAME to DNAME from recursive"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS cname.example @10.53.0.7 a > dig.out.ns4.cname
grep "status: NOERROR" dig.out.ns4.cname > /dev/null || ret=1
grep '^cname.example.' dig.out.ns4.cname > /dev/null || ret=1
grep '^cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
grep '^a.cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
grep '^a.target.example.' dig.out.ns4.cname > /dev/null || ret=1
$DIG $DIGOPTS cname.example @10.53.0.7 a >dig.out.ns4.cname
grep "status: NOERROR" dig.out.ns4.cname >/dev/null || ret=1
grep '^cname.example.' dig.out.ns4.cname >/dev/null || ret=1
grep '^cnamedname.example.' dig.out.ns4.cname >/dev/null || ret=1
grep '^a.cnamedname.example.' dig.out.ns4.cname >/dev/null || ret=1
grep '^a.target.example.' dig.out.ns4.cname >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -419,10 +419,10 @@ n=$((n + 1))
echo_i "checking DNAME is returned with synthesized CNAME before DNAME ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 name.synth-then-dname.example.broken A > dig.out.test$n
grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
grep '^name.synth-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1
grep '^synth-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.7 name.synth-then-dname.example.broken A >dig.out.test$n
grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1
grep '^name.synth-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n >/dev/null || ret=1
grep '^synth-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -430,11 +430,11 @@ n=$((n + 1))
echo_i "checking DNAME is returned with CNAME to synthesized CNAME before DNAME ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 cname-to-synth2-then-dname.example.broken A > dig.out.test$n
grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
grep '^cname-to-synth2-then-dname\.example\.broken\..*CNAME.*name\.synth2-then-dname\.example\.broken.$' dig.out.test$n > /dev/null || ret=1
grep '^name\.synth2-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1
grep '^synth2-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.7 cname-to-synth2-then-dname.example.broken A >dig.out.test$n
grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1
grep '^cname-to-synth2-then-dname\.example\.broken\..*CNAME.*name\.synth2-then-dname\.example\.broken.$' dig.out.test$n >/dev/null || ret=1
grep '^name\.synth2-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n >/dev/null || ret=1
grep '^synth2-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -442,9 +442,9 @@ n=$((n + 1))
echo_i "checking CNAME loops are detected ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 loop.example > dig.out.test$n
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
grep "ANSWER: 17" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.7 loop.example >dig.out.test$n
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
grep "ANSWER: 17" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -452,9 +452,9 @@ n=$((n + 1))
echo_i "checking CNAME to external delegated zones is handled ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 a.example > dig.out.test$n
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
grep "ANSWER: 2" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.7 a.example >dig.out.test$n
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
grep "ANSWER: 2" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -462,9 +462,9 @@ n=$((n + 1))
echo_i "checking CNAME to internal delegated zones is handled ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 b.example > dig.out.test$n
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
grep "ANSWER: 2" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.7 b.example >dig.out.test$n
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
grep "ANSWER: 2" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -472,8 +472,8 @@ n=$((n + 1))
echo_i "checking CNAME to signed external delegation is handled ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 c.example > dig.out.$n
grep "status: NOERROR" dig.out.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.7 c.example >dig.out.$n
grep "status: NOERROR" dig.out.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -481,8 +481,8 @@ n=$((n + 1))
echo_i "checking CNAME to signed internal delegation is handled ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 d.example > dig.out.$n
grep "status: NOERROR" dig.out.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.7 d.example >dig.out.$n
grep "status: NOERROR" dig.out.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -491,39 +491,39 @@ echo_i "checking CNAME chains in various orders ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i
echo "cname,cname,cname|1,2,3,4,s1,s2,s3,s4" | sendcmd
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1
grep 'status: NOERROR' dig.out.1.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.1.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.1.$n 2>&1
grep 'status: NOERROR' dig.out.1.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.1.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 null --- start test$n - step 2 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "cname,cname,cname|1,1,2,2,3,4,s4,s3,s1" | sendcmd
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.2.$n 2>&1
grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.2.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.2.$n 2>&1
grep 'status: NOERROR' dig.out.2.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.2.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 null --- start test$n - step 3 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "cname,cname,cname|2,1,3,4,s3,s1,s2,s4" | sendcmd
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1
grep 'status: NOERROR' dig.out.3.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.3.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.3.$n 2>&1
grep 'status: NOERROR' dig.out.3.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.3.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 null --- start test$n - step 4 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "cname,cname,cname|4,3,2,1,s4,s3,s2,s1" | sendcmd
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.4.$n 2>&1
grep 'status: NOERROR' dig.out.4.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.4.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.4.$n 2>&1
grep 'status: NOERROR' dig.out.4.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.4.$n >/dev/null 2>&1 || ret=1
echo "cname,cname,cname|4,3,2,1,s4,s3,s2,s1" | sendcmd
$RNDCCMD 10.53.0.7 null --- start test$n - step 5 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.5.$n 2>&1
grep 'status: NOERROR' dig.out.5.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.5.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.5.$n 2>&1
grep 'status: NOERROR' dig.out.5.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.5.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 null --- start test$n - step 6 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "cname,cname,cname|4,3,3,3,s1,s1,1,3,4" | sendcmd
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.6.$n 2>&1
grep 'status: NOERROR' dig.out.6.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.6.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.6.$n 2>&1
grep 'status: NOERROR' dig.out.6.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.6.$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -533,9 +533,9 @@ ret=0
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "cname,cname,cname|1,2,3,4,s1,s2,s3,s4" | sendcmd
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.1.$n 2>&1
sleep 1
$DIG $DIGOPTS +noall +answer @10.53.0.7 cname1.domain.nil > dig.out.2.$n 2>&1
$DIG $DIGOPTS +noall +answer @10.53.0.7 cname1.domain.nil >dig.out.2.$n 2>&1
ttl=$(awk '{print $2}' dig.out.2.$n)
[ "$ttl" -eq 86400 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -547,21 +547,21 @@ ret=0
$RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "dname,dname|5,4,3,2,1,s5,s4,s3,s2,s1" | sendcmd
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1
grep 'status: NOERROR' dig.out.1.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 3' dig.out.1.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.1.$n 2>&1
grep 'status: NOERROR' dig.out.1.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 3' dig.out.1.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 null --- start test$n - step 2 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "dname,dname|5,4,3,2,1,s5,s4,s3,s2,s1" | sendcmd
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.2.$n 2>&1
grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 3' dig.out.2.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.2.$n 2>&1
grep 'status: NOERROR' dig.out.2.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 3' dig.out.2.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 null --- start test$n - step 3 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "dname,dname|2,3,s1,s2,s3,s4,1" | sendcmd
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1
grep 'status: NOERROR' dig.out.3.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 3' dig.out.3.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.3.$n 2>&1
grep 'status: NOERROR' dig.out.3.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 3' dig.out.3.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -571,20 +571,20 @@ echo_i "checking external CNAME/DNAME chains in various orders ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i
echo "xname,dname|1,2,3,4,s1,s2,s3,s4" | sendcmd
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1
grep 'status: NOERROR' dig.out.1.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.1.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.1.$n 2>&1
grep 'status: NOERROR' dig.out.1.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.1.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 null --- start test$n - step 2 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "xname,dname|s2,2,s1,1,4,s4,3" | sendcmd
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.2.$n 2>&1
grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.2.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.2.$n 2>&1
grep 'status: NOERROR' dig.out.2.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.2.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 null --- start test$n - step 3 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "xname,dname|s2,2,2,2" | sendcmd
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1
grep 'status: SERVFAIL' dig.out.3.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.3.$n 2>&1
grep 'status: SERVFAIL' dig.out.3.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -593,8 +593,8 @@ n=$((n + 1))
echo_i "checking explicit DNAME query ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 dname short-dname.example > dig.out.7.$n 2>&1
grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 dname short-dname.example >dig.out.7.$n 2>&1
grep 'status: NOERROR' dig.out.7.$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -603,8 +603,8 @@ echo_i "checking DNAME via ANY query ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 any short-dname.example > dig.out.7.$n 2>&1
grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 any short-dname.example >dig.out.7.$n 2>&1
grep 'status: NOERROR' dig.out.7.$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -612,8 +612,8 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking DNAME resolution via itself (authoritative) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 DNAME self.domain0.self.domain0.nil. > dig.out.2.$n 2>&1
grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 DNAME self.domain0.self.domain0.nil. >dig.out.2.$n 2>&1
grep 'status: NOERROR' dig.out.2.$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -621,8 +621,8 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking DNAME resolution via itself (recursive) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.7 DNAME self.example.self.example.dname. > dig.out.7.$n 2>&1
grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 DNAME self.example.self.example.dname. >dig.out.7.$n 2>&1
grep 'status: NOERROR' dig.out.7.$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))


@ -23,17 +23,17 @@ mkdir -p keys
n=$((n + 1))
echo_i "checking that named-checkconf handles a known good config ($n)"
ret=0
$CHECKCONF good.conf > checkconf.out$n 2>&1 || ret=1
$CHECKCONF good.conf >checkconf.out$n 2>&1 || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking that named-checkconf prints a known good config ($n)"
ret=0
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.raw
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf >good.conf.raw
[ -s good.conf.raw ] || ret=1
$CHECKCONF -p good.conf.raw > checkconf.out$n || ret=1
grep -v '^good.conf.raw:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
$CHECKCONF -p good.conf.raw >checkconf.out$n || ret=1
grep -v '^good.conf.raw:' <checkconf.out$n >good.conf.out 2>&1 || ret=1
cmp good.conf.raw good.conf.out || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -42,102 +42,119 @@ n=$((n + 1))
echo_i "checking that named-checkconf -x removes secrets ($n)"
ret=0
# ensure there is a secret and that it is not the check string.
grep 'secret "' good.conf.raw > /dev/null || ret=1
grep 'secret "????????????????"' good.conf.raw > /dev/null 2>&1 && ret=1
$CHECKCONF -p -x good.conf.raw > checkconf.out$n || ret=1
grep -v '^good.conf.raw:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
grep 'secret "????????????????"' good.conf.out > /dev/null 2>&1 || ret=1
grep 'secret "' good.conf.raw >/dev/null || ret=1
grep 'secret "????????????????"' good.conf.raw >/dev/null 2>&1 && ret=1
$CHECKCONF -p -x good.conf.raw >checkconf.out$n || ret=1
grep -v '^good.conf.raw:' <checkconf.out$n >good.conf.out 2>&1 || ret=1
grep 'secret "????????????????"' good.conf.out >/dev/null 2>&1 || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
for bad in bad-*.conf
do
n=$((n + 1))
echo_i "checking that named-checkconf detects error in $bad ($n)"
ret=0
{ $CHECKCONF $bad > checkconf.out$n 2>&1; rc=$?; } || true
if [ $rc -ne 1 ]; then ret=1; fi
grep "^$bad:[0-9]*: " < checkconf.out$n > /dev/null || ret=1
case $bad in
for bad in bad-*.conf; do
n=$((n + 1))
echo_i "checking that named-checkconf detects error in $bad ($n)"
ret=0
{
$CHECKCONF $bad >checkconf.out$n 2>&1
rc=$?
} || true
if [ $rc -ne 1 ]; then ret=1; fi
grep "^$bad:[0-9]*: " <checkconf.out$n >/dev/null || ret=1
case $bad in
bad-update-policy[123].conf)
pat="identity and name fields are not the same"
grep "$pat" < checkconf.out$n > /dev/null || ret=1
;;
bad-update-policy[4589].conf|bad-update-policy1[01].conf)
pat="name field not set to placeholder value"
grep "$pat" < checkconf.out$n > /dev/null || ret=1
;;
bad-update-policy[67].conf|bad-update-policy1[2345789].conf|bad-update-policy20.conf)
pat="missing name field type '.*' found"
grep "$pat" < checkconf.out$n > /dev/null || ret=1
;;
pat="identity and name fields are not the same"
grep "$pat" <checkconf.out$n >/dev/null || ret=1
;;
bad-update-policy[4589].conf | bad-update-policy1[01].conf)
pat="name field not set to placeholder value"
grep "$pat" <checkconf.out$n >/dev/null || ret=1
;;
bad-update-policy[67].conf | bad-update-policy1[2345789].conf | bad-update-policy20.conf)
pat="missing name field type '.*' found"
grep "$pat" <checkconf.out$n >/dev/null || ret=1
;;
esac
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
done
for good in good-*.conf; do
n=$((n + 1))
echo_i "checking that named-checkconf detects no error in $good ($n)"
ret=0
if ! $FEATURETEST --with-libnghttp2; then
case $good in
good-doh-*.conf) continue ;;
good-dot-*.conf) continue ;;
esac
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
fi
{
$CHECKCONF $good >checkconf.out$n 2>&1
rc=$?
} || true
if [ $rc -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
done
for good in good-*.conf
do
n=$((n + 1))
echo_i "checking that named-checkconf detects no error in $good ($n)"
ret=0
if ! $FEATURETEST --with-libnghttp2
then
case $good in
good-doh-*.conf) continue;;
good-dot-*.conf) continue;;
esac
fi
{ $CHECKCONF $good > checkconf.out$n 2>&1; rc=$?; } || true
if [ $rc -ne 0 ]; then echo_i "failed"; ret=1; fi
status=$((status + ret))
done
for lmdb in lmdb-*.conf; do
n=$((n + 1))
ret=0
for lmdb in lmdb-*.conf
do
n=$((n + 1))
ret=0
if $FEATURETEST --with-lmdb; then
echo_i "checking that named-checkconf detects no error in $lmdb ($n)"
{ $CHECKCONF $lmdb > checkconf.out$n 2>&1; rc=$?; } || true
if [ $rc -ne 0 ]; then echo_i "failed"; ret=1; fi
else
echo_i "checking that named-checkconf detects error in $lmdb ($n)"
{ $CHECKCONF $lmdb > checkconf.out$n 2>&1; rc=$?; } || true
if [ $rc -eq 0 ]; then echo_i "failed"; ret=1; fi
fi
status=$((status + ret))
if $FEATURETEST --with-lmdb; then
echo_i "checking that named-checkconf detects no error in $lmdb ($n)"
{
$CHECKCONF $lmdb >checkconf.out$n 2>&1
rc=$?
} || true
if [ $rc -ne 0 ]; then
echo_i "failed"
ret=1
fi
else
echo_i "checking that named-checkconf detects error in $lmdb ($n)"
{
$CHECKCONF $lmdb >checkconf.out$n 2>&1
rc=$?
} || true
if [ $rc -eq 0 ]; then
echo_i "failed"
ret=1
fi
fi
status=$((status + ret))
done
n=$((n + 1))
echo_i "checking that ancient options report a fatal error ($n)"
ret=0
$CHECKCONF ancient.conf > ancient.out 2>&1 && ret=1
grep "no longer exists" ancient.out > /dev/null || ret=1
$CHECKCONF ancient.conf >ancient.out 2>&1 && ret=1
grep "no longer exists" ancient.out >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking that named-checkconf -z catches missing hint file ($n)"
ret=0
$CHECKCONF -z hint-nofile.conf > hint-nofile.out 2>&1 && ret=1
grep "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out > /dev/null || ret=1
$CHECKCONF -z hint-nofile.conf >hint-nofile.out 2>&1 && ret=1
grep "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking that named-checkconf catches range errors ($n)"
ret=0
$CHECKCONF range.conf > checkconf.out$n 2>&1 && ret=1
$CHECKCONF range.conf >checkconf.out$n 2>&1 && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking that named-checkconf warns of notify inconsistencies ($n)"
ret=0
$CHECKCONF notify.conf > checkconf.out$n 2>&1
warnings=$(grep "'notify' is disabled" < checkconf.out$n | wc -l)
$CHECKCONF notify.conf >checkconf.out$n 2>&1
warnings=$(grep "'notify' is disabled" <checkconf.out$n | wc -l)
[ $warnings -eq 3 ] || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -145,36 +162,36 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking named-checkconf deprecate warnings ($n)"
ret=0
$CHECKCONF deprecated.conf > checkconf.out$n.1 2>&1
grep "option 'managed-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'trusted-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'max-zone-ttl' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'use-v4-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'use-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'avoid-v4-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'avoid-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'dialup' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'heartbeat-interval' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'dnssec-must-be-secure' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "token 'port' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
$CHECKCONF deprecated.conf >checkconf.out$n.1 2>&1
grep "option 'managed-keys' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'trusted-keys' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'max-zone-ttl' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'use-v4-udp-ports' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'use-v6-udp-ports' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'avoid-v4-udp-ports' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'avoid-v6-udp-ports' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'dialup' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'heartbeat-interval' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'dnssec-must-be-secure' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "token 'port' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
# set -i to ignore deprecate warnings
$CHECKCONF -i deprecated.conf > checkconf.out$n.2 2>&1
grep '.*' < checkconf.out$n.2 > /dev/null && ret=1
$CHECKCONF -i deprecated.conf >checkconf.out$n.2 2>&1
grep '.*' <checkconf.out$n.2 >/dev/null && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking named-checkconf servestale warnings ($n)"
ret=0
$CHECKCONF servestale.stale-refresh-time.0.conf > checkconf.out$n.1 2>&1
grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" < checkconf.out$n.1 > /dev/null && ret=1
$CHECKCONF servestale.stale-refresh-time.0.conf >checkconf.out$n.1 2>&1
grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" <checkconf.out$n.1 >/dev/null && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
ret=0
$CHECKCONF servestale.stale-refresh-time.29.conf > checkconf.out$n.1 2>&1
grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" < checkconf.out$n.1 > /dev/null || ret=1
$CHECKCONF servestale.stale-refresh-time.29.conf >checkconf.out$n.1 2>&1
grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" <checkconf.out$n.1 >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -182,38 +199,62 @@ n=$((n + 1))
echo_i "range checking fields that do not allow zero ($n)"
ret=0
for field in max-retry-time min-retry-time max-refresh-time min-refresh-time; do
cat > badzero.conf << EOF
cat >badzero.conf <<EOF
options {
$field 0;
};
EOF
{ $CHECKCONF badzero.conf > checkconf.out$n.1 2>&1; rc=$?; } || true
[ $rc -eq 1 ] || { echo_i "options $field failed" ; ret=1; }
cat > badzero.conf << EOF
{
$CHECKCONF badzero.conf >checkconf.out$n.1 2>&1
rc=$?
} || true
[ $rc -eq 1 ] || {
echo_i "options $field failed"
ret=1
}
cat >badzero.conf <<EOF
view dummy {
$field 0;
};
EOF
{ $CHECKCONF badzero.conf > checkconf.out$n.2 2>&1; rc=$?; } || true
[ $rc -eq 1 ] || { echo_i "view $field failed" ; ret=1; }
cat > badzero.conf << EOF
{
$CHECKCONF badzero.conf >checkconf.out$n.2 2>&1
rc=$?
} || true
[ $rc -eq 1 ] || {
echo_i "view $field failed"
ret=1
}
cat >badzero.conf <<EOF
options {
$field 0;
};
view dummy {
};
EOF
{ $CHECKCONF badzero.conf > checkconf.out$n.3 2>&1; rc=$?; } || true
[ $rc -eq 1 ] || { echo_i "options + view $field failed" ; ret=1; }
cat > badzero.conf << EOF
{
$CHECKCONF badzero.conf >checkconf.out$n.3 2>&1
rc=$?
} || true
[ $rc -eq 1 ] || {
echo_i "options + view $field failed"
ret=1
}
cat >badzero.conf <<EOF
zone dummy {
type secondary;
primaries { 0.0.0.0; };
$field 0;
};
EOF
{ $CHECKCONF badzero.conf > checkconf.out$n.4 2>&1; rc=$?; } || true
[ $rc -eq 1 ] || { echo_i "zone $field failed" ; ret=1; }
{
$CHECKCONF badzero.conf >checkconf.out$n.4 2>&1
rc=$?
} || true
[ $rc -eq 1 ] || {
echo_i "zone $field failed"
ret=1
}
done
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -221,22 +262,22 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking options allowed in inline-signing secondaries ($n)"
ret=0
$CHECKCONF bad-dnssec.conf > checkconf.out$n.2 2>&1 && ret=1
l=$(grep "dnssec-loadkeys-interval.*requires inline" < checkconf.out$n.2 | wc -l)
$CHECKCONF bad-dnssec.conf >checkconf.out$n.2 2>&1 && ret=1
l=$(grep "dnssec-loadkeys-interval.*requires inline" <checkconf.out$n.2 | wc -l)
[ $l -eq 1 ] || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "check file + inline-signing for secondary zones ($n)"
$CHECKCONF inline-no.conf > checkconf.out$n.1 2>&1 && ret=1
l=$(grep "missing 'file' entry" < checkconf.out$n.1 | wc -l)
$CHECKCONF inline-no.conf >checkconf.out$n.1 2>&1 && ret=1
l=$(grep "missing 'file' entry" <checkconf.out$n.1 | wc -l)
[ $l -eq 0 ] || ret=1
$CHECKCONF inline-good.conf > checkconf.out$n.2 2>&1 || ret=1
l=$(grep "missing 'file' entry" < checkconf.out$n.2 | wc -l)
$CHECKCONF inline-good.conf >checkconf.out$n.2 2>&1 || ret=1
l=$(grep "missing 'file' entry" <checkconf.out$n.2 | wc -l)
[ $l -eq 0 ] || ret=1
$CHECKCONF inline-bad.conf > checkconf.out$n.3 2>&1 && ret=1
l=$(grep "missing 'file' entry" < checkconf.out$n.3 | wc -l)
$CHECKCONF inline-bad.conf >checkconf.out$n.3 2>&1 && ret=1
l=$(grep "missing 'file' entry" <checkconf.out$n.3 | wc -l)
[ $l -eq 1 ] || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -244,8 +285,8 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking named-checkconf DLZ warnings ($n)"
ret=0
$CHECKCONF dlz-bad.conf > checkconf.out$n 2>&1 && ret=1
grep "'dlz' and 'database'" < checkconf.out$n > /dev/null || ret=1
$CHECKCONF dlz-bad.conf >checkconf.out$n 2>&1 && ret=1
grep "'dlz' and 'database'" <checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -253,17 +294,17 @@ n=$((n + 1))
echo_i "checking for missing key directory warning ($n)"
ret=0
rm -rf test.keydir
$CHECKCONF warn-keydir.conf > checkconf.out$n.1 2>&1
l=$(grep "'test.keydir' does not exist" < checkconf.out$n.1 | wc -l)
$CHECKCONF warn-keydir.conf >checkconf.out$n.1 2>&1
l=$(grep "'test.keydir' does not exist" <checkconf.out$n.1 | wc -l)
[ $l -eq 1 ] || ret=1
touch test.keydir
$CHECKCONF warn-keydir.conf > checkconf.out$n.2 2>&1
l=$(grep "'test.keydir' is not a directory" < checkconf.out$n.2 | wc -l)
$CHECKCONF warn-keydir.conf >checkconf.out$n.2 2>&1
l=$(grep "'test.keydir' is not a directory" <checkconf.out$n.2 | wc -l)
[ $l -eq 1 ] || ret=1
rm -f test.keydir
mkdir test.keydir
$CHECKCONF warn-keydir.conf > checkconf.out$n.3 2>&1
l=$(grep "key-directory" < checkconf.out$n.3 | wc -l)
$CHECKCONF warn-keydir.conf >checkconf.out$n.3 2>&1
l=$(grep "key-directory" <checkconf.out$n.3 | wc -l)
[ $l -eq 0 ] || ret=1
rm -rf test.keydir
if [ $ret -ne 0 ]; then echo_i "failed"; fi
@ -271,222 +312,300 @@ if [ $ret -ne 0 ]; then echo_i "failed"; fi
n=$((n + 1))
echo_i "checking that named-checkconf -z catches conflicting ttl with max-ttl ($n)"
ret=0
$CHECKCONF -z max-ttl.conf > check.out 2>&1 && ret=1
grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1
grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1
grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF -z max-ttl.conf >check.out 2>&1 && ret=1
grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out >/dev/null 2>&1 || ret=1
grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out >/dev/null 2>&1 || ret=1
grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out >/dev/null 2>&1 || ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking that named-checkconf -z catches invalid max-ttl ($n)"
ret=0
$CHECKCONF -z max-ttl-bad.conf > checkconf.out$n 2>&1 && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF -z max-ttl-bad.conf >checkconf.out$n 2>&1 && ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking that named-checkconf -z skips zone check with alternate databases ($n)"
ret=0
$CHECKCONF -z altdb.conf > checkconf.out$n 2>&1 || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF -z altdb.conf >checkconf.out$n 2>&1 || ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking that named-checkconf -z skips zone check with DLZ ($n)"
ret=0
$CHECKCONF -z altdlz.conf > checkconf.out$n 2>&1 || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF -z altdlz.conf >checkconf.out$n 2>&1 || ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking that named-checkconf -z fails on view with ANY class ($n)"
ret=0
$CHECKCONF -z view-class-any1.conf > checkconf.out$n 2>&1 && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF -z view-class-any1.conf >checkconf.out$n 2>&1 && ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking that named-checkconf -z fails on view with CLASS255 class ($n)"
ret=0
$CHECKCONF -z view-class-any2.conf > checkconf.out$n 2>&1 && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF -z view-class-any2.conf >checkconf.out$n 2>&1 && ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking that named-checkconf -z passes on view with IN class ($n)"
ret=0
$CHECKCONF -z view-class-in1.conf > checkconf.out$n 2>&1 || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF -z view-class-in1.conf >checkconf.out$n 2>&1 || ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking that named-checkconf -z passes on view with CLASS1 class ($n)"
ret=0
$CHECKCONF -z view-class-in2.conf > checkconf.out$n 2>&1 || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF -z view-class-in2.conf >checkconf.out$n 2>&1 || ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that check-names fails as configured ($n)"
ret=0
$CHECKCONF -z check-names-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "near '_underscore': bad name (check-names)" < checkconf.out$n > /dev/null || ret=1
grep "zone check-names/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF -z check-names-fail.conf >checkconf.out$n 2>&1 && ret=1
grep "near '_underscore': bad name (check-names)" <checkconf.out$n >/dev/null || ret=1
grep "zone check-names/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that check-mx fails as configured ($n)"
ret=0
$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "near '10.0.0.1': MX is an address" < checkconf.out$n > /dev/null || ret=1
grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF -z check-mx-fail.conf >checkconf.out$n 2>&1 && ret=1
grep "near '10.0.0.1': MX is an address" <checkconf.out$n >/dev/null || ret=1
grep "zone check-mx/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that check-dup-records fails as configured ($n)"
ret=0
$CHECKCONF -z check-dup-records-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "has semantically identical records" < checkconf.out$n > /dev/null || ret=1
grep "zone check-dup-records/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF -z check-dup-records-fail.conf >checkconf.out$n 2>&1 && ret=1
grep "has semantically identical records" <checkconf.out$n >/dev/null || ret=1
grep "zone check-dup-records/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that check-mx fails as configured ($n)"
ret=0
$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "failed: MX is an address" < checkconf.out$n > /dev/null || ret=1
grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF -z check-mx-fail.conf >checkconf.out$n 2>&1 && ret=1
grep "failed: MX is an address" <checkconf.out$n >/dev/null || ret=1
grep "zone check-mx/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that check-mx-cname fails as configured ($n)"
ret=0
$CHECKCONF -z check-mx-cname-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "MX.* is a CNAME (illegal)" < checkconf.out$n > /dev/null || ret=1
grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF -z check-mx-cname-fail.conf >checkconf.out$n 2>&1 && ret=1
grep "MX.* is a CNAME (illegal)" <checkconf.out$n >/dev/null || ret=1
grep "zone check-mx-cname/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that check-srv-cname fails as configured ($n)"
ret=0
$CHECKCONF -z check-srv-cname-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "SRV.* is a CNAME (illegal)" < checkconf.out$n > /dev/null || ret=1
grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF -z check-srv-cname-fail.conf >checkconf.out$n 2>&1 && ret=1
grep "SRV.* is a CNAME (illegal)" <checkconf.out$n >/dev/null || ret=1
grep "zone check-mx-cname/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that named-checkconf -p properly print a port range ($n)"
ret=0
$CHECKCONF -p portrange-good.conf > checkconf.out$n 2>&1 || ret=1
grep "range 8610 8614;" < checkconf.out$n > /dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF -p portrange-good.conf >checkconf.out$n 2>&1 || ret=1
grep "range 8610 8614;" <checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that named-checkconf -z handles in-view ($n)"
ret=0
$CHECKCONF -z in-view-good.conf > checkconf.out$n 2>&1 || ret=1
grep "zone shared.example/IN: loaded serial" < checkconf.out$n > /dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF -z in-view-good.conf >checkconf.out$n 2>&1 || ret=1
grep "zone shared.example/IN: loaded serial" <checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that named-checkconf -z returns error when a later view is okay ($n)"
ret=0
$CHECKCONF -z check-missing-zone.conf > checkconf.out$n 2>&1 && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF -z check-missing-zone.conf >checkconf.out$n 2>&1 && ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that named-checkconf prints max-cache-size <percentage> correctly ($n)"
ret=0
$CHECKCONF -p max-cache-size-good.conf > checkconf.out$n 2>&1 || ret=1
grep "max-cache-size 60%;" < checkconf.out$n > /dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF -p max-cache-size-good.conf >checkconf.out$n 2>&1 || ret=1
grep "max-cache-size 60%;" <checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that named-checkconf -l prints out the zone list ($n)"
ret=0
$CHECKCONF -l good.conf |
grep -v "is deprecated" |
grep -v "is not implemented" |
grep -v "is not recommended" |
grep -v "no longer exists" |
grep -v "is obsolete" > checkconf.out$n || ret=1
diff good.zonelist checkconf.out$n > diff.out$n || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF -l good.conf \
| grep -v "is deprecated" \
| grep -v "is not implemented" \
| grep -v "is not recommended" \
| grep -v "no longer exists" \
| grep -v "is obsolete" >checkconf.out$n || ret=1
diff good.zonelist checkconf.out$n >diff.out$n || ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that the 2010 ICANN ROOT KSK without the 2017 ICANN ROOT KSK generates a warning ($n)"
ret=0
$CHECKCONF check-root-ksk-2010.conf > checkconf.out$n 2>/dev/null || ret=1
$CHECKCONF check-root-ksk-2010.conf >checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] || ret=1
grep "key without the updated" < checkconf.out$n > /dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
grep "key without the updated" <checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not generate a warning ($n)"
ret=0
$CHECKCONF check-root-ksk-both.conf > checkconf.out$n 2>/dev/null || ret=1
$CHECKCONF check-root-ksk-both.conf >checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that the 2017 ICANN ROOT KSK alone does not generate a warning ($n)"
ret=0
$CHECKCONF check-root-ksk-2017.conf > checkconf.out$n 2>/dev/null || ret=1
$CHECKCONF check-root-ksk-2017.conf >checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that a static root key generates a warning ($n)"
ret=0
$CHECKCONF check-root-static-key.conf > checkconf.out$n 2>/dev/null || ret=1
grep "static entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF check-root-static-key.conf >checkconf.out$n 2>/dev/null || ret=1
grep "static entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that a static root DS trust anchor generates a warning ($n)"
ret=0
$CHECKCONF check-root-static-ds.conf > checkconf.out$n 2>/dev/null || ret=1
grep "static entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF check-root-static-ds.conf >checkconf.out$n 2>/dev/null || ret=1
grep "static entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that a trusted-keys entry for root generates a warning ($n)"
ret=0
$CHECKCONF check-root-trusted-key.conf > checkconf.out$n 2>/dev/null || ret=1
grep "trusted-keys entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF check-root-trusted-key.conf >checkconf.out$n 2>/dev/null || ret=1
grep "trusted-keys entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that using trust-anchors and managed-keys generates an error ($n)"
ret=0
$CHECKCONF check-mixed-keys.conf > checkconf.out$n 2>/dev/null && ret=1
grep "use of managed-keys is not allowed" checkconf.out$n > /dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF check-mixed-keys.conf >checkconf.out$n 2>/dev/null && ret=1
grep "use of managed-keys is not allowed" checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking named-checkconf kasp errors ($n)"
ret=0
$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1
grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" < checkconf.out$n > /dev/null || ret=1
$CHECKCONF kasp-and-other-dnssec-options.conf >checkconf.out$n 2>&1 && ret=1
grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" <checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -494,15 +613,15 @@ n=$((n + 1))
echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)"
ret=0
if ! ($SHELL ../testcrypto.sh -q RSASHA1); then
conf=kasp-bad-nsec3-iter-fips.conf
expect=2
conf=kasp-bad-nsec3-iter-fips.conf
expect=2
else
conf=kasp-bad-nsec3-iter.conf
expect=3
conf=kasp-bad-nsec3-iter.conf
expect=3
fi
$CHECKCONF $conf > checkconf.out$n 2>&1 && ret=1
grep "dnssec-policy: nsec3 iterations value 151 out of range" < checkconf.out$n > /dev/null || ret=1
lines=$(wc -l < "checkconf.out$n")
$CHECKCONF $conf >checkconf.out$n 2>&1 && ret=1
grep "dnssec-policy: nsec3 iterations value 151 out of range" <checkconf.out$n >/dev/null || ret=1
lines=$(wc -l <"checkconf.out$n")
if [ $lines -ne $expect ]; then ret=1; fi
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -510,11 +629,11 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking named-checkconf kasp nsec3 algorithm errors ($n)"
ret=0
$CHECKCONF kasp-bad-nsec3-alg.conf > checkconf.out$n 2>&1 && ret=1
$CHECKCONF kasp-bad-nsec3-alg.conf >checkconf.out$n 2>&1 && ret=1
if ! ($SHELL ../testcrypto.sh -q RSASHA1); then
grep "dnssec-policy: algorithm rsasha1 not supported" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-policy: algorithm rsasha1 not supported" <checkconf.out$n >/dev/null || ret=1
else
grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" <checkconf.out$n >/dev/null || ret=1
fi
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -522,18 +641,18 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking named-checkconf kasp key errors ($n)"
ret=0
$CHECKCONF kasp-bad-keylen.conf > checkconf.out$n 2>&1 && ret=1
grep "dnssec-policy: key with algorithm rsasha256 has invalid key length 511" < checkconf.out$n > /dev/null || ret=1
$CHECKCONF kasp-bad-keylen.conf >checkconf.out$n 2>&1 && ret=1
grep "dnssec-policy: key with algorithm rsasha256 has invalid key length 511" <checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking named-checkconf kasp signatures refresh errors ($n)"
ret=0
$CHECKCONF kasp-bad-signatures-refresh.conf > checkconf.out$n 2>&1 && ret=1
grep "dnssec-policy: policy 'bad-sigrefresh' signatures-refresh must be at most 90% of the signatures-validity" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-policy: policy 'bad-sigrefresh-dnskey' signatures-refresh must be at most 90% of the signatures-validity-dnskey" < checkconf.out$n > /dev/null || ret=1
lines=$(wc -l < "checkconf.out$n")
$CHECKCONF kasp-bad-signatures-refresh.conf >checkconf.out$n 2>&1 && ret=1
grep "dnssec-policy: policy 'bad-sigrefresh' signatures-refresh must be at most 90% of the signatures-validity" <checkconf.out$n >/dev/null || ret=1
grep "dnssec-policy: policy 'bad-sigrefresh-dnskey' signatures-refresh must be at most 90% of the signatures-validity-dnskey" <checkconf.out$n >/dev/null || ret=1
lines=$(wc -l <"checkconf.out$n")
if [ $lines -ne 2 ]; then ret=1; fi
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -541,8 +660,8 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking named-checkconf kasp key lifetime errors ($n)"
ret=0
$CHECKCONF kasp-bad-lifetime.conf > checkconf.out$n 2>&1 && ret=1
lines=$(grep "dnssec-policy: key lifetime is shorter than the time it takes to do a rollover" < checkconf.out$n | wc -l) || ret=1
$CHECKCONF kasp-bad-lifetime.conf >checkconf.out$n 2>&1 && ret=1
lines=$(grep "dnssec-policy: key lifetime is shorter than the time it takes to do a rollover" <checkconf.out$n | wc -l) || ret=1
if [ $lines -ne 3 ]; then ret=1; fi
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -550,21 +669,21 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking named-checkconf kasp predefined key length ($n)"
ret=0
$CHECKCONF kasp-ignore-keylen.conf > checkconf.out$n 2>&1 || ret=1
grep "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" < checkconf.out$n > /dev/null || ret=1
$CHECKCONF kasp-ignore-keylen.conf >checkconf.out$n 2>&1 || ret=1
grep "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" <checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking named-checkconf kasp warns about weird policies ($n)"
ret=0
$CHECKCONF kasp-warning.conf > checkconf.out$n 2>&1 || ret=1
grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-policy: algorithm 13 has multiple keys with KSK role" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-policy: algorithm 13 has multiple keys with ZSK role" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-policy: key lifetime is shorter than 30 days" < checkconf.out$n > /dev/null || ret=1
lines=$(wc -l < "checkconf.out$n")
$CHECKCONF kasp-warning.conf >checkconf.out$n 2>&1 || ret=1
grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" <checkconf.out$n >/dev/null || ret=1
grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" <checkconf.out$n >/dev/null || ret=1
grep "dnssec-policy: algorithm 13 has multiple keys with KSK role" <checkconf.out$n >/dev/null || ret=1
grep "dnssec-policy: algorithm 13 has multiple keys with ZSK role" <checkconf.out$n >/dev/null || ret=1
grep "dnssec-policy: key lifetime is shorter than 30 days" <checkconf.out$n >/dev/null || ret=1
lines=$(wc -l <"checkconf.out$n")
if [ $lines -ne 5 ]; then ret=1; fi
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -572,16 +691,16 @@ status=$((status + ret))
n=$((n + 1))
echo_i "check that a good 'kasp' configuration is accepted ($n)"
ret=0
$CHECKCONF good-kasp.conf > checkconf.out$n 2>/dev/null || ret=1
$CHECKCONF good-kasp.conf >checkconf.out$n 2>/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking that named-checkconf prints a known good kasp config ($n)"
ret=0
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf > good-kasp.conf.in
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf >good-kasp.conf.in
[ -s good-kasp.conf.in ] || ret=1
$CHECKCONF -p good-kasp.conf.in | grep -v '^good-kasp.conf.in:' > good-kasp.conf.out 2>&1 || ret=1
$CHECKCONF -p good-kasp.conf.in | grep -v '^good-kasp.conf.in:' >good-kasp.conf.out 2>&1 || ret=1
cmp good-kasp.conf.in good-kasp.conf.out || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -589,37 +708,49 @@ status=$((status + ret))
n=$((n + 1))
echo_i "check that max-ixfr-ratio 100% generates a warning ($n)"
ret=0
$CHECKCONF warn-maxratio1.conf > checkconf.out$n 2>/dev/null || ret=1
grep "exceeds 100%" < checkconf.out$n > /dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF warn-maxratio1.conf >checkconf.out$n 2>/dev/null || ret=1
grep "exceeds 100%" <checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that *-source options with specified port generate warnings ($n)"
ret=0
$CHECKCONF warn-transfer-source.conf > checkconf.out$n 2>/dev/null || ret=1
grep "not recommended" < checkconf.out$n > /dev/null || ret=1
$CHECKCONF warn-notify-source.conf > checkconf.out$n 2>/dev/null || ret=1
grep "not recommended" < checkconf.out$n > /dev/null || ret=1
$CHECKCONF warn-parental-source.conf > checkconf.out$n 2>/dev/null || ret=1
grep "not recommended" < checkconf.out$n > /dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF warn-transfer-source.conf >checkconf.out$n 2>/dev/null || ret=1
grep "not recommended" <checkconf.out$n >/dev/null || ret=1
$CHECKCONF warn-notify-source.conf >checkconf.out$n 2>/dev/null || ret=1
grep "not recommended" <checkconf.out$n >/dev/null || ret=1
$CHECKCONF warn-parental-source.conf >checkconf.out$n 2>/dev/null || ret=1
grep "not recommended" <checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that 'check-wildcard no;' succeeds as configured ($n)"
ret=0
$CHECKCONF -z check-wildcard-no.conf > checkconf.out$n 2>&1 || ret=1
grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF -z check-wildcard-no.conf >checkconf.out$n 2>&1 || ret=1
grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n >/dev/null && ret=1
if [ $ret != 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that 'check-wildcard yes;' warns as configured ($n)"
ret=0
$CHECKCONF -z check-wildcard.conf > checkconf.out$n 2>&1 || ret=1
grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
$CHECKCONF -z check-wildcard.conf >checkconf.out$n 2>&1 || ret=1
grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
echo_i "exit status: $status"


@ -25,10 +25,10 @@ echo_i "ns1/setup.sh"
ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
# Configure the resolving server with a static key.
keyfile_to_static_ds "$ksk" > trusted.conf
keyfile_to_static_ds "$ksk" >trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns9/trusted.conf


@ -17,18 +17,17 @@
echo_i "ns2/setup.sh"
for zn in \
ns2 ns2-4 ns2-4-5 ns2-4-6 ns2-5-7 \
ns5 ns5-6-7 ns5-7 ns6
do
zone="${zn}"
infile="${zn}.db.infile"
zonefile="${zn}.db"
ns2 ns2-4 ns2-4-5 ns2-4-6 ns2-5-7 \
ns5 ns5-6-7 ns5-7 ns6; do
zone="${zn}"
infile="${zn}.db.infile"
zonefile="${zn}.db"
# The signing key is copied from ns5.
CSK=$(cat "${zn}.keyname")
cat "${zn}.db.in" "${CSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1
# The signing key is copied from ns5.
CSK=$(cat "${zn}.keyname")
cat "${zn}.db.in" "${CSK}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile >signer.out.$zone 2>&1
cp "dsset-${zn}." ../ns1/
cp "dsset-${zn}." ../ns1/
done


@ -17,20 +17,19 @@
echo_i "ns5/setup.sh"
for zn in \
ns2 ns2-4 ns2-4-5 ns2-4-6 ns2-5-7 \
ns5 ns5-6-7 ns5-7 ns6
do
zone="${zn}"
infile="${zn}.db.infile"
zonefile="${zn}.db"
ns2 ns2-4 ns2-4-5 ns2-4-6 ns2-5-7 \
ns5 ns5-6-7 ns5-7 ns6; do
zone="${zn}"
infile="${zn}.db.infile"
zonefile="${zn}.db"
CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone)
cat "${zn}.db.in" "${CSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1
CSK=$($KEYGEN -k default $zone 2>keygen.out.$zone)
cat "${zn}.db.in" "${CSK}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile >signer.out.$zone 2>&1
# Copy key to ns2, the other primary.
echo "${CSK}" > "../ns2/${zn}.keyname"
cp "${CSK}.key" ../ns2/
cp "${CSK}.private" ../ns2/
# Copy key to ns2, the other primary.
echo "${CSK}" >"../ns2/${zn}.keyname"
cp "${CSK}.key" ../ns2/
cp "${CSK}.private" ../ns2/
done


@ -17,35 +17,35 @@
echo_i "ns9/setup.sh"
setup() {
zone="$1"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="${zone}.db.infile"
echo "$zone" >> zones
zone="$1"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="${zone}.db.infile"
echo "$zone" >>zones
}
sign_dspublish() {
cp template.db.in "$zonefile"
keytimes="-P $T -P sync $T -A $T"
CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone)
$SETTIME -s -g $O -k $O $T -r $O $T -z $O $T -d $R $T "$CSK" > settime.out.$zone 2>&1
cat "$zonefile" "${CSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
cp "dsset-${zone}." ../ns2/
cp template.db.in "$zonefile"
keytimes="-P $T -P sync $T -A $T"
CSK=$($KEYGEN -k default $keytimes $zone 2>keygen.out.$zone)
$SETTIME -s -g $O -k $O $T -r $O $T -z $O $T -d $R $T "$CSK" >settime.out.$zone 2>&1
cat "$zonefile" "${CSK}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
cp "dsset-${zone}." ../ns2/
}
sign_dsremoved() {
cp template.db.in "$zonefile"
keytimes="-P $Y -P sync $Y -A $Y"
CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone)
$SETTIME -s -g $H -k $O $T -r $O $T -z $O $T -d $U $T "$CSK" > settime.out.$zone 2>&1
cat "$zonefile" "${CSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
cp "dsset-${zone}." ../ns2/
cp template.db.in "$zonefile"
keytimes="-P $Y -P sync $Y -A $Y"
CSK=$($KEYGEN -k default $keytimes $zone 2>keygen.out.$zone)
$SETTIME -s -g $H -k $O $T -r $O $T -z $O $T -d $U $T "$CSK" >settime.out.$zone 2>&1
cat "$zonefile" "${CSK}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
cp "dsset-${zone}." ../ns2/
}
# Short environment variable names for key states and times.
@ -57,38 +57,34 @@ T="now-30d"
Y="now-1y"
# DS Publication.
for checkds in explicit yes no
do
for zn in \
good.${checkds}.dspublish.ns2 \
reference.${checkds}.dspublish.ns2 \
resolver.${checkds}.dspublish.ns2 \
not-yet.${checkds}.dspublish.ns5 \
bad.${checkds}.dspublish.ns6 \
good.${checkds}.dspublish.ns2-4 \
incomplete.${checkds}.dspublish.ns2-4-5 \
bad.${checkds}.dspublish.ns2-4-6
do
setup "${zn}"
sign_dspublish
done
for checkds in explicit yes no; do
for zn in \
good.${checkds}.dspublish.ns2 \
reference.${checkds}.dspublish.ns2 \
resolver.${checkds}.dspublish.ns2 \
not-yet.${checkds}.dspublish.ns5 \
bad.${checkds}.dspublish.ns6 \
good.${checkds}.dspublish.ns2-4 \
incomplete.${checkds}.dspublish.ns2-4-5 \
bad.${checkds}.dspublish.ns2-4-6; do
setup "${zn}"
sign_dspublish
done
done
# DS Withdrawal.
for checkds in explicit yes no
do
for zn in \
good.${checkds}.dsremoved.ns5 \
resolver.${checkds}.dsremoved.ns5 \
still-there.${checkds}.dsremoved.ns2 \
bad.${checkds}.dsremoved.ns6 \
good.${checkds}.dsremoved.ns5-7 \
incomplete.${checkds}.dsremoved.ns2-5-7 \
bad.${checkds}.dsremoved.ns5-6-7
do
setup "${zn}"
sign_dsremoved
done
for checkds in explicit yes no; do
for zn in \
good.${checkds}.dsremoved.ns5 \
resolver.${checkds}.dsremoved.ns5 \
still-there.${checkds}.dsremoved.ns2 \
bad.${checkds}.dsremoved.ns6 \
good.${checkds}.dsremoved.ns5-7 \
incomplete.${checkds}.dsremoved.ns2-5-7 \
bad.${checkds}.dsremoved.ns5-6-7; do
setup "${zn}"
sign_dsremoved
done
done
setup "no-ent.ns2"

View File

@ -31,18 +31,18 @@ copy_setports ns10/named.conf.in ns10/named.conf
# Setup zones
(
cd ns9
$SHELL setup.sh
cd ns9
$SHELL setup.sh
)
(
cd ns5
$SHELL setup.sh
cd ns5
$SHELL setup.sh
)
(
cd ns2
$SHELL setup.sh
cd ns2
$SHELL setup.sh
)
(
cd ns1
$SHELL setup.sh
cd ns1
$SHELL setup.sh
)


@ -20,18 +20,18 @@ n=1
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}"
wait_for_record () {
$DIG $DIGOPTS "$1" "$2" "$3" > "$4" || return 1
grep NOERROR "$4" > /dev/null || return 1
return 0
wait_for_record() {
$DIG $DIGOPTS "$1" "$2" "$3" >"$4" || return 1
grep NOERROR "$4" >/dev/null || return 1
return 0
}
# Entry should exist.
echo_i "check for failure from on zone load for 'check-names fail;' ($n)"
ret=0
$DIG $DIGOPTS fail.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1
grep SERVFAIL dig.out.ns1.test$n > /dev/null || ret=1
grep 'xx_xx.fail.example: bad owner name (check-names)' ns1/named.run > /dev/null || ret=1
$DIG $DIGOPTS fail.example. @10.53.0.1 a >dig.out.ns1.test$n || ret=1
grep SERVFAIL dig.out.ns1.test$n >/dev/null || ret=1
grep 'xx_xx.fail.example: bad owner name (check-names)' ns1/named.run >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
@ -39,7 +39,7 @@ n=$((n + 1))
# Entry should exist.
echo_i "check for warnings from on zone load for 'check-names warn;' ($n)"
ret=0
grep 'xx_xx.warn.example: bad owner name (check-names)' ns1/named.run > /dev/null || ret=1
grep 'xx_xx.warn.example: bad owner name (check-names)' ns1/named.run >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
@ -55,10 +55,10 @@ n=$((n + 1))
# Entry should exist
echo_i "check that 'check-names response warn;' works ($n)"
ret=0
$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1
$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.1 a >dig.out.ns1.test$n || ret=1
$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
digcomp dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
grep "check-names warning yy_yy.ignore.example/A/IN" ns2/named.run > /dev/null || ret=1
grep "check-names warning yy_yy.ignore.example/A/IN" ns2/named.run >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
@ -66,11 +66,11 @@ n=$((n + 1))
# Entry should exist
echo_i "check that 'check-names response (owner) fails;' works ($n)"
ret=0
$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1
$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
grep REFUSED dig.out.ns3.test$n > /dev/null || ret=1
grep "check-names failure yy_yy.ignore.example/A/IN" ns3/named.run > /dev/null || ret=1
$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.1 a >dig.out.ns1.test$n || ret=1
$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
grep NOERROR dig.out.ns1.test$n >/dev/null || ret=1
grep REFUSED dig.out.ns3.test$n >/dev/null || ret=1
grep "check-names failure yy_yy.ignore.example/A/IN" ns3/named.run >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
@ -78,11 +78,11 @@ n=$((n + 1))
# Entry should exist
echo_i "check that 'check-names response (rdata) fails;' works ($n)"
ret=0
$DIG $DIGOPTS mx.ignore.example. @10.53.0.1 MX > dig.out.ns1.test$n || ret=1
$DIG $DIGOPTS mx.ignore.example. @10.53.0.3 MX > dig.out.ns3.test$n || ret=1
grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
grep SERVFAIL dig.out.ns3.test$n > /dev/null || ret=1
grep "check-names failure mx.ignore.example/MX/IN" ns3/named.run > /dev/null || ret=1
$DIG $DIGOPTS mx.ignore.example. @10.53.0.1 MX >dig.out.ns1.test$n || ret=1
$DIG $DIGOPTS mx.ignore.example. @10.53.0.3 MX >dig.out.ns3.test$n || ret=1
grep NOERROR dig.out.ns1.test$n >/dev/null || ret=1
grep SERVFAIL dig.out.ns3.test$n >/dev/null || ret=1
grep "check-names failure mx.ignore.example/MX/IN" ns3/named.run >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
@ -90,31 +90,31 @@ n=$((n + 1))
echo_i "check that updates to 'check-names fail;' are rejected ($n)"
ret=0
not=1
$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || not=0
$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || not=0
check-names off
server 10.53.0.1 ${PORT}
update add xxx_xxx.fail.update. 600 A 10.10.10.1
send
END
if [ $not != 0 ]; then ret=1; fi
$DIG $DIGOPTS xxx_xxx.fail.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1
grep "xxx_xxx.fail.update/A: bad owner name (check-names)" ns1/named.run > /dev/null || ret=1
grep NXDOMAIN dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS xxx_xxx.fail.update @10.53.0.1 A >dig.out.ns1.test$n || ret=1
grep "xxx_xxx.fail.update/A: bad owner name (check-names)" ns1/named.run >/dev/null || ret=1
grep NXDOMAIN dig.out.ns1.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that updates to 'check-names warn;' succeed and are logged ($n)"
ret=0
$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1|| ret=1
$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || ret=1
check-names off
server 10.53.0.1 ${PORT}
update add xxx_xxx.warn.update. 600 A 10.10.10.1
send
END
$DIG $DIGOPTS xxx_xxx.warn.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1
grep "xxx_xxx.warn.update/A: bad owner name (check-names)" ns1/named.run > /dev/null || ret=1
grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS xxx_xxx.warn.update @10.53.0.1 A >dig.out.ns1.test$n || ret=1
grep "xxx_xxx.warn.update/A: bad owner name (check-names)" ns1/named.run >/dev/null || ret=1
grep NOERROR dig.out.ns1.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
@ -122,16 +122,16 @@ n=$((n + 1))
echo_i "check that updates to 'check-names ignore;' succeed and are not logged ($n)"
ret=0
not=1
$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1
$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || ret=1
check-names off
server 10.53.0.1 ${PORT}
update add xxx_xxx.ignore.update. 600 A 10.10.10.1
send
END
grep "xxx_xxx.ignore.update/A.*(check-names)" ns1/named.run > /dev/null || not=0
grep "xxx_xxx.ignore.update/A.*(check-names)" ns1/named.run >/dev/null || not=0
if [ $not != 0 ]; then ret=1; fi
$DIG $DIGOPTS xxx_xxx.ignore.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1
grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS xxx_xxx.ignore.update @10.53.0.1 A >dig.out.ns1.test$n || ret=1
grep NOERROR dig.out.ns1.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
@ -139,16 +139,16 @@ n=$((n + 1))
echo_i "check that updates to 'check-names primary ignore;' succeed and are not logged ($n)"
ret=0
not=1
$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1
$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || ret=1
check-names off
server 10.53.0.4 ${PORT}
update add xxx_xxx.primary-ignore.update. 600 A 10.10.10.1
send
END
grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns4/named.run > /dev/null || not=0
grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns4/named.run >/dev/null || not=0
if [ $not != 0 ]; then ret=1; fi
$DIG $DIGOPTS xxx_xxx.primary-ignore.update @10.53.0.4 A > dig.out.ns4.test$n || ret=1
grep NOERROR dig.out.ns4.test$n > /dev/null || ret=1
$DIG $DIGOPTS xxx_xxx.primary-ignore.update @10.53.0.4 A >dig.out.ns4.test$n || ret=1
grep NOERROR dig.out.ns4.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
@ -156,26 +156,26 @@ n=$((n + 1))
echo_i "check that updates to 'check-names master ignore;' succeed and are not logged ($n)"
ret=0
not=1
$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1
$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || ret=1
check-names off
server 10.53.0.5 ${PORT}
update add xxx_xxx.master-ignore.update. 600 A 10.10.10.1
send
END
grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns5/named.run > /dev/null || not=0
grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns5/named.run >/dev/null || not=0
if [ $not != 0 ]; then ret=1; fi
$DIG $DIGOPTS xxx_xxx.master-ignore.update @10.53.0.5 A > dig.out.ns5.test$n || ret=1
grep NOERROR dig.out.ns5.test$n > /dev/null || ret=1
$DIG $DIGOPTS xxx_xxx.master-ignore.update @10.53.0.5 A >dig.out.ns5.test$n || ret=1
grep NOERROR dig.out.ns5.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
status=$((status + ret))
n=$((n + 1))
echo_i "check that updates to 'check-names secondary ignore;' succeed and are not logged ($n)"
ret=0
# takes a while for the transfer to succeed as ns5 (primary) is started after ns4 (secondary)
# and the zone is still loading when we get to this point.
retry_quiet 35 wait_for_record xxx_xxx.master-ignore.update @10.53.0.4 A dig.out.ns4.test$n || ret=1
grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns4/named.run > /dev/null && ret=1
grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns4/named.run >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
@ -183,10 +183,10 @@ n=$((n + 1))
echo_i "check that updates to 'check-names master ignore;' succeed and are not logged ($n)"
ret=0
retry_quiet 35 wait_for_record xxx_xxx.primary-ignore.update @10.53.0.5 A dig.out.ns5.test$n || ret=1
grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns5/named.run > /dev/null && ret=1
grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns5/named.run >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
status=$((status + ret))
n=$((n + 1))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1


@ -16,6 +16,6 @@
ln -s $CHECKZONE named-compilezone
./named-compilezone -D -F raw -o good1.db.raw example \
zones/good1.db > /dev/null 2>&1
zones/good1.db >/dev/null 2>&1
copy_setports zones/bad-tsig.db.in zones/bad-tsig.db


@ -18,121 +18,119 @@ set -e
status=0
n=1
for db in zones/good*.db
do
echo_i "checking $db ($n)"
ret=0
case $db in
zones/good-gc-msdcs.db|zones/good-spf-exception.db)
$CHECKZONE -k fail -i local example $db > test.out.$n 2>&1 || ret=1
;;
zones/good-dns-sd-reverse.db)
$CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db > test.out.$n 2>&1 || ret=1
;;
*)
$CHECKZONE -i local example $db > test.out.$n 2>&1 || ret=1
;;
esac
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
for db in zones/good*.db; do
echo_i "checking $db ($n)"
ret=0
case $db in
zones/good-gc-msdcs.db | zones/good-spf-exception.db)
$CHECKZONE -k fail -i local example $db >test.out.$n 2>&1 || ret=1
;;
zones/good-dns-sd-reverse.db)
$CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db >test.out.$n 2>&1 || ret=1
;;
*)
$CHECKZONE -i local example $db >test.out.$n 2>&1 || ret=1
;;
esac
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
done
for db in zones/bad*.db
do
echo_i "checking $db ($n)"
ret=0 v=0
case $db in
zones/bad-dns-sd-reverse.db|zones/bad-svcb-servername.db)
$CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db > test.out.$n 2>&1 || v=$?
;;
*)
$CHECKZONE -i local example $db > test.out.$n 2>&1 || v=$?
;;
esac
test $v = 1 || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
for db in zones/bad*.db; do
echo_i "checking $db ($n)"
ret=0 v=0
case $db in
zones/bad-dns-sd-reverse.db | zones/bad-svcb-servername.db)
$CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db >test.out.$n 2>&1 || v=$?
;;
*)
$CHECKZONE -i local example $db >test.out.$n 2>&1 || v=$?
;;
esac
test $v = 1 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
done
echo_i "checking with journal file ($n)"
ret=0
$CHECKZONE -D -o test.orig.db test zones/test1.db > /dev/null 2>&1 || ret=1
$CHECKZONE -D -o test.changed.db test zones/test2.db > /dev/null 2>&1 || ret=1
$CHECKZONE -D -o test.orig.db test zones/test1.db >/dev/null 2>&1 || ret=1
$CHECKZONE -D -o test.changed.db test zones/test2.db >/dev/null 2>&1 || ret=1
$MAKEJOURNAL test test.orig.db test.changed.db test.orig.db.jnl 2>&1 || ret=1
jlines=$($JOURNALPRINT test.orig.db.jnl | wc -l)
[ $jlines = 3 ] || ret=1
$CHECKZONE -D -j -o test.out1.db test test.orig.db > /dev/null 2>&1 || ret=1
$CHECKZONE -D -j -o test.out1.db test test.orig.db >/dev/null 2>&1 || ret=1
cmp -s test.changed.db test.out1.db || ret=1
mv -f test.orig.db.jnl test.journal
$CHECKZONE -D -J test.journal -o test.out2.db test test.orig.db > /dev/null 2>&1 || ret=1
$CHECKZONE -D -J test.journal -o test.out2.db test test.orig.db >/dev/null 2>&1 || ret=1
cmp -s test.changed.db test.out2.db || ret=1
n=$((n+1))
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking with spf warnings ($n)"
ret=0
$CHECKZONE example zones/spf.db > test.out1.$n 2>&1 || ret=1
$CHECKZONE -T ignore example zones/spf.db > test.out2.$n 2>&1 || ret=1
grep "'x.example' found type SPF" test.out1.$n > /dev/null && ret=1
grep "'y.example' found type SPF" test.out1.$n > /dev/null || ret=1
grep "'example' found type SPF" test.out1.$n > /dev/null && ret=1
grep "'x.example' found type SPF" test.out2.$n > /dev/null && ret=1
grep "'y.example' found type SPF" test.out2.$n > /dev/null && ret=1
grep "'example' found type SPF" test.out2.$n > /dev/null && ret=1
n=$((n+1))
$CHECKZONE example zones/spf.db >test.out1.$n 2>&1 || ret=1
$CHECKZONE -T ignore example zones/spf.db >test.out2.$n 2>&1 || ret=1
grep "'x.example' found type SPF" test.out1.$n >/dev/null && ret=1
grep "'y.example' found type SPF" test.out1.$n >/dev/null || ret=1
grep "'example' found type SPF" test.out1.$n >/dev/null && ret=1
grep "'x.example' found type SPF" test.out2.$n >/dev/null && ret=1
grep "'y.example' found type SPF" test.out2.$n >/dev/null && ret=1
grep "'example' found type SPF" test.out2.$n >/dev/null && ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking with max ttl (text) ($n)"
ret=0
$CHECKZONE -l 300 example zones/good1.db > test.out1.$n 2>&1 && ret=1
$CHECKZONE -l 600 example zones/good1.db > test.out2.$n 2>&1 || ret=1
n=$((n+1))
$CHECKZONE -l 300 example zones/good1.db >test.out1.$n 2>&1 && ret=1
$CHECKZONE -l 600 example zones/good1.db >test.out2.$n 2>&1 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking with max ttl (raw) ($n)"
ret=0
$CHECKZONE -f raw -l 300 example good1.db.raw > test.out1.$n 2>&1 && ret=1
$CHECKZONE -f raw -l 600 example good1.db.raw > test.out2.$n 2>&1 || ret=1
n=$((n+1))
$CHECKZONE -f raw -l 300 example good1.db.raw >test.out1.$n 2>&1 && ret=1
$CHECKZONE -f raw -l 600 example good1.db.raw >test.out2.$n 2>&1 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking for no 'inherited owner' warning on '\$INCLUDE file' with no new \$ORIGIN ($n)"
ret=0
$CHECKZONE example zones/nowarn.inherited.owner.db > test.out1.$n 2>&1 || ret=1
grep "inherited.owner" test.out1.$n > /dev/null && ret=1
n=$((n+1))
$CHECKZONE example zones/nowarn.inherited.owner.db >test.out1.$n 2>&1 || ret=1
grep "inherited.owner" test.out1.$n >/dev/null && ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking for 'inherited owner' warning on '\$ORIGIN + \$INCLUDE file' ($n)"
ret=0
$CHECKZONE example zones/warn.inherit.origin.db > test.out1.$n 2>&1 || ret=1
grep "inherited.owner" test.out1.$n > /dev/null || ret=1
n=$((n+1))
$CHECKZONE example zones/warn.inherit.origin.db >test.out1.$n 2>&1 || ret=1
grep "inherited.owner" test.out1.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking for 'inherited owner' warning on '\$INCLUDE file origin' ($n)"
ret=0
$CHECKZONE example zones/warn.inherited.owner.db > test.out1.$n 2>&1 || ret=1
grep "inherited.owner" test.out1.$n > /dev/null || ret=1
n=$((n+1))
$CHECKZONE example zones/warn.inherited.owner.db >test.out1.$n 2>&1 || ret=1
grep "inherited.owner" test.out1.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking that raw zone with bad class is handled ($n)"
ret=0
$CHECKZONE -f raw example zones/bad-badclass.raw > test.out.$n 2>&1 && ret=1
$CHECKZONE -f raw example zones/bad-badclass.raw >test.out.$n 2>&1 && ret=1
grep "failed: bad class" test.out.$n >/dev/null || ret=1
n=$((n+1))
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking that expirations that loop using serial arithmetic are handled ($n)"
ret=0
@ -159,56 +157,56 @@ test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
n=$((n+1))
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking that nameserver below DNAME is reported even with occulted address record present ($n)"
ret=0
$CHECKZONE example.com zones/ns-address-below-dname.db > test.out.$n 2>&1 && ret=1
$CHECKZONE example.com zones/ns-address-below-dname.db >test.out.$n 2>&1 && ret=1
grep "is below a DNAME" test.out.$n >/dev/null || ret=1
n=$((n+1))
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking that delegating nameserver below DNAME is reported even with occulted address record present ($n)"
ret=0
$CHECKZONE example.com zones/delegating-ns-address-below-dname.db > test.out.$n 2>&1 || ret=1
$CHECKZONE example.com zones/delegating-ns-address-below-dname.db >test.out.$n 2>&1 || ret=1
grep "is below a DNAME" test.out.$n >/dev/null || ret=1
n=$((n+1))
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that named-compilezone works when reading input from stdin ($n)"
ret=0
# Step 1: take raw input from stdin and convert it to text/relative format.
# Last argument "-" is optional, but it says more explicitly that we're reading from stdin.
cat zones/zone1.db | ./named-compilezone -f text -F text -s relative \
-o zones/zone1_stdin.txt zone1.com - > /dev/null || ret=1
status=$((status+ret))
-o zones/zone1_stdin.txt zone1.com - >/dev/null || ret=1
status=$((status + ret))
ret=0
# Step 2: take raw input from file and convert it to text format.
./named-compilezone -f text -F text -s relative -o zones/zone1_file.txt \
zone1.com zones/zone1.db > /dev/null || ret=1
status=$((status+ret))
zone1.com zones/zone1.db >/dev/null || ret=1
status=$((status + ret))
ret=0
# Step 3: Ensure that output conversion from stdin is the same as the output conversion from a file.
diff zones/zone1_file.txt zones/zone1_stdin.txt >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
ret=0
echo_i "checking integer overflow is prevented in \$GENERATE ($n)"
$CHECKZONE -D example.com zones/generate-overflow.db > test.out.$n 2>&1 || ret=1
$CHECKZONE -D example.com zones/generate-overflow.db >test.out.$n 2>&1 || ret=1
lines=$(grep -c CNAME test.out.$n)
echo $lines
[ "$lines" -eq 1 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1


@ -18,7 +18,6 @@ set -e
# Note that dnsrps.conf is included in named.conf
# and differs from dnsrpz.conf which is used by dnsrpzd.
. ../conf.sh
DNSRPS_CMD=../rpz/dnsrps
@ -28,54 +27,61 @@ TEST_DNSRPS=
MCONF=dnsrps.conf
USAGE="$0: [-xAD] [-M dnsrps.conf]"
while getopts "xADM:S:" c; do
case $c in
x) set -x; DEBUG=-x;;
A) AS_NS=yes;;
D) TEST_DNSRPS=yes;;
M) MCONF="$OPTARG";;
*) echo "$USAGE" 1>&2; exit 1;;
esac
case $c in
x)
set -x
DEBUG=-x
;;
A) AS_NS=yes ;;
D) TEST_DNSRPS=yes ;;
M) MCONF="$OPTARG" ;;
*)
echo "$USAGE" 1>&2
exit 1
;;
esac
done
shift $(expr $OPTIND - 1 || true)
if [ "$#" -ne 0 ]; then
echo "$USAGE" 1>&2
exit 1
echo "$USAGE" 1>&2
exit 1
fi
# erase any existing conf files
cat /dev/null > $MCONF
cat /dev/null >$MCONF
add_conf () {
echo "$*" >>$MCONF
add_conf() {
echo "$*" >>$MCONF
}
if ! $FEATURETEST --enable-dnsrps; then
if [ -n "$TEST_DNSRPS" ]; then
add_conf "## DNSRPS disabled at compile time"
fi
add_conf "#skip"
exit 0
if [ -n "$TEST_DNSRPS" ]; then
add_conf "## DNSRPS disabled at compile time"
fi
add_conf "#skip"
exit 0
fi
if [ -z "$TEST_DNSRPS" ]; then
add_conf "## testing with native RPZ"
add_conf '#skip'
exit 0
add_conf "## testing with native RPZ"
add_conf '#skip'
exit 0
else
add_conf "## testing with DNSRPS"
add_conf "## testing with DNSRPS"
fi
if [ ! -x "$DNSRPS_CMD" ]; then
add_conf "## make $DNSRPS_CMD to test DNSRPS"
add_conf '#skip'
exit 0
add_conf "## make $DNSRPS_CMD to test DNSRPS"
add_conf '#skip'
exit 0
fi
if $DNSRPS_CMD -a >/dev/null; then :
if $DNSRPS_CMD -a >/dev/null; then
:
else
add_conf "## DNSRPS provider library is not available"
add_conf '#skip'
exit 0
add_conf "## DNSRPS provider library is not available"
add_conf '#skip'
exit 0
fi
add_conf 'dnsrps-options { log-level 3 };'


@ -17,19 +17,17 @@
. ./conf.sh
find . -type f \( \
-name '*~' -o -name 'core' -o -name '*.core' \
-o -name '*.log' -o -name '*.pid' -o -name '*.keyset' \
-o -name named.run -o -name ans.run \
-o -name '*-valgrind-*.log' \) -print | xargs rm -f
-name '*~' -o -name 'core' -o -name '*.core' \
-o -name '*.log' -o -name '*.pid' -o -name '*.keyset' \
-o -name named.run -o -name ans.run \
-o -name '*-valgrind-*.log' \) -print | xargs rm -f
status=0
rm -f ../random.data
for d in $SUBDIRS
do
test ! -f $d/clean.sh || ( cd $d && $SHELL clean.sh )
test -d $d && find $d -type d -exec rmdir '{}' \; 2> /dev/null
for d in $SUBDIRS; do
test ! -f $d/clean.sh || (cd $d && $SHELL clean.sh)
test -d $d && find $d -type d -exec rmdir '{}' \; 2>/dev/null
done


@ -27,10 +27,10 @@ export ARPANAME=$TOP_BUILDDIR/bin/tools/arpaname
export CDS=$TOP_BUILDDIR/bin/dnssec/dnssec-cds
export CHECKCONF=$TOP_BUILDDIR/bin/check/named-checkconf
export CHECKZONE=$TOP_BUILDDIR/bin/check/named-checkzone
if [ -z "$TSAN_OPTIONS" ]; then # workaround for GL#4119
export DELV=$TOP_BUILDDIR/bin/delv/delv
if [ -z "$TSAN_OPTIONS" ]; then # workaround for GL#4119
export DELV=$TOP_BUILDDIR/bin/delv/delv
else
export DELV=:
export DELV=:
fi
export DIG=$TOP_BUILDDIR/bin/dig/dig
export DNSTAPREAD=$TOP_BUILDDIR/bin/tools/dnstap-read
@ -84,13 +84,13 @@ export PYTEST=@PYTEST@
#
export PERL=$(command -v "@PERL@" || true)
if ! test -x "$PERL"; then
echo "Perl interpreter is required for system tests."
exit 77
echo "Perl interpreter is required for system tests."
exit 77
fi
export PYTHON=$(command -v "@PYTHON@" || true)
if ! test -x "$PYTHON"; then
echo "Python interpreter is required for system tests."
exit 77
echo "Python interpreter is required for system tests."
exit 77
fi
# Load common values


@ -13,10 +13,9 @@
. ../conf.sh
if ! ${PYTHON} -c 'import dns'
then
echo_i "python dns module is required"
exit 1
if ! ${PYTHON} -c 'import dns'; then
echo_i "python dns module is required"
exit 1
fi
exit 0


@ -22,65 +22,63 @@ status=0
n=0
getcookie() {
awk '$2 == "COOKIE:" {
awk '$2 == "COOKIE:" {
print $3;
}' < $1
}' <$1
}
fullcookie() {
awk 'BEGIN { n = 0 }
awk 'BEGIN { n = 0 }
// { v[n++] = length(); }
END { print (v[1] == v[2]); }'
}
havetc() {
grep 'flags:.* tc[^;]*;' $1 > /dev/null
grep 'flags:.* tc[^;]*;' $1 >/dev/null
}
for bad in bad*.conf
do
n=$((n + 1))
echo_i "checking that named-checkconf detects error in $bad ($n)"
ret=0
$CHECKCONF $bad > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
for bad in bad*.conf; do
n=$((n + 1))
echo_i "checking that named-checkconf detects error in $bad ($n)"
ret=0
$CHECKCONF $bad >/dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
done
for good in good*.conf
do
n=$((n + 1))
echo_i "checking that named-checkconf detects accepts $good ($n)"
ret=0
$CHECKCONF $good > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
for good in good*.conf; do
n=$((n + 1))
echo_i "checking that named-checkconf detects accepts $good ($n)"
ret=0
$CHECKCONF $good >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
done
n=$((n + 1))
echo_i "checking RCODE=FORMERR to query without question section and without COOKIE option ($n)"
ret=0
$DIG $DIGOPTS +qr +header-only +nocookie version.bind txt ch @10.53.0.1 > dig.out.test$n || ret=1
grep COOKIE: dig.out.test$n > /dev/null && ret=1
grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +qr +header-only +nocookie version.bind txt ch @10.53.0.1 >dig.out.test$n || ret=1
grep COOKIE: dig.out.test$n >/dev/null && ret=1
grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking RCODE=NOERROR to query without question section and with COOKIE option ($n)"
ret=0
$DIG $DIGOPTS +qr +header-only +cookie version.bind txt ch @10.53.0.1 > dig.out.test$n || ret=1
grep COOKIE: dig.out.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +qr +header-only +cookie version.bind txt ch @10.53.0.1 >dig.out.test$n || ret=1
grep COOKIE: dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking COOKIE token is returned to empty COOKIE option ($n)"
ret=0
$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.1 > dig.out.test$n || ret=1
grep COOKIE: dig.out.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.1 >dig.out.test$n || ret=1
grep COOKIE: dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -88,16 +86,16 @@ n=$((n + 1))
echo_i "checking COOKIE is not returned when answer-cookie is false ($n)"
ret=0
oldcookie=b71d3138bb984fc50100000064a65cffbbf02482dfb99ba5
$DIG $DIGOPTS +cookie=$oldcookie version.bind txt ch @10.53.0.7 > dig.out.test$n || ret=1
grep COOKIE: dig.out.test$n > /dev/null && ret=1
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie=$oldcookie version.bind txt ch @10.53.0.7 >dig.out.test$n || ret=1
grep COOKIE: dig.out.test$n >/dev/null && ret=1
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking response size without COOKIE ($n)"
ret=0
$DIG $DIGOPTS large.example txt @10.53.0.1 +ignore > dig.out.test$n || ret=1
$DIG $DIGOPTS large.example txt @10.53.0.1 +ignore >dig.out.test$n || ret=1
havetc dig.out.test$n || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -105,36 +103,36 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking response size without valid COOKIE ($n)"
ret=0
$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 +ignore > dig.out.test$n || ret=1
$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 +ignore >dig.out.test$n || ret=1
havetc dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking response size with COOKIE ($n)"
ret=0
$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 > dig.out.test$n.l || ret=1
$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 >dig.out.test$n.l || ret=1
cookie=$(getcookie dig.out.test$n.l)
$DIG $DIGOPTS +qr +cookie=$cookie large.example txt @10.53.0.1 +ignore > dig.out.test$n || ret=1
$DIG $DIGOPTS +qr +cookie=$cookie large.example txt @10.53.0.1 +ignore >dig.out.test$n || ret=1
havetc dig.out.test$n && ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking response size with COOKIE recursive ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=$cookie large.xxx txt @10.53.0.1 +ignore > dig.out.test$n || ret=1
$DIG $DIGOPTS +qr +cookie=$cookie large.xxx txt @10.53.0.1 +ignore >dig.out.test$n || ret=1
havetc dig.out.test$n && ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking COOKIE is learnt for TCP retry ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie large.example txt @10.53.0.1 > dig.out.test$n || ret=1
$DIG $DIGOPTS +qr +cookie large.example txt @10.53.0.1 >dig.out.test$n || ret=1
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $linecount != 3 ]; then ret=1; fi
checkfull=$(getcookie dig.out.test$n | fullcookie)
@ -146,15 +144,15 @@ n=$((n + 1))
echo_i "checking for COOKIE value in adb ($n)"
ret=0
rndc_dumpdb ns1
grep "10.53.0.2.*\[cookie=" ns1/named_dump.db.test$n > /dev/null || ret=1
grep "10.53.0.2.*\[cookie=" ns1/named_dump.db.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking require-server-cookie default (no) ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.1 > dig.out.test$n || ret=1
grep "status: BADCOOKIE" dig.out.test$n > /dev/null && ret=1
$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.1 >dig.out.test$n || ret=1
grep "status: BADCOOKIE" dig.out.test$n >/dev/null && ret=1
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -163,10 +161,10 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking require-server-cookie yes ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.3 > dig.out.test$n || ret=1
grep "flags: qr[^;]* aa[ ;]" dig.out.test$n > /dev/null && ret=1
grep "flags: qr[^;]* ad[ ;]" dig.out.test$n > /dev/null && ret=1
grep "status: BADCOOKIE" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.3 >dig.out.test$n || ret=1
grep "flags: qr[^;]* aa[ ;]" dig.out.test$n >/dev/null && ret=1
grep "flags: qr[^;]* ad[ ;]" dig.out.test$n >/dev/null && ret=1
grep "status: BADCOOKIE" dig.out.test$n >/dev/null || ret=1
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -175,7 +173,7 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking +qr +showbadcookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +showbadcookie soa @10.53.0.3 > dig.out.test$n || ret=1
$DIG $DIGOPTS +qr +cookie +showbadcookie soa @10.53.0.3 >dig.out.test$n || ret=1
noerror=$(grep "status: NOERROR" dig.out.test$n | wc -l)
badcookie=$(grep "status: BADCOOKIE" dig.out.test$n | wc -l)
server=$(grep "COOKIE: ................................................" dig.out.test$n | wc -l)
@ -192,7 +190,7 @@ n=$((n + 1))
echo_i "checking +showbadcookie ($n)"
ret=0
$DIG $DIGOPTS +cookie +showbadcookie soa @10.53.0.3 > dig.out.test$n || ret=1
$DIG $DIGOPTS +cookie +showbadcookie soa @10.53.0.3 >dig.out.test$n || ret=1
noerror=$(grep "status: NOERROR" dig.out.test$n | wc -l)
badcookie=$(grep "status: BADCOOKIE" dig.out.test$n | wc -l)
server=$(grep "COOKIE: ................................................" dig.out.test$n | wc -l)
@ -209,9 +207,9 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking require-server-cookie yes with rate-limit ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +nobadcookie soa example @10.53.0.8 > dig.out.test$n || ret=1
grep "flags: qr[^;]* ad[ ;]" dig.out.test$n > /dev/null && ret=1
grep "status: BADCOOKIE" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +qr +cookie +nobadcookie soa example @10.53.0.8 >dig.out.test$n || ret=1
grep "flags: qr[^;]* ad[ ;]" dig.out.test$n >/dev/null && ret=1
grep "status: BADCOOKIE" dig.out.test$n >/dev/null || ret=1
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -220,9 +218,9 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking 'server <prefix> { require-cookie yes; };' triggers TCP when cookie not returned ($n)"
ret=0
nextpart ns8/named.run > /dev/null
$DIG $DIGOPTS +cookie soa from-no-cookie-server.example @10.53.0.8 > dig.out.test$n || ret=1
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
nextpart ns8/named.run >/dev/null
$DIG $DIGOPTS +cookie soa from-no-cookie-server.example @10.53.0.8 >dig.out.test$n || ret=1
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
wait_for_log_peek 3 "missing required cookie from 10.53.0.7#" ns8/named.run || ret=1
wait_for_log_peek 3 "connected from" ns8/named.run || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -231,34 +229,34 @@ status=$((status + ret))
n=$((n + 1))
echo_i "send undersized cookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=000000 soa @10.53.0.1 > dig.out.test$n || ret=1
grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +qr +cookie=000000 soa @10.53.0.1 >dig.out.test$n || ret=1
grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "send oversized for named cookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.1 > dig.out.test$n || ret=1
grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.1 >dig.out.test$n || ret=1
grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "send oversized for named cookie with server requiring a good cookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.3 > dig.out.test$n || ret=1
grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.3 >dig.out.test$n || ret=1
grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "check that BADCOOKIE is returned for a bad server COOKIE ($n)"
ret=0
badcookie=$(echo $cookie | sed 's/[a-f0-9]/0/g')
$DIG $DIGOPTS +qr +cookie=$badcookie +nobadcookie soa example @10.53.0.1 > dig.out.test$n || ret=1
grep "flags: qr[^;]* ad[ ;]" dig.out.test$n > /dev/null && ret=1
grep "status: BADCOOKIE" dig.out.test$n > /dev/null || ret=1
linecount=`getcookie dig.out.test$n | wc -l`
$DIG $DIGOPTS +qr +cookie=$badcookie +nobadcookie soa example @10.53.0.1 >dig.out.test$n || ret=1
grep "flags: qr[^;]* ad[ ;]" dig.out.test$n >/dev/null && ret=1
grep "status: BADCOOKIE" dig.out.test$n >/dev/null || ret=1
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -283,8 +281,8 @@ status=$((status + ret))
n=$((n + 1))
echo_i "get NS4 cookie for cross server checking ($n)"
ret=0
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.4 > dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.4 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
ns4cookie=$(getcookie dig.out.test$n)
test -n "$ns4cookie" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -293,8 +291,8 @@ status=$((status + ret))
n=$((n + 1))
echo_i "get NS5 cookie for cross server checking ($n)"
ret=0
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.5 > dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.5 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
ns5cookie=$(getcookie dig.out.test$n)
test -n "$ns5cookie" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -303,8 +301,8 @@ status=$((status + ret))
n=$((n + 1))
echo_i "get NS6 cookie for cross server checking ($n)"
ret=0
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.6 > dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.6 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
ns6cookie=$(getcookie dig.out.test$n)
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -312,54 +310,54 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test NS4 cookie on NS5 (expect success) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 > dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "test NS4 cookie on NS6 (expect badcookie) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 > dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "test NS5 cookie on NS4 (expect success) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 > dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "test NS5 cookie on NS6 (expect badcookie) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 > dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "test NS6 cookie on NS4 (expect badcookie) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 > dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "test NS6 cookie on NS5 (expect success) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 > dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -368,62 +366,62 @@ echo_i "check that test server is correctly configured ($n)"
ret=0
pat="; COOKIE: ................................ (good)"
#UDP
$DIG $DIGOPTS @10.53.0.9 +notcp tld > dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
grep "$pat" dig.out.test$n.1 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.1 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.1 > /dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +notcp tld >dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
grep "$pat" dig.out.test$n.1 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.1 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.1 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +notcp tcponly.tld > dig.out.test$n.2 || ret=1
grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.2 > /dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +notcp tcponly.tld >dig.out.test$n.2 || ret=1
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.2 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +notcp nocookie.tld > dig.out.test$n.3 || ret=1
grep "status: NOERROR" dig.out.test$n.3 > /dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.3 > /dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.3 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.3 > /dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +notcp nocookie.tld >dig.out.test$n.3 || ret=1
grep "status: NOERROR" dig.out.test$n.3 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.3 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.3 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.3 >/dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +notcp withtsig.tld > dig.out.test$n.4 || ret=1
grep "status: NOERROR" dig.out.test$n.4 > /dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.4 > /dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.4 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.4 > /dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.4 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.9 +notcp withtsig.tld >dig.out.test$n.4 || ret=1
grep "status: NOERROR" dig.out.test$n.4 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.4 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.4 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.4 >/dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.4 >/dev/null || ret=1
#TCP
$DIG $DIGOPTS @10.53.0.9 +tcp tld > dig.out.test$n.5 || ret=1
grep "status: NOERROR" dig.out.test$n.5 > /dev/null || ret=1
grep "$pat" dig.out.test$n.5 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.5 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.5 > /dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +tcp tld >dig.out.test$n.5 || ret=1
grep "status: NOERROR" dig.out.test$n.5 >/dev/null || ret=1
grep "$pat" dig.out.test$n.5 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.5 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.5 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +tcp tcponly.tld > dig.out.test$n.6
grep "status: NOERROR" dig.out.test$n.6 > /dev/null || ret=1
grep "$pat" dig.out.test$n.6 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.6 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.6 > /dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +tcp tcponly.tld >dig.out.test$n.6
grep "status: NOERROR" dig.out.test$n.6 >/dev/null || ret=1
grep "$pat" dig.out.test$n.6 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.6 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.6 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +tcp nocookie.tld > dig.out.test$n.7
grep "status: NOERROR" dig.out.test$n.7 > /dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.7 > /dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.7 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.7 > /dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +tcp nocookie.tld >dig.out.test$n.7
grep "status: NOERROR" dig.out.test$n.7 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.7 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.7 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.7 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +tcp withtsig.tld > dig.out.test$n.8
grep "status: NOERROR" dig.out.test$n.8 > /dev/null || ret=1
grep "$pat" dig.out.test$n.8 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.8 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.8 > /dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.8 > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +tcp withtsig.tld >dig.out.test$n.8
grep "status: NOERROR" dig.out.test$n.8 >/dev/null || ret=1
grep "$pat" dig.out.test$n.8 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.8 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.8 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.8 >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -434,17 +432,17 @@ ret=0
msg="missing expected cookie from"
pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
# prime EDNS COOKIE state
$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
rndc_dumpdb ns1
grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
# spoofed response contains 10.53.0.10
nextpart ns1/named.run >/dev/null
$DIG $DIGOPTS @10.53.0.1 tcponly.tld > dig.out.test$n.2 || ret=1
$DIG $DIGOPTS @10.53.0.1 tcponly.tld >dig.out.test$n.2 || ret=1
wait_for_log 5 "$msg" ns1/named.run || ret=1
grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -454,17 +452,17 @@ ret=0
msg="missing expected cookie from"
pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
# prime EDNS COOKIE state
$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
rndc_dumpdb ns1
grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
# check the disabled server response
nextpart ns1/named.run >/dev/null
$DIG $DIGOPTS @10.53.0.1 nocookie.tld > dig.out.test$n.2
$DIG $DIGOPTS @10.53.0.1 nocookie.tld >dig.out.test$n.2
wait_for_log 5 "$msg" ns1/named.run || ret=1
grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -473,17 +471,17 @@ echo_i "check that spoofed response with a TSIG is dropped when we have a server
ret=0
pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
# prime EDNS COOKIE state
$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
rndc_dumpdb ns1
grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
# spoofed response contains 10.53.0.10
nextpart ns1/named.run >/dev/null
$DIG $DIGOPTS @10.53.0.1 withtsig.tld > dig.out.test$n.2 || ret=1
grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1
nextpart ns1/named.run > named.run.test$n
$DIG $DIGOPTS @10.53.0.1 withtsig.tld >dig.out.test$n.2 || ret=1
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1
nextpart ns1/named.run >named.run.test$n
count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n)
test $count -eq 1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -493,56 +491,55 @@ if $PYTHON -c '
import dns.version, sys;
if dns.version.MAJOR > 1: sys.exit(0);
if dns.version.MAJOR == 1 and dns.version.MINOR >= 16: sys.exit(0);
sys.exit(1)'
then
sys.exit(1)'; then
n=$((n + 1))
echo_i "check that TSIG test server is correctly configured ($n)"
ret=0
pat="; COOKIE: ................................ (good)"
key="${DEFAULT_HMAC}:foo:aaaaaaaaaaaa"
#UDP
$DIG $DIGOPTS @10.53.0.10 -y $key +notcp tsig. > dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
grep "$pat" dig.out.test$n.1 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.1 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.1 > /dev/null && ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +notcp tsig. >dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
grep "$pat" dig.out.test$n.1 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.1 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.1 >/dev/null && ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +notcp tcponly.tsig > dig.out.test$n.2 || ret=1
grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.2 > /dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +notcp tcponly.tsig >dig.out.test$n.2 || ret=1
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.2 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +notcp nocookie.tsig > dig.out.test$n.3 || ret=1
grep "status: NOERROR" dig.out.test$n.3 > /dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.3 > /dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.3 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.3 > /dev/null || ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +notcp nocookie.tsig >dig.out.test$n.3 || ret=1
grep "status: NOERROR" dig.out.test$n.3 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.3 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.3 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.3 >/dev/null || ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1
#TCP
$DIG $DIGOPTS @10.53.0.10 -y $key +tcp tsig. > dig.out.test$n.5 || ret=1
grep "status: NOERROR" dig.out.test$n.5 > /dev/null || ret=1
grep "$pat" dig.out.test$n.5 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.5 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.5 > /dev/null && ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +tcp tsig. >dig.out.test$n.5 || ret=1
grep "status: NOERROR" dig.out.test$n.5 >/dev/null || ret=1
grep "$pat" dig.out.test$n.5 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.5 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.5 >/dev/null && ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +tcp tcponly.tsig > dig.out.test$n.6 || ret=1
grep "status: NOERROR" dig.out.test$n.6 > /dev/null || ret=1
grep "$pat" dig.out.test$n.6 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.6 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.6 > /dev/null && ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +tcp tcponly.tsig >dig.out.test$n.6 || ret=1
grep "status: NOERROR" dig.out.test$n.6 >/dev/null || ret=1
grep "$pat" dig.out.test$n.6 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.6 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.6 >/dev/null && ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +tcp nocookie.tsig > dig.out.test$n.7 || ret=1
grep "status: NOERROR" dig.out.test$n.7 > /dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.7 > /dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.7 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.7 > /dev/null && ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +tcp nocookie.tsig >dig.out.test$n.7 || ret=1
grep "status: NOERROR" dig.out.test$n.7 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.7 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.7 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.7 >/dev/null && ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -552,17 +549,17 @@ then
ret=0
pat='10\.53\.0\.10 .*\[cookie=................................\] \[ttl'
# prime EDNS COOKIE state
$DIG $DIGOPTS @10.53.0.1 tsig. > dig.out.test$n.1
grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.1 tsig. >dig.out.test$n.1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
rndc_dumpdb ns1
grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
# check the disabled server response
nextpart ns1/named.run >/dev/null
$DIG $DIGOPTS @10.53.0.1 nocookie.tsig > dig.out.test$n.2
grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1
nextpart ns1/named.run > named.run.test$n
$DIG $DIGOPTS @10.53.0.1 nocookie.tsig >dig.out.test$n.2
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1
nextpart ns1/named.run >named.run.test$n
count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n)
test $count -eq 2 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi


@ -2,7 +2,7 @@
# test-driver - basic testsuite driver script.
scriptversion=2021-09-20.08; # UTC
scriptversion=2021-09-20.08 # UTC
# Copyright (C) 2011-2020 Free Software Foundation, Inc.
#
@ -34,15 +34,13 @@ scriptversion=2021-09-20.08; # UTC
# helps a lot in preventing typo-related bugs.
set -u
usage_error ()
{
usage_error() {
echo "$0: $*" >&2
print_usage >&2
exit 2
}
print_usage ()
{
print_usage() {
cat <<END
Usage:
test-driver --test-name=NAME --log-file=PATH --trs-file=PATH
@ -53,36 +51,67 @@ The '--test-name', '--log-file' and '--trs-file' options are mandatory.
END
}
test_name= # Used for reporting.
log_file= # Where to save the output of the test script.
trs_file= # Where to save the metadata of the test run.
junit_file= # Where to save pytest junit output.
test_name= # Used for reporting.
log_file= # Where to save the output of the test script.
trs_file= # Where to save the metadata of the test run.
junit_file= # Where to save pytest junit output.
expect_failure=no
color_tests=no
enable_hard_errors=yes
verbose=no
while test $# -gt 0; do
case $1 in
--help) print_usage; exit $?;;
--version) echo "test-driver $scriptversion"; exit $?;;
--test-name) test_name=$2; shift;;
--log-file) log_file=$2; shift;;
--trs-file) trs_file=$2; junit_file=$(echo $trs_file | sed 's/\.trs$/\.xml/'); shift;;
--color-tests) color_tests=$2; shift;;
--expect-failure) expect_failure=$2; shift;;
--enable-hard-errors) enable_hard_errors=$2; shift;;
--verbose) verbose=$2; shift;;
--) shift; break;;
-*) usage_error "invalid option: '$1'";;
*) break;;
--help)
print_usage
exit $?
;;
--version)
echo "test-driver $scriptversion"
exit $?
;;
--test-name)
test_name=$2
shift
;;
--log-file)
log_file=$2
shift
;;
--trs-file)
trs_file=$2
junit_file=$(echo $trs_file | sed 's/\.trs$/\.xml/')
shift
;;
--color-tests)
color_tests=$2
shift
;;
--expect-failure)
expect_failure=$2
shift
;;
--enable-hard-errors)
enable_hard_errors=$2
shift
;;
--verbose)
verbose=$2
shift
;;
--)
shift
break
;;
-*) usage_error "invalid option: '$1'" ;;
*) break ;;
esac
shift
done
missing_opts=
test x"$test_name" = x && missing_opts="$missing_opts --test-name"
test x"$log_file" = x && missing_opts="$missing_opts --log-file"
test x"$trs_file" = x && missing_opts="$missing_opts --trs-file"
test x"$log_file" = x && missing_opts="$missing_opts --log-file"
test x"$trs_file" = x && missing_opts="$missing_opts --trs-file"
if test x"$missing_opts" != x; then
usage_error "the following mandatory options are missing:$missing_opts"
fi
@ -117,7 +146,7 @@ else
fi
# Run junit to trs converter script.
./convert-junit-to-trs.py $junit_file > $trs_file
./convert-junit-to-trs.py $junit_file >$trs_file
estatus=$?
if test $enable_hard_errors = no && test $estatus -eq 99; then
@ -127,12 +156,12 @@ else
fi
case $tweaked_estatus:$expect_failure in
0:yes) col=$red res=XPASS recheck=yes gcopy=yes;;
0:*) col=$grn res=PASS recheck=no gcopy=no;;
77:*) col=$blu res=SKIP recheck=no gcopy=yes;;
99:*) col=$mgn res=ERROR recheck=yes gcopy=yes;;
*:yes) col=$lgn res=XFAIL recheck=no gcopy=yes;;
*:*) col=$red res=FAIL recheck=yes gcopy=yes;;
0:yes) col=$red res=XPASS recheck=yes gcopy=yes ;;
0:*) col=$grn res=PASS recheck=no gcopy=no ;;
77:*) col=$blu res=SKIP recheck=no gcopy=yes ;;
99:*) col=$mgn res=ERROR recheck=yes gcopy=yes ;;
*:yes) col=$lgn res=XFAIL recheck=no gcopy=yes ;;
*:*) col=$red res=FAIL recheck=yes gcopy=yes ;;
esac
# Report the test outcome and exit status in the logs, so that one can
@ -145,9 +174,9 @@ echo "$res $test_name (exit status: $estatus)" >>$log_file
echo "${col}${res}${std}: $test_name"
# Register other relevant test metadata.
echo ":global-test-result: $res" >> $trs_file
echo ":recheck: $recheck" >> $trs_file
echo ":copy-in-global-log: $gcopy" >> $trs_file
echo ":global-test-result: $res" >>$trs_file
echo ":recheck: $recheck" >>$trs_file
echo ":copy-in-global-log: $gcopy" >>$trs_file
# Local Variables:
# mode: shell-script


@ -27,8 +27,8 @@ RNDCCMD="$RNDC -s 10.53.0.1 -p ${CONTROLPORT} -c ../_common/rndc.conf"
echo_i "checking pre reload zone ($n)"
ret=0
$DIG $DIGOPTS soa database. @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep "hostmaster\.isc\.org" dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS soa database. @10.53.0.1 >dig.out.ns1.test$n || ret=1
grep "hostmaster\.isc\.org" dig.out.ns1.test$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -39,14 +39,13 @@ $RNDCCMD reload 2>&1 >/dev/null
echo_i "checking post reload zone ($n)"
ret=1
try=0
while test $try -lt 6
do
sleep 1
ret=0
$DIG $DIGOPTS soa database. @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep "marka\.isc\.org" dig.out.ns1.test$n > /dev/null || ret=1
try=$((try + 1))
test $ret -eq 0 && break
while test $try -lt 6; do
sleep 1
ret=0
$DIG $DIGOPTS soa database. @10.53.0.1 >dig.out.ns1.test$n || ret=1
grep "marka\.isc\.org" dig.out.ns1.test$n >/dev/null || ret=1
try=$((try + 1))
test $ret -eq 0 && break
done
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi


@ -23,21 +23,19 @@ DIGOPTS="+norec +tcp +noadd +nosea +nostat +noquest +nocmd -p ${PORT}"
# Check the example. domain
$DIG $DIGOPTS example. @10.53.0.1 soa > dig.out.ns1.test || ret=1
$DIG $DIGOPTS example. @10.53.0.1 soa >dig.out.ns1.test || ret=1
echo_i "checking that first zone transfer worked"
ret=0
try=0
while test $try -lt 120
do
$DIG $DIGOPTS example. @10.53.0.2 soa > dig.out.ns2.test || ret=1
if grep SERVFAIL dig.out.ns2.test > /dev/null
then
try=$((try + 1))
sleep 1
else
digcomp dig.out.ns1.test dig.out.ns2.test || ret=1
break;
fi
while test $try -lt 120; do
$DIG $DIGOPTS example. @10.53.0.2 soa >dig.out.ns2.test || ret=1
if grep SERVFAIL dig.out.ns2.test >/dev/null; then
try=$((try + 1))
sleep 1
else
digcomp dig.out.ns1.test dig.out.ns2.test || ret=1
break
fi
done
echo_i "try $try"
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -46,17 +44,15 @@ status=$((status + ret))
echo_i "checking that second zone transfer worked"
ret=0
try=0
while test $try -lt 120
do
$DIG $DIGOPTS example. @10.53.0.3 soa > dig.out.ns3.test || ret=1
if grep SERVFAIL dig.out.ns3.test > /dev/null
then
try=$((try + 1))
sleep 1
else
digcomp dig.out.ns1.test dig.out.ns3.test || ret=1
break;
fi
while test $try -lt 120; do
$DIG $DIGOPTS example. @10.53.0.3 soa >dig.out.ns3.test || ret=1
if grep SERVFAIL dig.out.ns3.test >/dev/null; then
try=$((try + 1))
sleep 1
else
digcomp dig.out.ns1.test dig.out.ns3.test || ret=1
break
fi
done
echo_i "try $try"
if [ $ret != 0 ]; then echo_i "failed"; fi


@ -16,7 +16,7 @@
set -e
(cd ../ns2 && $SHELL sign.sh )
(cd ../ns2 && $SHELL sign.sh)
cp "../ns2/dsset-example." .
@ -24,8 +24,8 @@ ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone .)
cp root.db.in root.db
"$SIGNER" -Sgz -f root.db -o . root.db.in > /dev/null 2>&1
"$SIGNER" -Sgz -f root.db -o . root.db.in >/dev/null 2>&1
keyfile_to_key_id "$ksk" > keyid
grep -Ev '^;' < "$ksk.key" | cut -f 7- -d ' ' > keydata
keyfile_to_initial_keys "$ksk" > anchor.dnskey
keyfile_to_key_id "$ksk" >keyid
grep -Ev '^;' <"$ksk.key" | cut -f 7- -d ' ' >keydata
keyfile_to_initial_keys "$ksk" >anchor.dnskey


@ -20,13 +20,13 @@ ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone example.)
cp example.db.in example.db
"$SIGNER" -Sz -f example.db -o example example.db.in > /dev/null 2>&1
"$SIGNER" -Sz -f example.db -o example example.db.in >/dev/null 2>&1
keyfile_to_key_id "$ksk" > keyid
grep -Ev '^;' < "$ksk.key" | cut -f 7- -d ' ' > keydata
keyfile_to_key_id "$ksk" >keyid
grep -Ev '^;' <"$ksk.key" | cut -f 7- -d ' ' >keydata
keyfile_to_initial_keys "$ksk" > ../ns3/anchor.dnskey
keyfile_to_initial_ds "$ksk" > ../ns3/anchor.ds
keyfile_to_initial_keys "$ksk" >../ns3/anchor.dnskey
keyfile_to_initial_ds "$ksk" >../ns3/anchor.ds
ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone example.tld.)
"$SIGNER" -Sz -f example.tld.db -o example.tld example.db.in > /dev/null 2>&1
"$SIGNER" -Sz -f example.tld.db -o example.tld example.db.in >/dev/null 2>&1


@ -13,16 +13,14 @@
. ../conf.sh
if ! ${PYTHON} -c 'import dns'
then
echo_i "python dns module is required"
exit 1
if ! ${PYTHON} -c 'import dns'; then
echo_i "python dns module is required"
exit 1
fi
if ! ${PERL} -MNet::DNS -e ''
then
echo_i "perl Net::DNS module is required"
exit 1
if ! ${PERL} -MNet::DNS -e ''; then
echo_i "perl Net::DNS module is required"
exit 1
fi
exit 0



@ -14,8 +14,8 @@
. ../conf.sh
$FEATURETEST --tsan && {
echo_i "TSAN - skipping dlzexternal test"
exit 255
echo_i "TSAN - skipping dlzexternal test"
exit 255
}
exit 0


@ -13,6 +13,6 @@
. ../conf.sh
$TSIGKEYGEN ddns-key.example.nil > ns1/ddns.key
$TSIGKEYGEN ddns-key.example.nil >ns1/ddns.key
copy_setports ns1/named.conf.in ns1/named.conf


@ -22,39 +22,39 @@ DIGOPTS="@10.53.0.1 -p ${PORT} +nocookie"
RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"
newtest() {
n=$((n + 1))
echo_i "${1} (${n})"
ret=0
n=$((n + 1))
echo_i "${1} (${n})"
ret=0
}
test_update() {
host="$1"
type="$2"
cmd="$3"
digout="$4"
should_fail="$5"
host="$1"
type="$2"
cmd="$3"
digout="$4"
should_fail="$5"
cat <<EOF > ns1/update.txt
cat <<EOF >ns1/update.txt
server 10.53.0.1 ${PORT}
update add $host $cmd
send
EOF
newtest "testing update for $host $type $cmd${comment:+ }$comment"
$NSUPDATE -k ns1/ddns.key ns1/update.txt > /dev/null 2>&1 || {
[ "$should_fail" ] || \
echo_i "update failed for $host $type $cmd"
return 1
}
newtest "testing update for $host $type $cmd${comment:+ }$comment"
$NSUPDATE -k ns1/ddns.key ns1/update.txt >/dev/null 2>&1 || {
[ "$should_fail" ] \
|| echo_i "update failed for $host $type $cmd"
return 1
}
out=$($DIG $DIGOPTS -t $type -q $host | grep -E "^$host")
lines=$(echo "$out" | grep "$digout" | wc -l)
[ $lines -eq 1 ] || {
[ "$should_fail" ] || \
echo_i "dig output incorrect for $host $type $cmd: $out"
return 1
}
return 0
out=$($DIG $DIGOPTS -t $type -q $host | grep -E "^$host")
lines=$(echo "$out" | grep "$digout" | wc -l)
[ $lines -eq 1 ] || {
[ "$should_fail" ] \
|| echo_i "dig output incorrect for $host $type $cmd: $out"
return 1
}
return 0
}
test_update testdc1.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1
@ -70,19 +70,19 @@ test_update deny.example.nil. TXT "86400 TXT helloworld" "helloworld" should_fai
status=$((status + ret))
newtest "testing nxrrset"
$DIG $DIGOPTS testdc1.example.nil AAAA > dig.out.$n || ret=1
grep "status: NOERROR" dig.out.$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.$n > /dev/null || ret=1
$DIG $DIGOPTS testdc1.example.nil AAAA >dig.out.$n || ret=1
grep "status: NOERROR" dig.out.$n >/dev/null || ret=1
grep "ANSWER: 0" dig.out.$n >/dev/null || ret=1
status=$((status + ret))
newtest "testing prerequisites are checked correctly"
cat > ns1/update.txt << EOF
cat >ns1/update.txt <<EOF
server 10.53.0.1 ${PORT}
prereq nxdomain testdc3.example.nil
update add testdc3.example.nil 86500 in a 10.53.0.12
send
EOF
$NSUPDATE -k ns1/ddns.key ns1/update.txt > /dev/null 2>&1 && ret=1
$NSUPDATE -k ns1/ddns.key ns1/update.txt >/dev/null 2>&1 && ret=1
out=$($DIG $DIGOPTS +short a testdc3.example.nil)
[ "$out" = "10.53.0.12" ] && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
@ -98,10 +98,10 @@ status=$((status + ret))
newtest "testing DLZ driver is cleaned up on reload"
rndc_reload ns1 10.53.0.1
for i in 0 1 2 3 4 5 6 7 8 9; do
ret=0
grep 'dlz_example: shutting down zone example.nil' ns1/named.run > /dev/null 2>&1 || ret=1
[ "$ret" -eq 0 ] && break
sleep 1
ret=0
grep 'dlz_example: shutting down zone example.nil' ns1/named.run >/dev/null 2>&1 || ret=1
[ "$ret" -eq 0 ] && break
sleep 1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
@ -111,53 +111,53 @@ test_update testdc1.alternate.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1
status=$((status + ret))
newtest "testing AXFR from DLZ drivers"
$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.example.ns1.test$n || ret=1
$DIG $DIGOPTS +noall +answer axfr example.nil >dig.out.example.ns1.test$n || ret=1
lines=$(cat dig.out.example.ns1.test$n | wc -l)
[ ${lines:-0} -eq 4 ] || ret=1
$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n || ret=1
$DIG $DIGOPTS +noall +answer axfr alternate.nil >dig.out.alternate.ns1.test$n || ret=1
lines=$(cat dig.out.alternate.ns1.test$n | wc -l)
[ ${lines:-0} -eq 5 ] || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
newtest "testing AXFR denied from DLZ drivers"
$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil > dig.out.example.ns1.test$n || ret=1
grep "; Transfer failed" dig.out.example.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n || ret=1
grep "; Transfer failed" dig.out.alternate.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil >dig.out.example.ns1.test$n || ret=1
grep "; Transfer failed" dig.out.example.ns1.test$n >/dev/null || ret=1
$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil >dig.out.alternate.ns1.test$n || ret=1
grep "; Transfer failed" dig.out.alternate.ns1.test$n >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
newtest "testing AXFR denied based on view ACL"
# 10.53.0.1 should be disallowed
$DIG $DIGOPTS -b 10.53.0.1 +noall +answer axfr example.org > dig.out.example.ns1.test$n.1 || ret=1
grep "; Transfer failed" dig.out.example.ns1.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS -b 10.53.0.1 +noall +answer axfr example.org >dig.out.example.ns1.test$n.1 || ret=1
grep "; Transfer failed" dig.out.example.ns1.test$n.1 >/dev/null || ret=1
# 10.53.0.2 should be allowed
$DIG $DIGOPTS -b 10.53.0.2 +noall +answer axfr example.org > dig.out.example.ns1.test$n.2 || ret=1
grep "; Transfer failed" dig.out.example.ns1.test$n.2 > /dev/null && ret=1
$DIG $DIGOPTS -b 10.53.0.2 +noall +answer axfr example.org >dig.out.example.ns1.test$n.2 || ret=1
grep "; Transfer failed" dig.out.example.ns1.test$n.2 >/dev/null && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
newtest "testing unsearched/unregistered DLZ zone is not found"
$DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n || ret=1
grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1
$DIG $DIGOPTS +noall +answer ns other.nil >dig.out.ns1.test$n || ret=1
grep "3600.IN.NS.other.nil." dig.out.ns1.test$n >/dev/null && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
newtest "testing unsearched/registered DLZ zone is found"
$DIG $DIGOPTS +noall +answer ns zone.nil > dig.out.ns1.test$n || ret=1
grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS +noall +answer ns zone.nil >dig.out.ns1.test$n || ret=1
grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
newtest "testing unsearched/registered DLZ zone is found"
$DIG $DIGOPTS +noall +answer ns zone.nil > dig.out.ns1.test$n || ret=1
grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS +noall +answer ns zone.nil >dig.out.ns1.test$n || ret=1
grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
newtest "testing correct behavior with findzone returning ISC_R_NOMORE"
$DIG $DIGOPTS +noall a test.example.com > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS +noall a test.example.com >/dev/null 2>&1 || ret=1
# we should only find one logged lookup per searched DLZ database
lines=$(grep "dlz_findzonedb.*test\.example\.com.*example.nil" ns1/named.run | wc -l)
[ $lines -eq 1 ] || ret=1
@ -167,13 +167,13 @@ lines=$(grep "dlz_findzonedb.*test\.example\.com.*alternate.nil" ns1/named.run |
status=$((status + ret))
newtest "testing findzone can return different results per client"
$DIG $DIGOPTS -b 10.53.0.1 +noall a test.example.net > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS -b 10.53.0.1 +noall a test.example.net >/dev/null 2>&1 || ret=1
# we should only find one logged lookup per searched DLZ database
lines=$(grep "dlz_findzonedb.*example\.net.*example.nil" ns1/named.run | wc -l)
[ $lines -eq 1 ] || ret=1
lines=$(grep "dlz_findzonedb.*example\.net.*alternate.nil" ns1/named.run | wc -l)
[ $lines -eq 1 ] || ret=1
$DIG $DIGOPTS -b 10.53.0.2 +noall a test.example.net > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS -b 10.53.0.2 +noall a test.example.net >/dev/null 2>&1 || ret=1
# we should find several logged lookups this time
lines=$(grep "dlz_findzonedb.*example\.net.*example.nil" ns1/named.run | wc -l)
[ $lines -gt 2 ] || ret=1
@ -183,47 +183,47 @@ lines=$(grep "dlz_findzonedb.*example\.net.*alternate.nil" ns1/named.run | wc -l
status=$((status + ret))
newtest "testing zone returning oversized data"
$DIG $DIGOPTS txt too-long.example.nil > dig.out.ns1.test$n 2>&1 || ret=1
grep "status: SERVFAIL" dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS txt too-long.example.nil >dig.out.ns1.test$n 2>&1 || ret=1
grep "status: SERVFAIL" dig.out.ns1.test$n >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
newtest "testing zone returning oversized data at zone origin"
$DIG $DIGOPTS txt bigcname.domain > dig.out.ns1.test$n 2>&1 || ret=1
grep "status: SERVFAIL" dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS txt bigcname.domain >dig.out.ns1.test$n 2>&1 || ret=1
grep "status: SERVFAIL" dig.out.ns1.test$n >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
newtest "checking redirected lookup for nonexistent name"
$DIG $DIGOPTS @10.53.0.1 unexists a > dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
grep "^unexists.*A.*100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.1 unexists a >dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1
grep "^unexists.*A.*100.100.100.2" dig.out.ns1.test$n >/dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
newtest "checking no redirected lookup for nonexistent type"
$DIG $DIGOPTS @10.53.0.1 exists aaaa > dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.1 exists aaaa >dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1
grep "ANSWER: 0" dig.out.ns1.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
newtest "checking redirected lookup for a long nonexistent name"
$DIG $DIGOPTS @10.53.0.1 long.name.is.not.there a > dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
grep "^long.name.*A.*100.100.100.3" dig.out.ns1.test$n > /dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.1 long.name.is.not.there a >dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1
grep "^long.name.*A.*100.100.100.3" dig.out.ns1.test$n >/dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n >/dev/null || ret=1
lookups=$(grep "lookup #.*\.not\.there" ns1/named.run | wc -l)
[ "$lookups" -eq 1 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
newtest "checking ECS data is passed to driver in clientinfo"
$DIG $DIGOPTS +short +subnet=192.0/16 source-addr.example.nil txt > dig.out.ns1.test$n.1 || ret=1
grep "192.0.0.0/16/0" dig.out.ns1.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS +short source-addr.example.nil txt > dig.out.ns1.test$n.2 || ret=1
grep "not.*present" dig.out.ns1.test$n.2 > /dev/null || ret=1
$DIG $DIGOPTS +short +subnet=192.0/16 source-addr.example.nil txt >dig.out.ns1.test$n.1 || ret=1
grep "192.0.0.0/16/0" dig.out.ns1.test$n.1 >/dev/null || ret=1
$DIG $DIGOPTS +short source-addr.example.nil txt >dig.out.ns1.test$n.2 || ret=1
grep "not.*present" dig.out.ns1.test$n.2 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
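Review bot: In test_update, `$digout` is used as a basic regex in `lines=$(echo "$out" | grep "$digout" | wc -l)`, although the callers visible here pass literals such as `10.53.0.10`, where each unescaped `.` matches any character; a fixed-string match, `lines=$(echo "$out" | grep -F -- "$digout" | wc -l)`, checks exactly what the test intends. The reformat does not touch this line, so the behaviour predates the commit. In the same file, `lines=$(cat dig.out.example.ns1.test$n | wc -l)` could read `lines=$(wc -l <dig.out.example.ns1.test$n)` to avoid the extra process, though that is cosmetic.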


@ -20,6 +20,6 @@ zonefile=signed.db
key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM $zone)
key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone)
cat $infile $key1.key $key2.key > $zonefile
cat $infile $key1.key $key2.key >$zonefile
$SIGNER -P -g -o $zone $zonefile > /dev/null
$SIGNER -P -g -o $zone $zonefile >/dev/null



@ -20,9 +20,9 @@ zone=.
infile=root.db.in
zonefile=root.db
(cd ../ns2 && $SHELL sign.sh )
(cd ../ns6 && $SHELL sign.sh )
(cd ../ns7 && $SHELL sign.sh )
(cd ../ns2 && $SHELL sign.sh)
(cd ../ns6 && $SHELL sign.sh)
(cd ../ns7 && $SHELL sign.sh)
echo_i "ns1/sign.sh"
@ -30,18 +30,18 @@ cp "../ns2/dsset-example." .
cp "../ns2/dsset-in-addr.arpa." .
cp "../ns2/dsset-too-many-iterations." .
grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll." > "dsset-algroll."
grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll." >"dsset-algroll."
cp "../ns6/dsset-optout-tld." .
ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
# Configure the resolving server with a staitc key.
keyfile_to_static_ds "$ksk" > trusted.conf
keyfile_to_static_ds "$ksk" >trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf
@ -49,14 +49,14 @@ cp trusted.conf ../ns6/trusted.conf
cp trusted.conf ../ns7/trusted.conf
cp trusted.conf ../ns9/trusted.conf
keyfile_to_trusted_keys "$ksk" > trusted.keys
keyfile_to_trusted_keys "$ksk" >trusted.keys
# ...or with an initializing key.
keyfile_to_initial_ds "$ksk" > managed.conf
keyfile_to_initial_ds "$ksk" >managed.conf
cp managed.conf ../ns4/managed.conf
#
# Save keyid for managed key id test.
#
keyfile_to_key_id "$ksk" > managed.key.id
keyfile_to_key_id "$ksk" >managed.key.id
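Review bot: The comment above `keyfile_to_static_ds "$ksk" >trusted.conf` has a typo, "staitc"; it should read `# Configure the resolving server with a static key.`. The line is unchanged context, so shfmt would not have touched it, but it is worth fixing while the file is being reformatted.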


@ -17,15 +17,14 @@
set -e
# Sign child zones (served by ns3).
( cd ../ns3 && $SHELL sign.sh )
(cd ../ns3 && $SHELL sign.sh)
echo_i "ns2/sign.sh"
# Get the DS records for the "trusted." and "managed." zones.
for subdomain in secure unsupported disabled enabled
do
cp "../ns3/dsset-$subdomain.managed." .
cp "../ns3/dsset-$subdomain.trusted." .
for subdomain in secure unsupported disabled enabled; do
cp "../ns3/dsset-$subdomain.managed." .
cp "../ns3/dsset-$subdomain.trusted." .
done
# Sign the "trusted." and "managed." zones.
@ -36,9 +35,9 @@ zonefile=managed.db
keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
zone=trusted.
infile=key.db.in
@ -47,9 +46,9 @@ zonefile=trusted.db
keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
# The "example." zone.
zone=example.
@ -58,23 +57,22 @@ zonefile=example.db
# Get the DS records for the "example." zone.
for subdomain in secure badds bogus dynamic keyless nsec3 optout \
nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
ttlpatch split-dnssec split-smart expired expiring upper lower \
dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
dnskey-nsec3-unknown managed-future revkey \
dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024
do
cp "../ns3/dsset-$subdomain.example." .
nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
ttlpatch split-dnssec split-smart expired expiring upper lower \
dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
dnskey-nsec3-unknown managed-future revkey \
dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024; do
cp "../ns3/dsset-$subdomain.example." .
done
# Sign the "example." zone.
keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
#
# lower/uppercase the signature bits with the exception of the last characters
@ -82,8 +80,8 @@ cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
#
zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1
"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" |
awk '
"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" \
| awk '
tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME" {
for (i = 1; i <= NF; i++ ) {
if (i <= 12) {
@ -122,7 +120,7 @@ tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME" {
next;
}
{ print; }' > "$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed"
{ print; }' >"$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed"
#
# signed in-addr.arpa w/ a delegation for 10.in-addr.arpa which is unsigned.
@ -134,8 +132,8 @@ zonefile=in-addr.arpa.db
keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
# Sign the badparam secure file
@ -146,11 +144,11 @@ zonefile=badparam.db
keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
"$SIGNER" -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
"$SIGNER" -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" > "$zonefile.bad"
sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" >"$zonefile.bad"
# Sign the single-nsec3 secure zone with optout
@ -161,9 +159,9 @@ zonefile=single-nsec3.db
keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
#
# algroll has just has the old DNSKEY records removed and is waiting
@ -179,9 +177,9 @@ keyold2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zon
keynew1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keynew2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile"
cat "$infile" "$keynew1.key" "$keynew2.key" >"$zonefile"
"$SIGNER" -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null 2>&1
"$SIGNER" -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" >/dev/null 2>&1
#
# Make a zone big enough that it takes several seconds to generate a new
@ -189,7 +187,7 @@ cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile"
#
zone=nsec3chain-test
zonefile=nsec3chain-test.db
cat > "$zonefile" << EOF
cat >"$zonefile" <<EOF
\$TTL 10
@ 10 SOA ns2 hostmaster 0 3600 1200 864000 1200
@ 10 NS ns2
@ -199,22 +197,22 @@ ns3 10 A 10.53.0.3
EOF
i=1
while [ $i -le 300 ]; do
echo "host$i 10 IN NS ns.elsewhere"
i=$((i+1))
done >> "$zonefile"
echo "host$i 10 IN NS ns.elsewhere"
i=$((i + 1))
done >>"$zonefile"
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$key1.key" "$key2.key" >> "$zonefile"
"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null 2>&1
cat "$key1.key" "$key2.key" >>"$zonefile"
"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" >/dev/null 2>&1
zone=cds.secure
infile=cds.secure.db.in
zonefile=cds.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
"$DSFROMKEY" -C "$key1.key" >"$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cds-x.secure
infile=cds.secure.db.in
@ -222,35 +220,35 @@ zonefile=cds-x.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
"$DSFROMKEY" -C "$key2.key" > "$key2.cds"
cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" > "$zonefile"
"$SIGNER" -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
"$DSFROMKEY" -C "$key2.key" >"$key2.cds"
cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" >"$zonefile"
"$SIGNER" -g -x -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cds-update.secure
infile=cds-update.secure.db.in
zonefile=cds-update.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
keyfile_to_key_id "$key1" > cds-update.secure.id
cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
keyfile_to_key_id "$key1" >cds-update.secure.id
zone=cds-auto.secure
infile=cds-auto.secure.db.in
zonefile=cds-auto.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
$SETTIME -P sync now "$key1" > /dev/null
cat "$infile" > "$zonefile.signed"
$SETTIME -P sync now "$key1" >/dev/null
cat "$infile" >"$zonefile.signed"
zone=cdnskey.secure
infile=cdnskey.secure.db.in
zonefile=cdnskey.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cds" > "$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >"$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cdnskey-x.secure
infile=cdnskey.secure.db.in
@ -258,26 +256,26 @@ zonefile=cdnskey-x.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" > "$zonefile"
"$SIGNER" -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" >"$zonefile"
"$SIGNER" -g -x -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cdnskey-update.secure
infile=cdnskey-update.secure.db.in
zonefile=cdnskey-update.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
keyfile_to_key_id "$key1" > cdnskey-update.secure.id
cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
keyfile_to_key_id "$key1" >cdnskey-update.secure.id
zone=cdnskey-auto.secure
infile=cdnskey-auto.secure.db.in
zonefile=cdnskey-auto.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
$SETTIME -P sync now "$key1" > /dev/null
cat "$infile" > "$zonefile.signed"
$SETTIME -P sync now "$key1" >/dev/null
cat "$infile" >"$zonefile.signed"
zone=updatecheck-kskonly.secure
infile=template.secure.db.in
@ -285,15 +283,15 @@ zonefile=${zone}.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
# Save key id's for checking active key usage
keyfile_to_key_id "$key1" > $zone.ksk.id
keyfile_to_key_id "$key2" > $zone.zsk.id
echo "${key1}" > $zone.ksk.key
echo "${key2}" > $zone.zsk.key
keyfile_to_key_id "$key1" >$zone.ksk.id
keyfile_to_key_id "$key2" >$zone.zsk.id
echo "${key1}" >$zone.ksk.key
echo "${key2}" >$zone.zsk.key
# Make sure dnssec-policy adds CDS and CDNSKEY records
$SETTIME -s -g OMNIPRESENT -k OMNIPRESENT now -r OMNIPRESENT now -d RUMOURED now $key1 > settime.out.$zone.ksk 2>&1
$SETTIME -s -g OMNIPRESENT -k OMNIPRESENT now -z OMNIPRESENT now $key2 > settime.out.$zone.zsk 2>&1
$SETTIME -s -g OMNIPRESENT -k OMNIPRESENT now -r OMNIPRESENT now -d RUMOURED now $key1 >settime.out.$zone.ksk 2>&1
$SETTIME -s -g OMNIPRESENT -k OMNIPRESENT now -z OMNIPRESENT now $key2 >settime.out.$zone.zsk 2>&1
# Don't sign, let dnssec-policy maintain do it.
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
mv $zonefile "$zonefile.signed"
zone=hours-vs-days
@ -301,8 +299,8 @@ infile=hours-vs-days.db.in
zonefile=hours-vs-days.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
$SETTIME -P sync now "$key1" > /dev/null
cat "$infile" > "$zonefile.signed"
$SETTIME -P sync now "$key1" >/dev/null
cat "$infile" >"$zonefile.signed"
#
# Negative result from this zone should come back as insecure.
@ -312,5 +310,5 @@ infile=too-many-iterations.db.in
zonefile=too-many-iterations.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" > /dev/null 2>&1
cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" >/dev/null 2>&1
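Review bot: The cds.secure block writes its zone file with an unquoted redirection target, `cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile`, and the updatecheck-kskonly block ends with `mv $zonefile "$zonefile.signed"`, while every other block in this file quotes the target as `>"$zonefile"`. The values are fixed literals here, so nothing breaks, but the inconsistency is what shellcheck flags as SC2086, and `>"$zonefile"` / `mv "$zonefile" "$zonefile.signed"` would keep the file uniform. The `>$zone.ksk.id`, `>$zone.zsk.id`, `>$zone.ksk.key` and `>$zone.zsk.key` lines in the same block have the same pattern.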


@ -20,7 +20,7 @@
zone=rsasha1-1024.example
k1=$("$KEYGEN" -a rsasha1 -b 1024 $zone)
k2=$("$KEYGEN" -a rsasha1 -b 1024 -f KSK $zone)
cat $zone.db.in $k1.key $k2.key > $zone.tmp
cat $zone.db.in $k1.key $k2.key >$zone.tmp
# use maximum expirey period (-e 2^31-1-3600)
# use output format full for easy extraction of KSK (-O full)
"$SIGNER" -e +2147480047 -o $zone -f $zone.db -O full $zone.tmp
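Review bot: The comment `# use maximum expirey period (-e 2^31-1-3600)` has a typo; `# use maximum expiry period (-e 2^31-1-3600)` is intended. The same comment appears in the rsasha1.example sign script in the next section.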


@ -20,7 +20,7 @@
zone=rsasha1.example
k1=$("$KEYGEN" -a rsasha1 $zone)
k2=$("$KEYGEN" -a rsasha1 -f KSK $zone)
cat $zone.db.in $k1.key $k2.key > $zone.tmp
cat $zone.db.in $k1.key $k2.key >$zone.tmp
# use maximum expirey period (-e 2^31-1-3600)
# use output format full for easy extraction of KSK (-O full)
"$SIGNER" +2147480047 -o $zone -f $zone.db -O full $zone.tmp
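Review bot: The signer invocation `"$SIGNER" +2147480047 -o $zone -f $zone.db -O full $zone.tmp` has no `-e` before the `+2147480047` argument, although the comment above says the script sets the maximum expiry with `-e`, and the sibling rsasha1-1024 script passes `-e +2147480047`. Without the option the value is presumably taken as a positional argument rather than an end time, so this zone's signatures would likely not get the intended expiry; `"$SIGNER" -e +2147480047 -o $zone -f $zone.db -O full $zone.tmp` matches the sibling. The line is unchanged context, so the reformat does not introduce it, but it is worth confirming against the generated signatures.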


@ -19,61 +19,60 @@ set -e
echo_i "ns3/sign.sh"
infile=key.db.in
for tld in managed trusted
do
# A secure zone to test.
zone=secure.${tld}
zonefile=${zone}.db
for tld in managed trusted; do
# A secure zone to test.
zone=secure.${tld}
zonefile=${zone}.db
keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" > "$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" >"$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null
# Zone to test trust anchor that matches disabled algorithm.
zone=disabled.${tld}
zonefile=${zone}.db
# Zone to test trust anchor that matches disabled algorithm.
zone=disabled.${tld}
zonefile=${zone}.db
keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
cat "$infile" "$keyname2.key" > "$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
cat "$infile" "$keyname2.key" >"$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null
# Zone to test trust anchor that has disabled algorithm for other domain.
zone=enabled.${tld}
zonefile=${zone}.db
# Zone to test trust anchor that has disabled algorithm for other domain.
zone=enabled.${tld}
zonefile=${zone}.db
keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
cat "$infile" "$keyname3.key" > "$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
cat "$infile" "$keyname3.key" >"$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null
# Zone to test trust anchor with unsupported algorithm.
zone=unsupported.${tld}
zonefile=${zone}.db
# Zone to test trust anchor with unsupported algorithm.
zone=unsupported.${tld}
zonefile=${zone}.db
keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname4.key" > "$zonefile"
"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed
keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname4.key" >"$zonefile"
"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null
awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp >${zonefile}.signed
# Make trusted-keys and managed keys conf sections for ns8.
mv ${keyname4}.key ${keyname4}.tmp
awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname4}.tmp > ${keyname4}.key
# Make trusted-keys and managed keys conf sections for ns8.
mv ${keyname4}.key ${keyname4}.tmp
awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname4}.tmp >${keyname4}.key
# Zone to test trust anchor that is revoked.
zone=revoked.${tld}
zonefile=${zone}.db
# Zone to test trust anchor that is revoked.
zone=revoked.${tld}
zonefile=${zone}.db
keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname5.key" > "$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname5.key" >"$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null
case $tld in
"managed")
keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 > ../ns8/managed.conf
;;
"trusted")
keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 > ../ns8/trusted.conf
;;
esac
case $tld in
"managed")
keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns8/managed.conf
;;
"trusted")
keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns8/trusted.conf
;;
esac
done
echo_i "ns3/sign.sh: example zones"
@ -86,9 +85,9 @@ cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n
dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone")
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" > "$zonefile"
cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile"
"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
zone=bogus.example.
infile=bogus.example.db.in
@ -96,9 +95,9 @@ zonefile=bogus.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
zone=dynamic.example.
infile=dynamic.example.db.in
@ -107,9 +106,9 @@ zonefile=dynamic.example.db
keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
"$SIGNER" -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -o "$zone" "$zonefile" >/dev/null
zone=keyless.example.
infile=generic.example.db.in
@ -117,16 +116,16 @@ zonefile=keyless.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
# Change the signer field of the a.b.keyless.example RRSIG A
# to point to a provably nonexistent DNSKEY record.
zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1
mv "$zonefile.signed" "$zonefiletmp"
<"$zonefiletmp" "$PERL" -p -e 's/ keyless.example/ b.keyless.example/
if /^a.b.keyless.example/../A RRSIG NSEC/;' > "$zonefile.signed"
"$PERL" <"$zonefiletmp" -p -e 's/ keyless.example/ b.keyless.example/
if /^a.b.keyless.example/../A RRSIG NSEC/;' >"$zonefile.signed"
rm -f "$zonefiletmp"
#
@ -138,9 +137,9 @@ zonefile=secure.nsec3.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
#
# NSEC3/NSEC3 test zone
@ -151,9 +150,9 @@ zonefile=nsec3.nsec3.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -3 - -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -3 - -o "$zone" "$zonefile" >/dev/null
#
# OPTOUT/NSEC3 test zone
@ -164,9 +163,9 @@ zonefile=optout.nsec3.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" >/dev/null
#
# A nsec3 zone (non-optout).
@ -177,9 +176,9 @@ zonefile=nsec3.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -g -3 - -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -g -3 - -o "$zone" "$zonefile" >/dev/null
#
# OPTOUT/NSEC test zone
@ -190,9 +189,9 @@ zonefile=secure.optout.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
#
# OPTOUT/NSEC3 test zone
@ -203,9 +202,9 @@ zonefile=nsec3.optout.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -3 - -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -3 - -o "$zone" "$zonefile" >/dev/null
#
# OPTOUT/OPTOUT test zone
@ -216,9 +215,9 @@ zonefile=optout.optout.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" >/dev/null
#
# A optout nsec3 zone.
@ -229,9 +228,9 @@ zonefile=optout.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -g -3 - -A -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -g -3 - -A -o "$zone" "$zonefile" >/dev/null
#
# A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U).
@ -242,9 +241,9 @@ zonefile=nsec3-unknown.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -3 - -PU -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -3 - -PU -o "$zone" "$zonefile" >/dev/null
#
# A optout nsec3 zone with a unknown nsec3 hash algorithm (-U).
@ -255,9 +254,9 @@ zonefile=optout-unknown.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -3 - -PU -A -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -3 - -PU -A -o "$zone" "$zonefile" >/dev/null
#
# A zone that is signed with an unknown DNSKEY algorithm.
@ -269,14 +268,14 @@ zonefile=dnskey-unknown.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null
awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp > ${zonefile}.signed
awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp >${zonefile}.signed
DSFILE="dsset-${zone}."
$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE"
#
# A zone that is signed with an unsupported DNSKEY algorithm (3).
@ -288,14 +287,14 @@ zonefile=dnskey-unsupported.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null
awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed
awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp >${zonefile}.signed
DSFILE="dsset-${zone}."
$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE"
#
# A zone with a published unsupported DNSKEY algorithm (Reserved).
@ -308,9 +307,9 @@ zonefile=dnskey-unsupported-2.example.db
ksk=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile"
cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key >"$zonefile"
"$SIGNER" -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null
"$SIGNER" -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" >/dev/null
#
# A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
@ -322,14 +321,14 @@ zonefile=dnskey-nsec3-unknown.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -3 - -o "$zone" -PU -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
"$SIGNER" -z -3 - -o "$zone" -PU -O full -f ${zonefile}.tmp "$zonefile" >/dev/null
awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp >${zonefile}.signed
DSFILE="dsset-${zone}."
$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE"
#
# A multiple parameter nsec3 zone.
@ -340,20 +339,20 @@ zonefile=multiple.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -O full -o "$zone" "$zonefile" > /dev/null
awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed > NSEC
"$SIGNER" -z -O full -u3 - -o "$zone" "$zonefile" > /dev/null
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed > NSEC3
"$SIGNER" -z -O full -u3 AAAA -o "$zone" "$zonefile" > /dev/null
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3
"$SIGNER" -z -O full -u3 BBBB -o "$zone" "$zonefile" > /dev/null
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3
"$SIGNER" -z -O full -u3 CCCC -o "$zone" "$zonefile" > /dev/null
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3
"$SIGNER" -z -O full -u3 DDDD -o "$zone" "$zonefile" > /dev/null
cat NSEC NSEC3 >> "$zonefile".signed
"$SIGNER" -z -O full -o "$zone" "$zonefile" >/dev/null
awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed >NSEC
"$SIGNER" -z -O full -u3 - -o "$zone" "$zonefile" >/dev/null
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >NSEC3
"$SIGNER" -z -O full -u3 AAAA -o "$zone" "$zonefile" >/dev/null
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3
"$SIGNER" -z -O full -u3 BBBB -o "$zone" "$zonefile" >/dev/null
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3
"$SIGNER" -z -O full -u3 CCCC -o "$zone" "$zonefile" >/dev/null
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3
"$SIGNER" -z -O full -u3 DDDD -o "$zone" "$zonefile" >/dev/null
cat NSEC NSEC3 >>"$zonefile".signed
#
# A RSASHA256 zone.
@ -364,9 +363,9 @@ zonefile=rsasha256.example.db
keyname=$("$KEYGEN" -q -a RSASHA256 -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
#
# A RSASHA512 zone.
@ -377,9 +376,9 @@ zonefile=rsasha512.example.db
keyname=$("$KEYGEN" -q -a RSASHA512 -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
#
# A zone with the DNSKEY set only signed by the KSK
@ -390,8 +389,8 @@ zonefile=kskonly.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -x -o "$zone" "$zonefile" > /dev/null
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -x -o "$zone" "$zonefile" >/dev/null
#
# A zone with the expired signatures
@ -402,8 +401,8 @@ zonefile=expired.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" > /dev/null
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" >/dev/null
rm -f "$kskname.*" "$zskname.*"
#
@ -415,8 +414,8 @@ zonefile=update-nsec3.example.db
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null
#
# A NSEC signed zone that will have dnssec-policy enabled and
@ -428,10 +427,10 @@ zonefile=auto-nsec.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -fk "$zone" > /dev/null
"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone" > /dev/null
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -fk "$zone" >/dev/null
"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone" >/dev/null
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
#
# A NSEC3 signed zone that will have dnssec-policy enabled and
@ -443,10 +442,10 @@ zonefile=auto-nsec3.example.db
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -fk "$zone" > /dev/null
"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone" > /dev/null
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -fk "$zone" >/dev/null
"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone" >/dev/null
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null
#
# Secure below cname test zone.
@ -455,8 +454,8 @@ zone=secure.below-cname.example.
infile=secure.below-cname.example.db.in
zonefile=secure.below-cname.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
#
# Patched TTL test zone.
@ -468,11 +467,11 @@ signedfile=ttlpatch.example.db.signed
patchedfile=ttlpatch.example.db.patched
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" > /dev/null
$CHECKZONE -D -s full "$zone" $signedfile 2> /dev/null | \
awk '{$2 = "3600"; print}' > $patchedfile
"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" >/dev/null
$CHECKZONE -D -s full "$zone" $signedfile 2>/dev/null \
| awk '{$2 = "3600"; print}' >$patchedfile
#
# Separate DNSSEC records.
@ -483,10 +482,10 @@ zonefile=split-dnssec.example.db
signedfile=split-dnssec.example.db.signed
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
echo "\$INCLUDE \"$signedfile\"" >> "$zonefile"
: > "$signedfile"
"$SIGNER" -P -D -o "$zone" "$zonefile" > /dev/null
cat "$infile" "$keyname.key" >"$zonefile"
echo "\$INCLUDE \"$signedfile\"" >>"$zonefile"
: >"$signedfile"
"$SIGNER" -P -D -o "$zone" "$zonefile" >/dev/null
#
# Separate DNSSEC records smart signing.
@ -499,9 +498,9 @@ signedfile=split-smart.example.db.signed
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cp "$infile" "$zonefile"
# shellcheck disable=SC2016
echo "\$INCLUDE \"$signedfile\"" >> "$zonefile"
: > "$signedfile"
"$SIGNER" -P -S -D -o "$zone" "$zonefile" > /dev/null
echo "\$INCLUDE \"$signedfile\"" >>"$zonefile"
: >"$signedfile"
"$SIGNER" -P -S -D -o "$zone" "$zonefile" >/dev/null
#
# Zone with signatures about to expire, but no private key to replace them
@ -513,7 +512,7 @@ signedfile="expiring.example.db.signed"
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" >/dev/null
mv -f "${zskname}.private" "${zskname}.private.moved"
mv -f "${kskname}.private" "${kskname}.private.moved"
@ -528,9 +527,9 @@ signedfile="upper.example.db.signed"
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" > /dev/null
$CHECKZONE -D upper.example $lower 2>/dev/null | \
sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' > $signedfile
"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" >/dev/null
$CHECKZONE -D upper.example $lower 2>/dev/null \
| sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' >$signedfile
#
# Check that the signer's name is in lower case when zone name is in
@ -543,7 +542,7 @@ signedfile="lower.example.db.signed"
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -P -S -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -S -o "$zone" "$zonefile" >/dev/null
#
# An inline signing zone
@ -572,10 +571,10 @@ zonefile=badds.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
sed -e 's/bogus/badds/g' < dsset-bogus.example. > dsset-badds.example.
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
sed -e 's/bogus/badds/g' <dsset-bogus.example. >dsset-badds.example.
#
# A zone with future signatures.
@ -585,8 +584,8 @@ infile=future.example.db.in
zonefile=future.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" >/dev/null
cp -f "$kskname.key" trusted-future.key
#
@ -597,8 +596,8 @@ infile=managed-future.example.db.in
zonefile=managed-future.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" >/dev/null
#
# A zone with a revoked key
@ -612,8 +611,8 @@ ksk1=$("$REVOKE" "$ksk1")
ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3fk "$zone")
zsk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3 "$zone")
cat "$infile" "${ksk1}.key" "${ksk2}.key" "${zsk1}.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
cat "$infile" "${ksk1}.key" "${ksk2}.key" "${zsk1}.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
#
# Check that NSEC3 are correctly signed and returned from below a DNAME
@ -625,7 +624,7 @@ zonefile=dname-at-apex-nsec3.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3 "$zone")
cat "$infile" "${kskname}.key" "${zskname}.key" >"$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null
#
# A NSEC zone with occluded data at the delegation
@ -637,10 +636,10 @@ kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" "$zone")
dnskeyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "delegation.$zone")
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -n HOST -T KEY "delegation.$zone")
$DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}."
$DSFROMKEY "$dnskeyname.key" >"dsset-delegation.${zone}."
cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \
"${dnskeyname}.key" "dsset-delegation.${zone}." >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
"${dnskeyname}.key" "dsset-delegation.${zone}." >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
#
# Pre-signed zone for FIPS validation of RSASHA1 signed zones
@ -651,10 +650,10 @@ cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \
#
zone=rsasha1.example
zonefile=rsasha1.example.db
awk '$4 == "DNSKEY" && $5 == 257 { print }' "$zonefile" |
$DSFROMKEY -f - "$zone" > "dsset-${zone}."
awk '$4 == "DNSKEY" && $5 == 257 { print }' "$zonefile" \
| $DSFROMKEY -f - "$zone" >"dsset-${zone}."
zone=rsasha1-1024.example
zonefile=rsasha1-1024.example.db
awk '$4 == "DNSKEY" && $5 == 257 { print }' "$zonefile" |
$DSFROMKEY -f - "$zone" > "dsset-${zone}."
awk '$4 == "DNSKEY" && $5 == 257 { print }' "$zonefile" \
| $DSFROMKEY -f - "$zone" >"dsset-${zone}."


@ -25,15 +25,15 @@ zonefile=root.db.signed
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
# copy the KSK out first, then revoke it
keyfile_to_initial_ds "$keyname" > revoked.conf
keyfile_to_initial_ds "$keyname" >revoked.conf
"$SETTIME" -R now "${keyname}.key" > /dev/null
"$SETTIME" -R now "${keyname}.key" >/dev/null
# create a current set of keys, and sign the root zone
"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" $zone > /dev/null
"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK $zone > /dev/null
"$SIGNER" -S -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1
"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" $zone >/dev/null
"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK $zone >/dev/null
"$SIGNER" -S -o "$zone" -f "$zonefile" "$infile" >/dev/null 2>&1
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone ".")
keyfile_to_static_ds "$keyname" > trusted.conf
keyfile_to_static_ds "$keyname" >trusted.conf


@ -24,6 +24,6 @@ zonefile=optout-tld.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" >/dev/null 2>&1


@ -25,7 +25,7 @@ zonefile=split-rrsig.db
k1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
k2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$k1.key" "$k2.key" > "$zonefile"
cat "$infile" "$k1.key" "$k2.key" >"$zonefile"
# The awk script below achieves two goals:
#
@ -37,8 +37,8 @@ cat "$infile" "$k1.key" "$k2.key" > "$zonefile"
# - it places a copy of one of the RRSIG(SOA) records somewhere else than at the
# zone apex; the test then checks whether such signatures are automatically
# removed from the zone after it is loaded.
"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" >/dev/null 2>&1
awk 'BEGIN { r = ""; }
$4 == "RRSIG" && $5 == "SOA" && r == "" { r = $0; next; }
{ print }
END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" > "$zonefile.signed"
END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" >"$zonefile.signed"


@ -13,16 +13,14 @@
. ../conf.sh
if ! ${PYTHON} -c 'import dns'
then
echo_i "python dns module is required"
exit 1
if ! ${PYTHON} -c 'import dns'; then
echo_i "python dns module is required"
exit 1
fi
if ! ${PERL} -MNet::DNS -e ''
then
echo_i "perl Net::DNS module is required"
exit 1
if ! ${PERL} -MNet::DNS -e ''; then
echo_i "perl Net::DNS module is required"
exit 1
fi
exit 0


@ -32,21 +32,21 @@ copy_setports ns8/named.conf.in ns8/named.conf
copy_setports ns9/named.conf.in ns9/named.conf
(
cd ns1
$SHELL sign.sh
{
echo "a.bogus.example. A 10.0.0.22"
echo "b.bogus.example. A 10.0.0.23"
echo "c.bogus.example. A 10.0.0.23"
} >>../ns3/bogus.example.db.signed
cd ns1
$SHELL sign.sh
{
echo "a.bogus.example. A 10.0.0.22"
echo "b.bogus.example. A 10.0.0.23"
echo "c.bogus.example. A 10.0.0.23"
} >>../ns3/bogus.example.db.signed
)
(
cd ns3
cp -f siginterval1.conf siginterval.conf
cd ns3
cp -f siginterval1.conf siginterval.conf
)
(
cd ns5
$SHELL sign.sh
cd ns5
$SHELL sign.sh
)



@ -14,7 +14,7 @@
. ../conf.sh
$FEATURETEST --enable-dnstap || {
echo_i "This test requires dnstap support." >&2
exit 255
echo_i "This test requires dnstap support." >&2
exit 255
}
exit 0



@ -14,13 +14,13 @@
. ../conf.sh
$FEATURETEST --with-libnghttp2 || {
echo_i "This test requires libnghttp2 support." >&2
exit 255
echo_i "This test requires libnghttp2 support." >&2
exit 255
}
$FEATURETEST --have-fips-dh || {
echo_i "FIPS mode Diffie-Hellman not working - skipping doth test"
exit 255
$FEATURETEST --have-fips-dh || {
echo_i "FIPS mode Diffie-Hellman not working - skipping doth test"
exit 255
}
exit 0


@ -15,15 +15,15 @@
$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 2 >ns1/example.db
echo '; huge answer' >> ns1/example.db
echo '; huge answer' >>ns1/example.db
x=1
while [ $x -le 50 ]; do
y=1
while [ $y -le 50 ]; do
printf 'biganswer\t\tA\t\t10.10.%d.%d\n' $x $y >> ns1/example.db
y=$((y+1))
done
x=$((x+1))
y=1
while [ $y -le 50 ]; do
printf 'biganswer\t\tA\t\t10.10.%d.%d\n' $x $y >>ns1/example.db
y=$((y + 1))
done
x=$((x + 1))
done
copy_setports ns1/named.conf.in ns1/named.conf



@ -25,12 +25,12 @@ cp ../ns2/dsset-bad. .
key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
cat $infile $key1.key $key2.key > $zonefile
cat $infile $key1.key $key2.key >$zonefile
$SIGNER -P -g -o $zone $zonefile > /dev/null
$SIGNER -P -g -o $zone $zonefile >/dev/null
# Configure the resolving server with a static key.
keyfile_to_static_ds $key2 > trusted.conf
keyfile_to_static_ds $key2 >trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf


@ -28,16 +28,15 @@ keyname22=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone2)
cat $infile1 $keyname11.key $keyname12.key >$zonefile1
cat $infile2 $keyname21.key $keyname22.key >$zonefile2
$SIGNER -P -g -o $zone1 $zonefile1 > /dev/null
$SIGNER -P -g -o $zone2 $zonefile2 > /dev/null
$SIGNER -P -g -o $zone1 $zonefile1 >/dev/null
$SIGNER -P -g -o $zone2 $zonefile2 >/dev/null
DSFILENAME1=dsset-${zone1}.
DSFILENAME2=dsset-${zone2}.
$DSFROMKEY -a SHA-256 $keyname12 > $DSFILENAME1
$DSFROMKEY -a SHA-256 $keyname22 > $DSFILENAME2
$DSFROMKEY -a SHA-256 $keyname12 >$DSFILENAME1
$DSFROMKEY -a SHA-256 $keyname22 >$DSFILENAME2
algo=SHA-384
$DSFROMKEY -a $algo $keyname12 >> $DSFILENAME1
$DSFROMKEY -a $algo $keyname22 > $DSFILENAME2
$DSFROMKEY -a $algo $keyname12 >>$DSFILENAME1
$DSFROMKEY -a $algo $keyname22 >$DSFILENAME2


@ -25,9 +25,9 @@ DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
echo_i "checking that validation with enabled digest types works"
ret=0
$DIG $DIGOPTS a.good. @10.53.0.3 a > dig.out.good || ret=1
grep "status: NOERROR" dig.out.good > /dev/null || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.good > /dev/null || ret=1
$DIG $DIGOPTS a.good. @10.53.0.3 a >dig.out.good || ret=1
grep "status: NOERROR" dig.out.good >/dev/null || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.good >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -35,19 +35,19 @@ status=$((status + ret))
echo_i "checking that validation with no supported digest types and must-be-secure results in SERVFAIL"
ret=0
$DIG $DIGOPTS a.bad. @10.53.0.3 a > dig.out.bad || ret=1
grep "SERVFAIL" dig.out.bad > /dev/null || ret=1
$DIG $DIGOPTS a.bad. @10.53.0.3 a >dig.out.bad || ret=1
grep "SERVFAIL" dig.out.bad >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "checking that validation with no supported digest algorithms results in insecure"
ret=0
$DIG $DIGOPTS bad. @10.53.0.4 ds > dig.out.ds || ret=1
grep "NOERROR" dig.out.ds > /dev/null || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ds > /dev/null || ret=1
$DIG $DIGOPTS a.bad. @10.53.0.4 a > dig.out.insecure || ret=1
grep "NOERROR" dig.out.insecure > /dev/null || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.insecure > /dev/null && ret=1
$DIG $DIGOPTS bad. @10.53.0.4 ds >dig.out.ds || ret=1
grep "NOERROR" dig.out.ds >/dev/null || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ds >/dev/null || ret=1
$DIG $DIGOPTS a.bad. @10.53.0.4 a >dig.out.insecure || ret=1
grep "NOERROR" dig.out.insecure >/dev/null || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.insecure >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "exit status: $status"


@ -13,9 +13,9 @@
. ../conf.sh
$FEATURETEST --tsan && {
echo_i "TSAN - skipping dyndb test"
exit 255
$FEATURETEST --tsan && {
echo_i "TSAN - skipping dyndb test"
exit 255
}
exit 0


@ -22,99 +22,97 @@ DIGOPTS="@10.53.0.1 -p ${PORT}"
RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"
newtest() {
n=$((n + 1))
echo_i "${1} (${n})"
ret=0
n=$((n + 1))
echo_i "${1} (${n})"
ret=0
}
test_add() {
host="$1"
type="$2"
ip="$3"
host="$1"
type="$2"
ip="$3"
cat <<EOF > ns1/update.txt
cat <<EOF >ns1/update.txt
server 10.53.0.1 ${PORT}
ttl 86400
update add $host $type $ip
send
EOF
newtest "adding $host $type $ip"
$NSUPDATE ns1/update.txt > /dev/null 2>&1 || {
[ "$should_fail" ] || \
echo_i "update failed for $host $type $ip"
return 1
}
newtest "adding $host $type $ip"
$NSUPDATE ns1/update.txt >/dev/null 2>&1 || {
[ "$should_fail" ] \
|| echo_i "update failed for $host $type $ip"
return 1
}
out=$($DIG $DIGOPTS +noall +answer -t $type -q $host)
echo $out > added.a.out.$n
lines=$(echo "$out" | grep "$ip" | wc -l)
[ $lines -eq 1 ] || {
[ "$should_fail" ] || \
echo_i "dig output incorrect for $host $type $cmd: $out"
return 1
}
out=$($DIG $DIGOPTS +noall +answer -t $type -q $host)
echo $out >added.a.out.$n
lines=$(echo "$out" | grep "$ip" | wc -l)
[ $lines -eq 1 ] || {
[ "$should_fail" ] \
|| echo_i "dig output incorrect for $host $type $cmd: $out"
return 1
}
for i in 1 2 3 4 5 6 7 8 9 10
do
out=$($DIG $DIGOPTS +noall +answer -x $ip)
echo $out > added.ptr.out.$n
lines=$(echo "$out" | grep "$host" | wc -l)
[ $lines -eq 1 ] && break;
$PERL -e 'select(undef, undef, undef, 0.1);'
done
[ $lines -eq 1 ] || {
[ "$should_fail" ] || \
echo_i "dig reverse output incorrect for $host $type $cmd: $out"
return 1
}
for i in 1 2 3 4 5 6 7 8 9 10; do
out=$($DIG $DIGOPTS +noall +answer -x $ip)
echo $out >added.ptr.out.$n
lines=$(echo "$out" | grep "$host" | wc -l)
[ $lines -eq 1 ] && break
$PERL -e 'select(undef, undef, undef, 0.1);'
done
[ $lines -eq 1 ] || {
[ "$should_fail" ] \
|| echo_i "dig reverse output incorrect for $host $type $cmd: $out"
return 1
}
return 0
return 0
}
test_del() {
host="$1"
type="$2"
host="$1"
type="$2"
ip=$($DIG $DIGOPTS +short $host $type)
ip=$($DIG $DIGOPTS +short $host $type)
cat <<EOF > ns1/update.txt
cat <<EOF >ns1/update.txt
server 10.53.0.1 ${PORT}
update del $host $type
send
EOF
newtest "deleting $host $type (was $ip)"
$NSUPDATE ns1/update.txt > /dev/null 2>&1 || {
[ "$should_fail" ] || \
echo_i "update failed deleting $host $type"
return 1
}
newtest "deleting $host $type (was $ip)"
$NSUPDATE ns1/update.txt >/dev/null 2>&1 || {
[ "$should_fail" ] \
|| echo_i "update failed deleting $host $type"
return 1
}
out=$($DIG $DIGOPTS +noall +answer -t $type -q $host)
echo $out > deleted.a.out.$n
lines=$(echo "$out" | grep "$ip" | wc -l)
[ $lines -eq 0 ] || {
[ "$should_fail" ] || \
echo_i "dig output incorrect for $host $type $cmd: $out"
return 1
}
out=$($DIG $DIGOPTS +noall +answer -t $type -q $host)
echo $out >deleted.a.out.$n
lines=$(echo "$out" | grep "$ip" | wc -l)
[ $lines -eq 0 ] || {
[ "$should_fail" ] \
|| echo_i "dig output incorrect for $host $type $cmd: $out"
return 1
}
for i in 1 2 3 4 5 6 7 8 9 10
do
out=$($DIG $DIGOPTS +noall +answer -x $ip)
echo $out > deleted.ptr.out.$n
lines=$(echo "$out" | grep "$host" | wc -l)
[ $lines -eq 0 ] && break
$PERL -e 'select(undef, undef, undef, 0.1);'
done
[ $lines -eq 0 ] || {
[ "$should_fail" ] || \
echo_i "dig reverse output incorrect for $host $type $cmd: $out"
return 1
}
for i in 1 2 3 4 5 6 7 8 9 10; do
out=$($DIG $DIGOPTS +noall +answer -x $ip)
echo $out >deleted.ptr.out.$n
lines=$(echo "$out" | grep "$host" | wc -l)
[ $lines -eq 0 ] && break
$PERL -e 'select(undef, undef, undef, 0.1);'
done
[ $lines -eq 0 ] || {
[ "$should_fail" ] \
|| echo_i "dig reverse output incorrect for $host $type $cmd: $out"
return 1
}
return 0
return 0
}
test_add test1.ipv4.example.nil. A "10.53.0.10" || ret=1
@ -142,8 +140,8 @@ test_del test4.ipv6.example.nil. AAAA || ret=1
status=$((status + ret))
newtest "checking parameter logging"
grep "loading params for dyndb 'sample' from .*named.conf:" ns1/named.run > /dev/null || ret=1
grep "loading params for dyndb 'sample2' from .*named.conf:" ns1/named.run > /dev/null || ret=1
grep "loading params for dyndb 'sample' from .*named.conf:" ns1/named.run >/dev/null || ret=1
grep "loading params for dyndb 'sample2' from .*named.conf:" ns1/named.run >/dev/null || ret=1
[ $ret -eq 1 ] && echo_i "failed"
status=$((status + ret))
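Review bot: The failure diagnostics `echo_i "dig output incorrect for $host $type $cmd: $out"` and the reverse-lookup variants in both test_add and test_del expand `$cmd`, which is never assigned anywhere in this section, so the message prints an empty field (and would abort under `set -u`). The value the preceding grep searched for is `$ip`, so `echo_i "dig output incorrect for $host $type $ip: $out"` appears to be what was intended. Separately, `echo $out >added.a.out.$n` (and the deleted.*/ptr variants) is unquoted, so the captured dig output is word-split and reflowed onto one line before being saved; `printf '%s\n' "$out" >added.a.out.$n` preserves it as dig emitted it.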


@ -24,34 +24,34 @@ echo_i "ns1/sign.sh"
cp $infile $zonefile
if [ -f ../ecdsa256-supported.file ]; then
zsk256=$($KEYGEN -q -a ECDSA256 -n zone "$zone")
ksk256=$($KEYGEN -q -a ECDSA256 -n zone -f KSK "$zone")
cat "$ksk256.key" "$zsk256.key" >> "$zonefile"
$DSFROMKEY -a sha-256 "$ksk256.key" >> dsset-256
zsk256=$($KEYGEN -q -a ECDSA256 -n zone "$zone")
ksk256=$($KEYGEN -q -a ECDSA256 -n zone -f KSK "$zone")
cat "$ksk256.key" "$zsk256.key" >>"$zonefile"
$DSFROMKEY -a sha-256 "$ksk256.key" >>dsset-256
fi
if [ -f ../ecdsa384-supported.file ]; then
zsk384=$($KEYGEN -q -a ECDSA384 -n zone "$zone")
ksk384=$($KEYGEN -q -a ECDSA384 -n zone -f KSK "$zone")
cat "$ksk384.key" "$zsk384.key" >> "$zonefile"
$DSFROMKEY -a sha-256 "$ksk384.key" >> dsset-256
zsk384=$($KEYGEN -q -a ECDSA384 -n zone "$zone")
ksk384=$($KEYGEN -q -a ECDSA384 -n zone -f KSK "$zone")
cat "$ksk384.key" "$zsk384.key" >>"$zonefile"
$DSFROMKEY -a sha-256 "$ksk384.key" >>dsset-256
fi
# Configure the resolving server with a static key.
if [ -f ../ecdsa256-supported.file ]; then
keyfile_to_static_ds $ksk256 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
keyfile_to_static_ds $ksk256 >trusted.conf
cp trusted.conf ../ns2/trusted.conf
else
keyfile_to_static_ds $ksk384 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
keyfile_to_static_ds $ksk384 >trusted.conf
cp trusted.conf ../ns2/trusted.conf
fi
if [ -f ../ecdsa384-supported.file ]; then
keyfile_to_static_ds $ksk384 > trusted.conf
cp trusted.conf ../ns3/trusted.conf
keyfile_to_static_ds $ksk384 >trusted.conf
cp trusted.conf ../ns3/trusted.conf
else
keyfile_to_static_ds $ksk256 > trusted.conf
cp trusted.conf ../ns3/trusted.conf
keyfile_to_static_ds $ksk256 >trusted.conf
cp trusted.conf ../ns3/trusted.conf
fi
$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err
$SIGNER -P -g -o "$zone" "$zonefile" >/dev/null 2>signer.err || cat signer.err


@ -16,17 +16,17 @@ set -e
. ../conf.sh
if $SHELL ../testcrypto.sh ecdsap256sha256; then
echo "yes" > ecdsa256-supported.file
echo "yes" >ecdsa256-supported.file
fi
if $SHELL ../testcrypto.sh ecdsap384sha384; then
echo "yes" > ecdsa384-supported.file
echo "yes" >ecdsa384-supported.file
fi
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
(
cd ns1
$SHELL sign.sh
cd ns1
$SHELL sign.sh
)


@ -19,35 +19,35 @@ status=0
n=0
dig_with_opts() {
"$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
"$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
}
if [ -f ecdsa256-supported.file ]; then
n=$((n+1))
echo_i "checking that ECDSA256 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n + 1))
echo_i "checking that ECDSA256 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa >dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.2 soa >dig.out.ns2.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
else
echo_i "algorithm ECDSA256 not supported, skipping test"
echo_i "algorithm ECDSA256 not supported, skipping test"
fi
if [ -f ecdsa384-supported.file ]; then
n=$((n+1))
echo_i "checking that ECDSA384 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.3 soa > dig.out.ns3.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n + 1))
echo_i "checking that ECDSA384 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa >dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.3 soa >dig.out.ns3.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
else
echo_i "algorithm ECDSA384 not supported, skipping test"
echo_i "algorithm ECDSA384 not supported, skipping test"
fi
echo_i "exit status: $status"


@ -24,34 +24,34 @@ echo_i "ns1/sign.sh"
cp $infile $zonefile
if [ -f ../ed25519-supported.file ]; then
zsk25519=$($KEYGEN -q -a ED25519 -n zone "$zone")
ksk25519=$($KEYGEN -q -a ED25519 -n zone -f KSK "$zone")
cat "$ksk25519.key" "$zsk25519.key" >> "$zonefile"
$DSFROMKEY -a sha-256 "$ksk25519.key" >> dsset-256
zsk25519=$($KEYGEN -q -a ED25519 -n zone "$zone")
ksk25519=$($KEYGEN -q -a ED25519 -n zone -f KSK "$zone")
cat "$ksk25519.key" "$zsk25519.key" >>"$zonefile"
$DSFROMKEY -a sha-256 "$ksk25519.key" >>dsset-256
fi
if [ -f ../ed448-supported.file ]; then
zsk448=$($KEYGEN -q -a ED448 -n zone "$zone")
ksk448=$($KEYGEN -q -a ED448 -n zone -f KSK "$zone")
cat "$ksk448.key" "$zsk448.key" >> "$zonefile"
$DSFROMKEY -a sha-256 "$ksk448.key" >> dsset-256
zsk448=$($KEYGEN -q -a ED448 -n zone "$zone")
ksk448=$($KEYGEN -q -a ED448 -n zone -f KSK "$zone")
cat "$ksk448.key" "$zsk448.key" >>"$zonefile"
$DSFROMKEY -a sha-256 "$ksk448.key" >>dsset-256
fi
# Configure the resolving server with a static key.
if [ -f ../ed25519-supported.file ]; then
keyfile_to_static_ds $ksk25519 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
keyfile_to_static_ds $ksk25519 >trusted.conf
cp trusted.conf ../ns2/trusted.conf
else
keyfile_to_static_ds $ksk448 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
keyfile_to_static_ds $ksk448 >trusted.conf
cp trusted.conf ../ns2/trusted.conf
fi
if [ -f ../ed448-supported.file ]; then
keyfile_to_static_ds $ksk448 > trusted.conf
cp trusted.conf ../ns3/trusted.conf
keyfile_to_static_ds $ksk448 >trusted.conf
cp trusted.conf ../ns3/trusted.conf
else
keyfile_to_static_ds $ksk25519 > trusted.conf
cp trusted.conf ../ns3/trusted.conf
keyfile_to_static_ds $ksk25519 >trusted.conf
cp trusted.conf ../ns3/trusted.conf
fi
$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err
$SIGNER -P -g -o "$zone" "$zonefile" >/dev/null 2>signer.err || cat signer.err


@ -27,12 +27,11 @@ cp $infile $zonefile
if [ -f ../ed25519-supported.file ]; then
for i in Xexample.com.+015+03613 Xexample.com.+015+35217
do
cp "$i.key" "$(echo $i.key | sed s/X/K/)"
cp "$i.private" "$(echo $i.private | sed s/X/K/)"
cat "$(echo $i.key | sed s/X/K/)" >> "$zonefile"
done
for i in Xexample.com.+015+03613 Xexample.com.+015+35217; do
cp "$i.key" "$(echo $i.key | sed s/X/K/)"
cp "$i.private" "$(echo $i.private | sed s/X/K/)"
cat "$(echo $i.key | sed s/X/K/)" >>"$zonefile"
done
fi
$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err
$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" >/dev/null 2>signer.err || cat signer.err


@ -26,12 +26,11 @@ echo_i "ns3/sign.sh"
cp $infile $zonefile
if [ -f ../ed448-supported.file ]; then
for i in Xexample.com.+016+09713 Xexample.com.+016+38353
do
cp "$i.key" "$(echo $i.key | sed s/X/K/)"
cp "$i.private" "$(echo $i.private | sed s/X/K/)"
cat "$(echo $i.key | sed s/X/K/)" >> "$zonefile"
done
for i in Xexample.com.+016+09713 Xexample.com.+016+38353; do
cp "$i.key" "$(echo $i.key | sed s/X/K/)"
cp "$i.private" "$(echo $i.private | sed s/X/K/)"
cat "$(echo $i.key | sed s/X/K/)" >>"$zonefile"
done
fi
$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err
$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" >/dev/null 2>signer.err || cat signer.err


@ -17,10 +17,10 @@ set -e
supported=0
if $SHELL ../testcrypto.sh ed25519; then
supported=1
supported=1
fi
if $SHELL ../testcrypto.sh ed448; then
supported=1
supported=1
fi
[ "$supported" -eq 1 ] || exit 1


@ -16,11 +16,11 @@ set -e
. ../conf.sh
if $SHELL ../testcrypto.sh ed25519; then
echo "yes" > ed25519-supported.file
echo "yes" >ed25519-supported.file
fi
if $SHELL ../testcrypto.sh ed448; then
echo "yes" > ed448-supported.file
echo "yes" >ed448-supported.file
fi
copy_setports ns1/named.conf.in ns1/named.conf
@ -28,14 +28,14 @@ copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
(
cd ns1
$SHELL sign.sh
cd ns1
$SHELL sign.sh
)
(
cd ns2
$SHELL sign.sh
cd ns2
$SHELL sign.sh
)
(
cd ns3
$SHELL sign.sh
cd ns3
$SHELL sign.sh
)


@ -19,68 +19,68 @@ status=0
n=0
dig_with_opts() {
"$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
"$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
}
if [ -f ed25519-supported.file ]; then
# Check the example. domain
n=$((n+1))
echo_i "checking that Ed25519 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
# Check the example. domain
n=$((n + 1))
echo_i "checking that Ed25519 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa >dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.2 soa >dig.out.ns2.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
# Check test vectors (RFC 8080 + errata)
n=$((n+1))
echo_i "checking that Ed25519 test vectors match ($n)"
ret=0
grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed > /dev/null || ret=1
grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed > /dev/null || ret=1
grep 'zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVi' ns2/example.com.db.signed > /dev/null || ret=1
grep 'R0O7KuI5k2pcBg==' ns2/example.com.db.signed > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
# Check test vectors (RFC 8080 + errata)
n=$((n + 1))
echo_i "checking that Ed25519 test vectors match ($n)"
ret=0
grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed >/dev/null || ret=1
grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed >/dev/null || ret=1
grep 'zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVi' ns2/example.com.db.signed >/dev/null || ret=1
grep 'R0O7KuI5k2pcBg==' ns2/example.com.db.signed >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
else
echo_i "algorithm Ed25519 not supported, skipping vectors match test"
echo_i "algorithm Ed25519 not supported, skipping vectors match test"
fi
n=$((n+1))
n=$((n + 1))
ret=0
if [ -f ed448-supported.file ]; then
# Check the example. domain
n=$((n+1))
echo_i "checking that Ed448 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.3 soa > dig.out.ns3.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
# Check the example. domain
n=$((n + 1))
echo_i "checking that Ed448 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa >dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.3 soa >dig.out.ns3.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
# Check test vectors (RFC 8080 + errata)
n=$((n+1))
echo_i "checking that Ed448 test vectors match ($n)"
ret=0
grep '3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLm' ns3/example.com.db.signed > /dev/null || ret=1
grep 'jInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKi' ns3/example.com.db.signed > /dev/null || ret=1
grep 'wZSAxGILn/NBtOXft0+Gj7FSvOKxE/07+4RQ' ns3/example.com.db.signed > /dev/null || ret=1
grep 'vE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213' ns3/example.com.db.signed > /dev/null || ret=1
grep 'WKsJlwEA' ns3/example.com.db.signed > /dev/null || ret=1
# Check test vectors (RFC 8080 + errata)
n=$((n + 1))
echo_i "checking that Ed448 test vectors match ($n)"
ret=0
grep '3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLm' ns3/example.com.db.signed >/dev/null || ret=1
grep 'jInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKi' ns3/example.com.db.signed >/dev/null || ret=1
grep 'wZSAxGILn/NBtOXft0+Gj7FSvOKxE/07+4RQ' ns3/example.com.db.signed >/dev/null || ret=1
grep 'vE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213' ns3/example.com.db.signed >/dev/null || ret=1
grep 'WKsJlwEA' ns3/example.com.db.signed >/dev/null || ret=1
grep 'E1/oLjSGIbmLny/4fcgM1z4oL6aqo+izT3ur' ns3/example.com.db.signed > /dev/null || ret=1
grep 'CyHyvEp4Sp8Syg1eI+lJ57CSnZqjJP41O/9l' ns3/example.com.db.signed > /dev/null || ret=1
grep '4m0AsQ4f7qI1gVnML8vWWiyW2KXhT9kuAICU' ns3/example.com.db.signed > /dev/null || ret=1
grep 'Sxv5OWbf81Rq7Yu60npabODB0QFPb/rkW3kU' ns3/example.com.db.signed > /dev/null || ret=1
grep 'ZmQ0YQUA' ns3/example.com.db.signed > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
grep 'E1/oLjSGIbmLny/4fcgM1z4oL6aqo+izT3ur' ns3/example.com.db.signed >/dev/null || ret=1
grep 'CyHyvEp4Sp8Syg1eI+lJ57CSnZqjJP41O/9l' ns3/example.com.db.signed >/dev/null || ret=1
grep '4m0AsQ4f7qI1gVnML8vWWiyW2KXhT9kuAICU' ns3/example.com.db.signed >/dev/null || ret=1
grep 'Sxv5OWbf81Rq7Yu60npabODB0QFPb/rkW3kU' ns3/example.com.db.signed >/dev/null || ret=1
grep 'ZmQ0YQUA' ns3/example.com.db.signed >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
else
echo_i "algorithm Ed448 not supported, skipping vectors match test"
echo_i "algorithm Ed448 not supported, skipping vectors match test"
fi
echo_i "exit status: $status"


@ -24,88 +24,163 @@ zone=.
n=$((n + 1))
echo_i "check +edns=100 sets version 100 ($n)"
ret=0 reason=
$DIG $DIGOPTS @10.53.0.1 +qr +edns=100 soa $zone > dig.out$n || ret=1
grep "EDNS: version: 100," dig.out$n > /dev/null || { ret=1; reason="version"; }
$DIG $DIGOPTS @10.53.0.1 +qr +edns=100 soa $zone >dig.out$n || ret=1
grep "EDNS: version: 100," dig.out$n >/dev/null || {
ret=1
reason="version"
}
if [ $ret != 0 ]; then echo_i "failed $reason"; fi
status=$((status + ret))
n=$((n + 1))
ret=0 reason=
echo_i "check +ednsopt=100 adds option 100 ($n)"
$DIG $DIGOPTS @10.53.0.1 +qr +ednsopt=100 soa $zone > dig.out$n || ret=1
grep "; OPT=100" dig.out$n > /dev/null || { ret=1; reason="option"; }
$DIG $DIGOPTS @10.53.0.1 +qr +ednsopt=100 soa $zone >dig.out$n || ret=1
grep "; OPT=100" dig.out$n >/dev/null || {
ret=1
reason="option"
}
if [ $ret != 0 ]; then echo_i "failed $reason"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "check +ednsflags=0x80 sets flags to 0x0080 ($n)"
ret=0 reason=
$DIG $DIGOPTS @10.53.0.1 +qr +ednsflags=0x80 soa $zone > dig.out$n || ret=1
grep "MBZ: 0x0080," dig.out$n > /dev/null || { ret=1; reason="flags"; }
$DIG $DIGOPTS @10.53.0.1 +qr +ednsflags=0x80 soa $zone >dig.out$n || ret=1
grep "MBZ: 0x0080," dig.out$n >/dev/null || {
ret=1
reason="flags"
}
if [ $ret != 0 ]; then echo_i "failed $reason"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "Unknown EDNS version ($n)"
ret=0 reason=
$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsnegotiation soa $zone > dig.out$n || ret=1
grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; }
grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reason="soa"; }
$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsnegotiation soa $zone >dig.out$n || ret=1
grep "status: BADVERS," dig.out$n >/dev/null || {
ret=1
reason="status"
}
grep "EDNS: version: 0," dig.out$n >/dev/null || {
ret=1
reason="version"
}
grep "IN.SOA." dig.out$n >/dev/null && {
ret=1
reason="soa"
}
if [ $ret != 0 ]; then echo_i "failed $reason"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "Unknown EDNS option ($n)"
ret=0 reason=
$DIG $DIGOPTS @10.53.0.1 +ednsopt=100 soa $zone > dig.out$n || ret=1
grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; }
grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
grep "; OPT=100" dig.out$n > /dev/null && { ret=1; reason="option"; }
grep "IN.SOA." dig.out$n > /dev/null || { ret=1; reason="nosoa"; }
$DIG $DIGOPTS @10.53.0.1 +ednsopt=100 soa $zone >dig.out$n || ret=1
grep "status: NOERROR," dig.out$n >/dev/null || {
ret=1
reason="status"
}
grep "EDNS: version: 0," dig.out$n >/dev/null || {
ret=1
reason="version"
}
grep "; OPT=100" dig.out$n >/dev/null && {
ret=1
reason="option"
}
grep "IN.SOA." dig.out$n >/dev/null || {
ret=1
reason="nosoa"
}
if [ $ret != 0 ]; then echo_i "failed $reason"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "Unknown EDNS version + option ($n)"
ret=0 reason=
$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsopt=100 soa $zone > dig.out$n || ret=1
grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; }
grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
grep "; OPT=100" dig.out$n > /dev/null && { ret=1; reason="option"; }
grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reason="soa"; }
$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsopt=100 soa $zone >dig.out$n || ret=1
grep "status: BADVERS," dig.out$n >/dev/null || {
ret=1
reason="status"
}
grep "EDNS: version: 0," dig.out$n >/dev/null || {
ret=1
reason="version"
}
grep "; OPT=100" dig.out$n >/dev/null && {
ret=1
reason="option"
}
grep "IN.SOA." dig.out$n >/dev/null && {
ret=1
reason="soa"
}
if [ $ret != 0 ]; then echo_i "failed: $reason"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "Unknown EDNS flag ($n)"
ret=0 reason=
$DIG $DIGOPTS @10.53.0.1 +ednsflags=0x80 soa $zone > dig.out$n || ret=1
grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; }
grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
grep "EDNS:.*MBZ" dig.out$n > /dev/null > /dev/null && { ret=1; reason="mbz"; }
grep ".IN.SOA." dig.out$n > /dev/null || { ret=1; reason="nosoa"; }
$DIG $DIGOPTS @10.53.0.1 +ednsflags=0x80 soa $zone >dig.out$n || ret=1
grep "status: NOERROR," dig.out$n >/dev/null || {
ret=1
reason="status"
}
grep "EDNS: version: 0," dig.out$n >/dev/null || {
ret=1
reason="version"
}
grep "EDNS:.*MBZ" dig.out$n >/dev/null >/dev/null && {
ret=1
reason="mbz"
}
grep ".IN.SOA." dig.out$n >/dev/null || {
ret=1
reason="nosoa"
}
if [ $ret != 0 ]; then echo_i "failed $reason"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "Unknown EDNS version + flag ($n)"
ret=0 reason=
$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsflags=0x80 soa $zone > dig.out$n || ret=1
grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; }
grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
grep "EDNS:.*MBZ" dig.out$n > /dev/null > /dev/null && { ret=1; reason="mbz"; }
grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reason="soa"; }
$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsflags=0x80 soa $zone >dig.out$n || ret=1
grep "status: BADVERS," dig.out$n >/dev/null || {
ret=1
reason="status"
}
grep "EDNS: version: 0," dig.out$n >/dev/null || {
ret=1
reason="version"
}
grep "EDNS:.*MBZ" dig.out$n >/dev/null >/dev/null && {
ret=1
reason="mbz"
}
grep "IN.SOA." dig.out$n >/dev/null && {
ret=1
reason="soa"
}
if [ $ret != 0 ]; then echo_i "failed $reason"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "DiG's EDNS negotiation ($n)"
ret=0 reason=
$DIG $DIGOPTS @10.53.0.1 +edns=100 soa $zone > dig.out$n || ret=1
grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; }
grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
grep "IN.SOA." dig.out$n > /dev/null || { ret=1; reason="soa"; }
$DIG $DIGOPTS @10.53.0.1 +edns=100 soa $zone >dig.out$n || ret=1
grep "status: NOERROR," dig.out$n >/dev/null || {
ret=1
reason="status"
}
grep "EDNS: version: 0," dig.out$n >/dev/null || {
ret=1
reason="version"
}
grep "IN.SOA." dig.out$n >/dev/null || {
ret=1
reason="soa"
}
if [ $ret != 0 ]; then echo_i "failed $reason"; fi
status=$((status + ret))
n=$((n + 1))
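Review bot: `grep "EDNS:.*MBZ" dig.out$n >/dev/null >/dev/null && {` in the "Unknown EDNS flag" and "Unknown EDNS version + flag" checks carries a duplicated stdout redirection that the reformat preserved; it is harmless but reads as a typo and will keep tripping linters. Dropping the second `>/dev/null` on both lines leaves the check unchanged.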


@ -27,18 +27,18 @@ ret=0
rndc_reload ns1 10.53.0.1
copy_setports ns1/named2.conf.in ns1/named.conf
$RNDCCMD 10.53.0.1 reload > /dev/null || ret=1
$RNDCCMD 10.53.0.1 reload >/dev/null || ret=1
sleep 5
$DIG $DIGOPTS +vc version.bind txt ch @10.53.0.1 > /dev/null || ret=1
$DIG $DIGOPTS +vc version.bind txt ch @10.53.0.1 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that allow-transfer { none; } works ($n)"
ret=0
$DIG $DIGOPTS axfr 10.in-addr.arpa @10.53.0.1 +all > dig.out.test$n || ret=1
grep "status: REFUSED" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS axfr 10.in-addr.arpa @10.53.0.1 +all >dig.out.test$n || ret=1
grep "status: REFUSED" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))


@ -14,19 +14,19 @@
. ../conf.sh
[ -n "${SOFTHSM2_CONF}" ] || {
echo_i "skip: softhsm2 configuration not available"
exit 255
echo_i "skip: softhsm2 configuration not available"
exit 255
}
parse_openssl_config
[ -f "$SOFTHSM2_MODULE" ] || {
echo_i "skip: softhsm2 module not available"
exit 1
echo_i "skip: softhsm2 module not available"
exit 1
}
for _bin in softhsm2-util pkcs11-tool; do
command -v "$_bin" >/dev/null || {
echo_i "skip: $_bin not available"
exit 1
}
command -v "$_bin" >/dev/null || {
echo_i "skip: $_bin not available"
exit 1
}
done


@ -18,104 +18,101 @@ set -e
OPENSSL_CONF= softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2-enginepkcs11" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }'
printf '%s' "${HSMPIN:-1234}" > pin
printf '%s' "${HSMPIN:-1234}" >pin
parse_openssl_config
PWD=$(pwd)
copy_setports ns1/named.conf.in ns1/named.conf
sed -e "s/@ENGINE_ARGS@/${ENGINE_ARG}/g" < ns1/named.args.in > ns1/named.args
sed -e "s/@ENGINE_ARGS@/${ENGINE_ARG}/g" <ns1/named.args.in >ns1/named.args
keygen() {
type="$1"
bits="$2"
zone="$3"
id="$4"
type="$1"
bits="$2"
zone="$3"
id="$4"
label="${id}-${zone}"
p11id=$(echo "${label}" | openssl sha1 -r | awk '{print $1}')
OPENSSL_CONF= pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-enginepkcs11" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id 2> pkcs11-tool.err.$zone.$id || return 1
label="${id}-${zone}"
p11id=$(echo "${label}" | openssl sha1 -r | awk '{print $1}')
OPENSSL_CONF= pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-enginepkcs11" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/pin) >pkcs11-tool.out.$zone.$id 2>pkcs11-tool.err.$zone.$id || return 1
}
keyfromlabel() {
alg="$1"
zone="$2"
id="$3"
dir="$4"
shift 4
alg="$1"
zone="$2"
id="$3"
dir="$4"
shift 4
$KEYFRLAB $ENGINE_ARG -K $dir -a $alg -l "pkcs11:token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >> keyfromlabel.out.$zone.$id 2> keyfromlabel.err.$zone.$id || return 1
cat keyfromlabel.out.$zone.$id
$KEYFRLAB $ENGINE_ARG -K $dir -a $alg -l "pkcs11:token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >>keyfromlabel.out.$zone.$id 2>keyfromlabel.err.$zone.$id || return 1
cat keyfromlabel.out.$zone.$id
}
# Setup ns1.
dir="ns1"
infile="${dir}/template.db.in"
for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1
# Edwards curves are not yet supported by OpenSC
# ed25519:EC:edwards25519 ed448:EC:edwards448
do
alg=$(echo "$algtypebits" | cut -f 1 -d :)
type=$(echo "$algtypebits" | cut -f 2 -d :)
bits=$(echo "$algtypebits" | cut -f 3 -d :)
ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1; do # Edwards curves are not yet supported by OpenSC
# ed25519:EC:edwards25519 ed448:EC:edwards448
alg=$(echo "$algtypebits" | cut -f 1 -d :)
type=$(echo "$algtypebits" | cut -f 2 -d :)
bits=$(echo "$algtypebits" | cut -f 3 -d :)
if $SHELL ../testcrypto.sh $alg; then
zone="$alg.example"
zonefile="zone.$alg.example.db"
ret=0
if $SHELL ../testcrypto.sh $alg; then
zone="$alg.example"
zonefile="zone.$alg.example.db"
ret=0
echo_i "Generate keys $alg $type:$bits for zone $zone"
keygen $type $bits $zone enginepkcs11-zsk || ret=1
keygen $type $bits $zone enginepkcs11-ksk || ret=1
test "$ret" -eq 0 || exit 1
echo_i "Generate keys $alg $type:$bits for zone $zone"
keygen $type $bits $zone enginepkcs11-zsk || ret=1
keygen $type $bits $zone enginepkcs11-ksk || ret=1
test "$ret" -eq 0 || exit 1
echo_i "Get ZSK $alg $zone $type:$bits"
zsk1=$(keyfromlabel $alg $zone enginepkcs11-zsk $dir)
test -z "$zsk1" && exit 1
echo_i "Get ZSK $alg $zone $type:$bits"
zsk1=$(keyfromlabel $alg $zone enginepkcs11-zsk $dir)
test -z "$zsk1" && exit 1
echo_i "Get KSK $alg $zone $type:$bits"
ksk1=$(keyfromlabel $alg $zone enginepkcs11-ksk $dir -f KSK)
test -z "$ksk1" && exit 1
echo_i "Get KSK $alg $zone $type:$bits"
ksk1=$(keyfromlabel $alg $zone enginepkcs11-ksk $dir -f KSK)
test -z "$ksk1" && exit 1
(
cd $dir
zskid1=$(keyfile_to_key_id $zsk1)
kskid1=$(keyfile_to_key_id $ksk1)
echo "$zskid1" > $zone.zskid1
echo "$kskid1" > $zone.kskid1
)
(
cd $dir
zskid1=$(keyfile_to_key_id $zsk1)
kskid1=$(keyfile_to_key_id $ksk1)
echo "$zskid1" >$zone.zskid1
echo "$kskid1" >$zone.kskid1
)
echo_i "Sign zone with $ksk1 $zsk1"
cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" > "${dir}/${zonefile}"
$SIGNER $ENGINE_ARG -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile}" > signer.out.$zone || ret=1
test "$ret" -eq 0 || exit 1
echo_i "Sign zone with $ksk1 $zsk1"
cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" >"${dir}/${zonefile}"
$SIGNER $ENGINE_ARG -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile}" >signer.out.$zone || ret=1
test "$ret" -eq 0 || exit 1
echo_i "Generate successor keys $alg $type:$bits for zone $zone"
keygen $type $bits $zone enginepkcs11-zsk2 || ret=1
keygen $type $bits $zone enginepkcs11-ksk2 || ret=1
test "$ret" -eq 0 || exit 1
echo_i "Generate successor keys $alg $type:$bits for zone $zone"
keygen $type $bits $zone enginepkcs11-zsk2 || ret=1
keygen $type $bits $zone enginepkcs11-ksk2 || ret=1
test "$ret" -eq 0 || exit 1
echo_i "Get ZSK $alg $id-$zone $type:$bits"
zsk2=$(keyfromlabel $alg $zone enginepkcs11-zsk2 $dir)
test -z "$zsk2" && exit 1
echo_i "Get ZSK $alg $id-$zone $type:$bits"
zsk2=$(keyfromlabel $alg $zone enginepkcs11-zsk2 $dir)
test -z "$zsk2" && exit 1
echo_i "Get KSK $alg $id-$zone $type:$bits"
ksk2=$(keyfromlabel $alg $zone enginepkcs11-ksk2 $dir -f KSK)
test -z "$ksk2" && exit 1
echo_i "Get KSK $alg $id-$zone $type:$bits"
ksk2=$(keyfromlabel $alg $zone enginepkcs11-ksk2 $dir -f KSK)
test -z "$ksk2" && exit 1
(
cd $dir
zskid2=$(keyfile_to_key_id $zsk2)
kskid2=$(keyfile_to_key_id $ksk2)
echo "$zskid2" > $zone.zskid2
echo "$kskid2" > $zone.kskid2
cp "${zsk2}.key" "${zsk2}.zsk2"
cp "${ksk2}.key" "${ksk2}.ksk2"
)
(
cd $dir
zskid2=$(keyfile_to_key_id $zsk2)
kskid2=$(keyfile_to_key_id $ksk2)
echo "$zskid2" >$zone.zskid2
echo "$kskid2" >$zone.kskid2
cp "${zsk2}.key" "${zsk2}.zsk2"
cp "${ksk2}.key" "${ksk2}.ksk2"
)
echo_i "Add zone $zone to named.conf"
cat >> "${dir}/named.conf" <<EOF
echo_i "Add zone $zone to named.conf"
cat >>"${dir}/named.conf" <<EOF
zone "$zone" {
type primary;
file "${zonefile}.signed";
@ -123,5 +120,5 @@ zone "$zone" {
};
EOF
fi
fi
done


@ -24,65 +24,62 @@ ret=0
n=0
dig_with_opts() (
$DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
$DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
)
# Perform tests inside ns1 dir
cd ns1
for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1
# Edwards curves are not yet supported by OpenSC
# ed25519:EC:edwards25519 ed448:EC:edwards448
do
alg=$(echo "$algtypebits" | cut -f 1 -d :)
type=$(echo "$algtypebits" | cut -f 2 -d :)
bits=$(echo "$algtypebits" | cut -f 3 -d :)
zone="${alg}.example"
zonefile="zone.${zone}.db.signed"
ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1; do # Edwards curves are not yet supported by OpenSC
# ed25519:EC:edwards25519 ed448:EC:edwards448
alg=$(echo "$algtypebits" | cut -f 1 -d :)
type=$(echo "$algtypebits" | cut -f 2 -d :)
bits=$(echo "$algtypebits" | cut -f 3 -d :)
zone="${alg}.example"
zonefile="zone.${zone}.db.signed"
if [ ! -f $zonefile ]; then
echo_i "skipping test for ${alg}:${type}:${bits}, no signed zone file ${zonefile}"
continue
fi
if [ ! -f $zonefile ]; then
echo_i "skipping test for ${alg}:${type}:${bits}, no signed zone file ${zonefile}"
continue
fi
# Basic checks if setup was successful.
n=$((n+1))
ret=0
echo_i "Test key generation was successful for $zone ($n)"
count=$(ls K*.key | grep "K${zone}" | wc -l)
test "$count" -eq 4 || ret=1
test "$ret" -eq 0 || echo_i "failed (expected 4 keys, got $count)"
status=$((status+ret))
# Basic checks if setup was successful.
n=$((n + 1))
ret=0
echo_i "Test key generation was successful for $zone ($n)"
count=$(ls K*.key | grep "K${zone}" | wc -l)
test "$count" -eq 4 || ret=1
test "$ret" -eq 0 || echo_i "failed (expected 4 keys, got $count)"
status=$((status + ret))
n=$((n+1))
ret=0
echo_i "Test zone signing was successful for $zone ($n)"
$VERIFY -z -o $zone "${zonefile}" > verify.out.$zone.$n 2>&1 || ret=1
test "$ret" -eq 0 || echo_i "failed (dnssec-verify failed)"
status=$((status+ret))
n=$((n + 1))
ret=0
echo_i "Test zone signing was successful for $zone ($n)"
$VERIFY -z -o $zone "${zonefile}" >verify.out.$zone.$n 2>&1 || ret=1
test "$ret" -eq 0 || echo_i "failed (dnssec-verify failed)"
status=$((status + ret))
# Test inline signing with keys stored in engine.
zskid1=$(cat "${zone}.zskid1")
zskid2=$(cat "${zone}.zskid2")
# Test inline signing with keys stored in engine.
zskid1=$(cat "${zone}.zskid1")
zskid2=$(cat "${zone}.zskid2")
n=$((n+1))
ret=0
echo_i "Test inline signing for $zone ($n)"
dig_with_opts "$zone" @10.53.0.1 SOA > dig.out.soa.$zone.$n || ret=1
awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n > dig.out.keyids.$zone.$n || return 1
numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
test $numsigs -eq 1 || return 1
grep -w "$zskid1" dig.out.keyids.$zone.$n > /dev/null || return 1
test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed with key $zskid1)"
status=$((status+ret))
n=$((n + 1))
ret=0
echo_i "Test inline signing for $zone ($n)"
dig_with_opts "$zone" @10.53.0.1 SOA >dig.out.soa.$zone.$n || ret=1
awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n >dig.out.keyids.$zone.$n || return 1
numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
test $numsigs -eq 1 || return 1
grep -w "$zskid1" dig.out.keyids.$zone.$n >/dev/null || return 1
test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed with key $zskid1)"
status=$((status + ret))
n=$((n+1))
ret=0
echo_i "Dynamically update $zone, add new zsk ($n)"
zsk2=$(grep -v ';' K${zone}.*.zsk2)
cat > "update.cmd.zsk.$zone.$n" <<EOF
n=$((n + 1))
ret=0
echo_i "Dynamically update $zone, add new zsk ($n)"
zsk2=$(grep -v ';' K${zone}.*.zsk2)
cat >"update.cmd.zsk.$zone.$n" <<EOF
server 10.53.0.1 $PORT
ttl 300
zone $zone
@ -90,47 +87,47 @@ update add $zsk2
send
EOF
$NSUPDATE -v > "update.log.zsk.$zone.$n" < "update.cmd.zsk.$zone.$n" || ret=1
test "$ret" -eq 0 || echo_i "failed (update failed)"
status=$((status+ret))
$NSUPDATE -v >"update.log.zsk.$zone.$n" <"update.cmd.zsk.$zone.$n" || ret=1
test "$ret" -eq 0 || echo_i "failed (update failed)"
status=$((status + ret))
n=$((n+1))
ret=0
echo_i "Test DNSKEY response for $zone after inline signing ($n)"
_dig_dnskey() (
dig_with_opts "$zone" @10.53.0.1 DNSKEY > dig.out.dnskey.$zone.$n || return 1
count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n)
test $count -eq 3
)
retry_quiet 10 _dig_dnskey || ret=1
test "$ret" -eq 0 || echo_i "failed (expected 3 DNSKEY records)"
status=$((status+ret))
n=$((n + 1))
ret=0
echo_i "Test DNSKEY response for $zone after inline signing ($n)"
_dig_dnskey() (
dig_with_opts "$zone" @10.53.0.1 DNSKEY >dig.out.dnskey.$zone.$n || return 1
count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n)
test $count -eq 3
)
retry_quiet 10 _dig_dnskey || ret=1
test "$ret" -eq 0 || echo_i "failed (expected 3 DNSKEY records)"
status=$((status + ret))
n=$((n+1))
ret=0
echo_i "Test SOA response for $zone after inline signing ($n)"
_dig_soa() (
dig_with_opts "$zone" @10.53.0.1 SOA > dig.out.soa.$zone.$n || return 1
awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n > dig.out.keyids.$zone.$n || return 1
numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
test $numsigs -eq 2 || return 1
grep -w "$zskid1" dig.out.keyids.$zone.$n > /dev/null || return 1
grep -w "$zskid2" dig.out.keyids.$zone.$n > /dev/null || return 1
return 0
)
retry_quiet 10 _dig_soa || ret=1
test "$ret" -eq 0 || echo_i "failed (expected 2 SOA RRSIG records)"
status=$((status+ret))
n=$((n + 1))
ret=0
echo_i "Test SOA response for $zone after inline signing ($n)"
_dig_soa() (
dig_with_opts "$zone" @10.53.0.1 SOA >dig.out.soa.$zone.$n || return 1
awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n >dig.out.keyids.$zone.$n || return 1
numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
test $numsigs -eq 2 || return 1
grep -w "$zskid1" dig.out.keyids.$zone.$n >/dev/null || return 1
grep -w "$zskid2" dig.out.keyids.$zone.$n >/dev/null || return 1
return 0
)
retry_quiet 10 _dig_soa || ret=1
test "$ret" -eq 0 || echo_i "failed (expected 2 SOA RRSIG records)"
status=$((status + ret))
# Test inline signing with keys stored in engine (key signing).
kskid1=$(cat "${zone}.kskid1")
kskid2=$(cat "${zone}.kskid2")
# Test inline signing with keys stored in engine (key signing).
kskid1=$(cat "${zone}.kskid1")
kskid2=$(cat "${zone}.kskid2")
n=$((n+1))
ret=0
echo_i "Dynamically update $zone, add new ksk ($n)"
ksk2=$(grep -v ';' K${zone}.*.ksk2)
cat > "update.cmd.ksk.$zone.$n" <<EOF
n=$((n + 1))
ret=0
echo_i "Dynamically update $zone, add new ksk ($n)"
ksk2=$(grep -v ';' K${zone}.*.ksk2)
cat >"update.cmd.ksk.$zone.$n" <<EOF
server 10.53.0.1 $PORT
ttl 300
zone $zone
@ -138,40 +135,40 @@ update add $ksk2
send
EOF
$NSUPDATE -v > "update.log.ksk.$zone.$n" < "update.cmd.ksk.$zone.$n" || ret=1
test "$ret" -eq 0 || echo_i "failed (update failed)"
status=$((status+ret))
$NSUPDATE -v >"update.log.ksk.$zone.$n" <"update.cmd.ksk.$zone.$n" || ret=1
test "$ret" -eq 0 || echo_i "failed (update failed)"
status=$((status + ret))
n=$((n+1))
ret=0
echo_i "Test DNSKEY response for $zone after inline signing (key signing) ($n)"
_dig_dnskey_ksk() (
dig_with_opts "$zone" @10.53.0.1 DNSKEY > dig.out.dnskey.$zone.$n || return 1
count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n)
test $count -eq 4 || return 1
awk '$4 == "RRSIG" { print $11 }' dig.out.dnskey.$zone.$n > dig.out.keyids.$zone.$n || return 1
numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
test $numsigs -eq 2 || return 1
grep -w "$kskid1" dig.out.keyids.$zone.$n > /dev/null || return 1
grep -w "$kskid2" dig.out.keyids.$zone.$n > /dev/null || return 1
return 0
)
retry_quiet 10 _dig_dnskey_ksk || ret=1
test "$ret" -eq 0 || echo_i "failed (expected 4 DNSKEY records, 2 KSK signatures)"
status=$((status+ret))
n=$((n + 1))
ret=0
echo_i "Test DNSKEY response for $zone after inline signing (key signing) ($n)"
_dig_dnskey_ksk() (
dig_with_opts "$zone" @10.53.0.1 DNSKEY >dig.out.dnskey.$zone.$n || return 1
count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n)
test $count -eq 4 || return 1
awk '$4 == "RRSIG" { print $11 }' dig.out.dnskey.$zone.$n >dig.out.keyids.$zone.$n || return 1
numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
test $numsigs -eq 2 || return 1
grep -w "$kskid1" dig.out.keyids.$zone.$n >/dev/null || return 1
grep -w "$kskid2" dig.out.keyids.$zone.$n >/dev/null || return 1
return 0
)
retry_quiet 10 _dig_dnskey_ksk || ret=1
test "$ret" -eq 0 || echo_i "failed (expected 4 DNSKEY records, 2 KSK signatures)"
status=$((status + ret))
done
# Go back to main test dir.
cd ..
n=$((n+1))
n=$((n + 1))
ret=0
echo_i "Checking for assertion failure in pk11_numbits()"
$PERL ../packet.pl -a "10.53.0.1" -p "$PORT" -t udp 2037-pk11_numbits-crash-test.pkt
dig_with_opts @10.53.0.1 version.bind. CH TXT > dig.out.pk11_numbits || ret=1
dig_with_opts @10.53.0.1 version.bind. CH TXT >dig.out.pk11_numbits || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
status=$((status + ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1


@ -13,10 +13,9 @@
. ../conf.sh
if ! ${PERL} -MNet::DNS -e ''
then
echo_i "perl Net::DNS module is required"
exit 1
if ! ${PERL} -MNet::DNS -e ''; then
echo_i "perl Net::DNS module is required"
exit 1
fi
exit 0


@ -18,44 +18,44 @@ set -e
DIGCMD="$DIG @10.53.0.3 -p ${PORT} +tcp +tries=1 +time=1"
rndccmd() (
"$RNDC" -c ../_common/rndc.conf -p "${CONTROLPORT}" -s "$@"
"$RNDC" -c ../_common/rndc.conf -p "${CONTROLPORT}" -s "$@"
)
burst() {
server=${1}
num=${4:-20}
rm -f burst.input.$$
while [ $num -gt 0 ]; do
num=$((num-1))
if [ "${5}" = "dup" ]; then
# burst with duplicate queries
echo "${2}${3}.lamesub.example A" >> burst.input.$$
else
# burst with unique queries
echo "${num}${2}${3}.lamesub.example A" >> burst.input.$$
fi
done
$PERL ../ditch.pl -p ${PORT} -s ${server} burst.input.$$
rm -f burst.input.$$
server=${1}
num=${4:-20}
rm -f burst.input.$$
while [ $num -gt 0 ]; do
num=$((num - 1))
if [ "${5}" = "dup" ]; then
# burst with duplicate queries
echo "${2}${3}.lamesub.example A" >>burst.input.$$
else
# burst with unique queries
echo "${num}${2}${3}.lamesub.example A" >>burst.input.$$
fi
done
$PERL ../ditch.pl -p ${PORT} -s ${server} burst.input.$$
rm -f burst.input.$$
}
stat() {
clients=$(rndccmd ${1} status | grep "recursive clients" |
sed 's;.*: \([^/][^/]*\)/.*;\1;')
echo_i "clients: $clients"
[ "$clients" = "" ] && return 1
[ "$clients" -ge $2 ] || return 1
[ "$clients" -le $3 ] || return 1
return 0
clients=$(rndccmd ${1} status | grep "recursive clients" \
| sed 's;.*: \([^/][^/]*\)/.*;\1;')
echo_i "clients: $clients"
[ "$clients" = "" ] && return 1
[ "$clients" -ge $2 ] || return 1
[ "$clients" -le $3 ] || return 1
return 0
}
_wait_for_message() (
nextpartpeek "$1" > wait_for_message.$n
grep -F "$2" wait_for_message.$n >/dev/null
nextpartpeek "$1" >wait_for_message.$n
grep -F "$2" wait_for_message.$n >/dev/null
)
wait_for_message() (
retry_quiet 20 _wait_for_message "$@"
retry_quiet 20 _wait_for_message "$@"
)
n=0
@ -68,17 +68,17 @@ ret=0
rndccmd 10.53.0.3 flush
touch ans4/norespond
for try in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
burst 10.53.0.3 a $try
# fetches-per-server is at 400, but at 20qps against a lame server,
# we'll reach 200 at the tenth second, and the quota should have been
# tuned to less than that by then.
[ $try -le 5 ] && low=$((try*10))
stat 10.53.0.3 20 200 || ret=1
[ $ret -eq 1 ] && break
sleep 1
burst 10.53.0.3 a $try
# fetches-per-server is at 400, but at 20qps against a lame server,
# we'll reach 200 at the tenth second, and the quota should have been
# tuned to less than that by then.
[ $try -le 5 ] && low=$((try * 10))
stat 10.53.0.3 20 200 || ret=1
[ $ret -eq 1 ] && break
sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n + 1))
echo_i "dumping ADB data ($n)"
@ -89,7 +89,7 @@ set -- $info
quota=$2
[ ${quota:-200} -lt 200 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n + 1))
echo_i "checking servfail statistics ($n)"
@ -97,8 +97,8 @@ ret=0
rm -f ns3/named.stats
rndccmd 10.53.0.3 stats
for try in 1 2 3 4 5; do
[ -f ns3/named.stats ] && break
sleep 1
[ -f ns3/named.stats ] && break
sleep 1
done
sspill=$(grep 'spilled due to server' ns3/named.stats | sed 's/\([0-9][0-9]*\) spilled.*/\1/')
[ -z "$sspill" ] && sspill=0
@ -106,20 +106,20 @@ fails=$(grep 'queries resulted in SERVFAIL' ns3/named.stats | sed 's/\([0-9][0-9
[ -z "$fails" ] && fails=0
[ "$fails" -ge "$sspill" ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n + 1))
echo_i "checking lame server recovery ($n)"
ret=0
test -f ans4/norespond && rm -f ans4/norespond
for try in 1 2 3 4 5; do
burst 10.53.0.3 b $try
stat 10.53.0.3 0 200 || ret=1
[ $ret -eq 1 ] && break
sleep 1
burst 10.53.0.3 b $try
stat 10.53.0.3 0 200 || ret=1
[ $ret -eq 1 ] && break
sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n + 1))
echo_i "dumping ADB data ($n)"
@ -130,19 +130,19 @@ set -- $info
[ ${2:-${quota}} -lt $quota ] || ret=1
quota=$2
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n + 1))
echo_i "checking lame server recovery (continued) ($n)"
ret=0
for try in 1 2 3 4 5 6 7 8 9 10; do
burst 10.53.0.3 c $try
stat 10.53.0.3 0 20 || ret=1
[ $ret -eq 1 ] && break
sleep 1
burst 10.53.0.3 c $try
stat 10.53.0.3 0 20 || ret=1
[ $ret -eq 1 ] && break
sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n + 1))
echo_i "dumping ADB data ($n)"
@ -153,7 +153,7 @@ set -- $info
[ ${2:-${quota}} -gt $quota ] || ret=1
quota=$2
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
copy_setports ns3/named2.conf.in ns3/named.conf
rndc_reconfig ns3 10.53.0.3
@ -165,21 +165,21 @@ fail=0
success=0
touch ans4/norespond
for try in 1 2 3 4 5; do
burst 10.53.0.3 b $try 300
$DIGCMD a ${try}.example > dig.out.ns3.$n.$try
grep "status: NOERROR" dig.out.ns3.$n.$try > /dev/null 2>&1 && \
success=$((success+1))
grep "status: SERVFAIL" dig.out.ns3.$n.$try > /dev/null 2>&1 && \
fail=$(($fail+1))
stat 10.53.0.3 40 40 || ret=1
allowed=$(rndccmd 10.53.0.3 fetchlimit | awk '/lamesub/ { print $6 }')
[ "${allowed:-0}" -eq 40 ] || ret=1
[ $ret -eq 1 ] && break
sleep 1
burst 10.53.0.3 b $try 300
$DIGCMD a ${try}.example >dig.out.ns3.$n.$try
grep "status: NOERROR" dig.out.ns3.$n.$try >/dev/null 2>&1 \
&& success=$((success + 1))
grep "status: SERVFAIL" dig.out.ns3.$n.$try >/dev/null 2>&1 \
&& fail=$(($fail + 1))
stat 10.53.0.3 40 40 || ret=1
allowed=$(rndccmd 10.53.0.3 fetchlimit | awk '/lamesub/ { print $6 }')
[ "${allowed:-0}" -eq 40 ] || ret=1
[ $ret -eq 1 ] && break
sleep 1
done
echo_i "$success successful valid queries, $fail SERVFAIL"
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n + 1))
echo_i "checking drop statistics ($n)"
@ -187,8 +187,8 @@ ret=0
rm -f ns3/named.stats
rndccmd 10.53.0.3 stats
for try in 1 2 3 4 5; do
[ -f ns3/named.stats ] && break
sleep 1
[ -f ns3/named.stats ] && break
sleep 1
done
zspill=$(grep 'spilled due to zone' ns3/named.stats | sed 's/\([0-9][0-9]*\) spilled.*/\1/')
[ -z "$zspill" ] && zspill=0
@ -196,7 +196,7 @@ drops=$(grep 'queries dropped' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.
[ -z "$drops" ] && drops=0
[ "$drops" -ge "$zspill" ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
copy_setports ns3/named3.conf.in ns3/named.conf
rndc_reconfig ns3 10.53.0.3
@ -209,23 +209,32 @@ exceeded=0
success=0
touch ans4/norespond
for try in 1 2 3 4 5; do
burst 10.53.0.3 b $try 400
$DIGCMD +time=2 a ${try}.example > dig.out.ns3.$n.$try
stat 10.53.0.3 1 400 || exceeded=$((exceeded + 1))
grep "status: NOERROR" dig.out.ns3.$n.$try > /dev/null 2>&1 && \
success=$((success+1))
grep "status: SERVFAIL" dig.out.ns3.$n.$try > /dev/null 2>&1 && \
fail=$(($fail+1))
sleep 1
burst 10.53.0.3 b $try 400
$DIGCMD +time=2 a ${try}.example >dig.out.ns3.$n.$try
stat 10.53.0.3 1 400 || exceeded=$((exceeded + 1))
grep "status: NOERROR" dig.out.ns3.$n.$try >/dev/null 2>&1 \
&& success=$((success + 1))
grep "status: SERVFAIL" dig.out.ns3.$n.$try >/dev/null 2>&1 \
&& fail=$(($fail + 1))
sleep 1
done
echo_i "$success successful valid queries (expected 5)"
[ "$success" -eq 5 ] || { echo_i "failed"; ret=1; }
[ "$success" -eq 5 ] || {
echo_i "failed"
ret=1
}
echo_i "$fail SERVFAIL responses (expected 0)"
[ "$fail" -eq 0 ] || { echo_i "failed"; ret=1; }
[ "$fail" -eq 0 ] || {
echo_i "failed"
ret=1
}
echo_i "clients count exceeded 400 on $exceeded trials (expected 0)"
[ "$exceeded" -eq 0 ] || { echo_i "failed"; ret=1; }
[ "$exceeded" -eq 0 ] || {
echo_i "failed"
ret=1
}
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n + 1))
echo_i "checking drop statistics ($n)"
@ -237,7 +246,7 @@ wait_for_log 5 "queries dropped due to recursive client limit" ns3/named.stats |
drops=$(grep 'queries dropped due to recursive client limit' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/')
[ "${drops:-0}" -ne 0 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
nextpart ns5/named.run >/dev/null
@ -246,12 +255,12 @@ echo_i "checking clients are dropped at the clients-per-query limit ($n)"
ret=0
test -f ans4/norespond && rm -f ans4/norespond
for try in 1 2 3 4 5; do
burst 10.53.0.5 latency $try 20 "dup"
sleep 1
burst 10.53.0.5 latency $try 20 "dup"
sleep 1
done
wait_for_message ns5/named.run "clients-per-query increased to 10" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n + 1))
echo_i "checking drop statistics ($n)"
@ -259,8 +268,8 @@ ret=0
rm -f ns5/named.stats
rndccmd 10.53.0.5 stats
for try in 1 2 3 4 5; do
[ -f ns5/named.stats ] && break
sleep 1
[ -f ns5/named.stats ] && break
sleep 1
done
zspill=$(grep 'spilled due to clients per query' ns5/named.stats | sed 's/ *\([0-9][0-9]*\) spilled.*/\1/')
[ -z "$zspill" ] && zspill=0
@ -274,7 +283,7 @@ expected=55
[ "$zspill" -eq "$expected" ] || ret=1
echo_i "$zspill clients spilled (expected $expected)"
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "stop ns5"
stop_server --use-rndc --port ${CONTROLPORT} ns5
@ -289,12 +298,12 @@ echo_i "checking clients are dropped at the clients-per-query limit with stale-a
ret=0
test -f ans4/norespond && rm -f ans4/norespond
for try in 1 2 3 4 5; do
burst 10.53.0.5 latency $try 20 "dup"
sleep 1
burst 10.53.0.5 latency $try 20 "dup"
sleep 1
done
wait_for_message ns5/named.run "clients-per-query increased to 10" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n + 1))
echo_i "checking drop statistics ($n)"
@ -302,8 +311,8 @@ ret=0
rm -f ns5/named.stats
rndccmd 10.53.0.5 stats
for try in 1 2 3 4 5; do
[ -f ns5/named.stats ] && break
sleep 1
[ -f ns5/named.stats ] && break
sleep 1
done
zspill=$(grep 'spilled due to clients per query' ns5/named.stats | sed 's/ *\([0-9][0-9]*\) spilled.*/\1/')
[ -z "$zspill" ] && zspill=0
@ -317,7 +326,7 @@ expected=55
[ "$zspill" -eq "$expected" ] || ret=1
echo_i "$zspill clients spilled (expected $expected)"
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1


@ -20,15 +20,15 @@ infile=signed.db.in
zonefile=signed.db.signed
outfile=signed.db.signed
$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i
$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 > keygen.out | cat_i
$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 >/dev/null | cat_i
$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 >keygen.out | cat_i
keyname=$(cat keygen.out)
rm -f keygen.out
keyfile_to_static_ds $keyname > trusted.conf
keyfile_to_static_ds $keyname >trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns5/trusted.conf
$SIGNER -S -o $zone -f $outfile $infile > /dev/null 2> signer.err || cat signer.err
$SIGNER -S -o $zone -f $outfile $infile >/dev/null 2>signer.err || cat signer.err
echo_i "signed zone '$zone'"


@ -20,8 +20,8 @@ infile=signed.db.in
zonefile=signed.db.signed
outfile=signed.db.signed
$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i
$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i
$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 >/dev/null | cat_i
$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 >/dev/null | cat_i
$SIGNER -S -o $zone -f $outfile $infile > /dev/null 2> signer.err || cat signer.err
$SIGNER -S -o $zone -f $outfile $infile >/dev/null 2>signer.err || cat signer.err
echo_i "signed zone '$zone'"



@ -18,29 +18,29 @@ set -e
status=0
echo_i "test name too long"
$PERL formerr.pl -a 10.53.0.1 -p ${PORT} nametoolong > nametoolong.out
$PERL formerr.pl -a 10.53.0.1 -p ${PORT} nametoolong >nametoolong.out
ans=$(grep got: nametoolong.out)
if [ "${ans}" != "got: 000080010000000000000000" ];
then
echo_i "failed"; status=$((status + 1));
if [ "${ans}" != "got: 000080010000000000000000" ]; then
echo_i "failed"
status=$((status + 1))
fi
echo_i "two questions"
$PERL formerr.pl -a 10.53.0.1 -p ${PORT} twoquestions > twoquestions.out
$PERL formerr.pl -a 10.53.0.1 -p ${PORT} twoquestions >twoquestions.out
ans=$(grep got: twoquestions.out)
if [ "${ans}" != "got: 000080010000000000000000" ];
then
echo_i "failed"; status=$((status + 1));
if [ "${ans}" != "got: 000080010000000000000000" ]; then
echo_i "failed"
status=$((status + 1))
fi
# this would be NOERROR if it included a COOKIE option,
# but is a FORMERR without one.
echo_i "empty question section (and no COOKIE option)"
$PERL formerr.pl -a 10.53.0.1 -p ${PORT} noquestions > noquestions.out
$PERL formerr.pl -a 10.53.0.1 -p ${PORT} noquestions >noquestions.out
ans=$(grep got: noquestions.out)
if [ "${ans}" != "got: 000080010000000000000000" ];
then
echo_i "failed"; status=$((status + 1));
if [ "${ans}" != "got: 000080010000000000000000" ]; then
echo_i "failed"
status=$((status + 1))
fi
echo_i "exit status: $status"


@ -25,10 +25,10 @@ echo_i "ns1/sign.sh"
ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -g -o "$zone" "$zonefile" >/dev/null 2>&1
# Configure the resolving server with a static key.
keyfile_to_static_ds "$ksk" > trusted.conf
keyfile_to_static_ds "$ksk" >trusted.conf
cp trusted.conf ../ns3/trusted.conf


@ -13,16 +13,14 @@
. ../conf.sh
if ! ${PYTHON} -c 'import dns'
then
echo_i "python dns module is required"
exit 1
if ! ${PYTHON} -c 'import dns'; then
echo_i "python dns module is required"
exit 1
fi
if ! ${PERL} -MNet::DNS -e ''
then
echo_i "perl Net::DNS module is required"
exit 1
if ! ${PERL} -MNet::DNS -e ''; then
echo_i "perl Net::DNS module is required"
exit 1
fi
exit 0


@ -16,28 +16,26 @@
$SHELL clean.sh
copy_setports ns1/named.conf.in ns1/named.conf
if $FEATURETEST --have-fips-dh
then
copy_setports ns2/named-tls.conf.in ns2/named-tls.conf
copy_setports ns2/options-tls.conf.in ns2/options-tls.conf
copy_setports ns2/named.conf.in ns2/named.conf
if $FEATURETEST --have-fips-dh; then
copy_setports ns2/named-tls.conf.in ns2/named-tls.conf
copy_setports ns2/options-tls.conf.in ns2/options-tls.conf
copy_setports ns2/named.conf.in ns2/named.conf
else
cp /dev/null ns2/named-tls.conf
cp /dev/null ns2/options-tls.conf
copy_setports ns2/named.conf.in ns2/named.conf
cp /dev/null ns2/named-tls.conf
cp /dev/null ns2/options-tls.conf
copy_setports ns2/named.conf.in ns2/named.conf
fi
copy_setports ns3/named1.conf.in ns3/named.conf
if $FEATURETEST --have-fips-dh
then
copy_setports ns4/named-tls.conf.in ns4/named-tls.conf
copy_setports ns4/options-tls.conf.in ns4/options-tls.conf
copy_setports ns4/named.conf.in ns4/named.conf
if $FEATURETEST --have-fips-dh; then
copy_setports ns4/named-tls.conf.in ns4/named-tls.conf
copy_setports ns4/options-tls.conf.in ns4/options-tls.conf
copy_setports ns4/named.conf.in ns4/named.conf
else
cp /dev/null ns4/named-tls.conf
cp /dev/null ns4/options-tls.conf
copy_setports ns4/named.conf.in ns4/named.conf
cp /dev/null ns4/named-tls.conf
cp /dev/null ns4/options-tls.conf
copy_setports ns4/named.conf.in ns4/named.conf
fi
copy_setports ns5/named.conf.in ns5/named.conf
@ -47,6 +45,6 @@ copy_setports ns9/named1.conf.in ns9/named.conf
copy_setports ns10/named.conf.in ns10/named.conf
(
cd ns1
$SHELL sign.sh
cd ns1
$SHELL sign.sh
)


@ -17,15 +17,15 @@ set -e
. ../conf.sh
dig_with_opts() (
"$DIG" -p "$PORT" "$@"
"$DIG" -p "$PORT" "$@"
)
sendcmd() (
send "$1" "$EXTRAPORT1"
send "$1" "$EXTRAPORT1"
)
rndccmd() {
"$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@"
"$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@"
}
root=10.53.0.1
@ -36,224 +36,217 @@ f2=10.53.0.4
status=0
n=0
n=$((n+1))
n=$((n + 1))
echo_i "checking that a forward zone overrides global forwarders ($n)"
ret=0
dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example1. txt @$f1 > dig.out.$n.f1 || ret=1
dig_with_opts +noadd +noauth txt.example1. txt @$hidden >dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example1. txt @$f1 >dig.out.$n.f1 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that a forward first zone no forwarders recurses ($n)"
ret=0
dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$f1 > dig.out.$n.f1 || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$root >dig.out.$n.root || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$f1 >dig.out.$n.f1 || ret=1
digcomp dig.out.$n.root dig.out.$n.f1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that a forward only zone no forwarders fails ($n)"
ret=0
dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$f1 > dig.out.$n.f1 || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$root >dig.out.$n.root || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$f1 >dig.out.$n.f1 || ret=1
digcomp dig.out.$n.root dig.out.$n.f1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that global forwarders work ($n)"
ret=0
dig_with_opts +noadd +noauth txt.example4. txt @$hidden > dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example4. txt @$f1 > dig.out.$n.f1 || ret=1
dig_with_opts +noadd +noauth txt.example4. txt @$hidden >dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example4. txt @$f1 >dig.out.$n.f1 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that DoT expired certificate does not work ($n)"
if $FEATURETEST --have-fips-dh
then
ret=0
nextpart ns4/named.run >/dev/null
dig_with_opts +noadd +noauth txt.example4. txt @$hidden > dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example4. txt @$f2 > dig.out.$n.f2 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 && ret=1
wait_for_log 1 "TLS peer certificate verification failed" ns4/named.run || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
if $FEATURETEST --have-fips-dh; then
ret=0
nextpart ns4/named.run >/dev/null
dig_with_opts +noadd +noauth txt.example4. txt @$hidden >dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example4. txt @$f2 >dig.out.$n.f2 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 && ret=1
wait_for_log 1 "TLS peer certificate verification failed" ns4/named.run || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
else
echo_i "skipped."
echo_i "skipped."
fi
n=$((n+1))
n=$((n + 1))
echo_i "checking that a forward zone works (DoT insecure) ($n)"
if $FEATURETEST --have-fips-dh
then
ret=0
nextpart ns4/named.run >/dev/null
dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example1. txt @$f2 > dig.out.$n.f2 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
if $FEATURETEST --have-fips-dh; then
ret=0
nextpart ns4/named.run >/dev/null
dig_with_opts +noadd +noauth txt.example1. txt @$hidden >dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example1. txt @$f2 >dig.out.$n.f2 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
else
echo_i "skipped."
echo_i "skipped."
fi
n=$((n+1))
n=$((n + 1))
echo_i "checking that forwarding doesn't spontaneously happen ($n)"
ret=0
dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$f2 > dig.out.$n.f2 || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$root >dig.out.$n.root || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$f2 >dig.out.$n.f2 || ret=1
digcomp dig.out.$n.root dig.out.$n.f2 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that a forward zone with no specified policy works (DoT forward-secrecy) ($n)"
if $FEATURETEST --have-fips-dh
then
ret=0
nextpart ns4/named.run >/dev/null
dig_with_opts +noadd +noauth txt.example3. txt @$hidden > dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example3. txt @$f2 > dig.out.$n.f2 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
if $FEATURETEST --have-fips-dh; then
ret=0
nextpart ns4/named.run >/dev/null
dig_with_opts +noadd +noauth txt.example3. txt @$hidden >dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example3. txt @$f2 >dig.out.$n.f2 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
else
echo_i "skipped."
echo_i "skipped."
fi
n=$((n+1))
n=$((n + 1))
echo_i "checking that DoT remote-hostname works ($n)"
if $FEATURETEST --have-fips-dh
then
ret=0
nextpart ns4/named.run >/dev/null
dig_with_opts +noadd +noauth txt.example8. txt @$hidden > dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example8. txt @$f2 > dig.out.$n.f2 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 || ret=1
wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
if $FEATURETEST --have-fips-dh; then
ret=0
nextpart ns4/named.run >/dev/null
dig_with_opts +noadd +noauth txt.example8. txt @$hidden >dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example8. txt @$f2 >dig.out.$n.f2 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 || ret=1
wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
else
echo_i "skipped."
echo_i "skipped."
fi
n=$((n+1))
n=$((n + 1))
echo_i "checking that DoT bad remote-hostname does not work ($n)"
if $FEATURETEST --have-fips-dh
then
ret=0
nextpart ns4/named.run >/dev/null
dig_with_opts +noadd +noauth txt.example9. txt @$hidden > dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example9. txt @$f2 > dig.out.$n.f2 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 && ret=1
wait_for_log 1 "TLS peer certificate verification failed" ns4/named.run || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
if $FEATURETEST --have-fips-dh; then
ret=0
nextpart ns4/named.run >/dev/null
dig_with_opts +noadd +noauth txt.example9. txt @$hidden >dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example9. txt @$f2 >dig.out.$n.f2 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 && ret=1
wait_for_log 1 "TLS peer certificate verification failed" ns4/named.run || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
else
echo_i "skipped."
echo_i "skipped."
fi
n=$((n+1))
n=$((n + 1))
echo_i "checking that a forward only doesn't recurse ($n)"
ret=0
dig_with_opts txt.example5. txt @$f2 > dig.out.$n.f2 || ret=1
grep "SERVFAIL" dig.out.$n.f2 > /dev/null || ret=1
dig_with_opts txt.example5. txt @$f2 >dig.out.$n.f2 || ret=1
grep "SERVFAIL" dig.out.$n.f2 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking for negative caching of forwarder response ($n)"
# prime the cache, shutdown the forwarder then check that we can
# get the answer from the cache. restart forwarder.
ret=0
dig_with_opts nonexist. txt @10.53.0.5 > dig.out.$n.f2 || ret=1
grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null || ret=1
dig_with_opts nonexist. txt @10.53.0.5 >dig.out.$n.f2 || ret=1
grep "status: NXDOMAIN" dig.out.$n.f2 >/dev/null || ret=1
stop_server ns4 || ret=1
dig_with_opts nonexist. txt @10.53.0.5 > dig.out.$n.f2 || ret=1
grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null || ret=1
dig_with_opts nonexist. txt @10.53.0.5 >dig.out.$n.f2 || ret=1
grep "status: NXDOMAIN" dig.out.$n.f2 >/dev/null || ret=1
start_server --restart --noclean --port "${PORT}" ns4 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
check_override() (
dig_with_opts 1.0.10.in-addr.arpa TXT @$f2 > dig.out.$n.f2 &&
grep "status: NOERROR" dig.out.$n.f2 > /dev/null &&
dig_with_opts 2.0.10.in-addr.arpa TXT @$f2 > dig.out.$n.f2 &&
grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null
dig_with_opts 1.0.10.in-addr.arpa TXT @$f2 >dig.out.$n.f2 \
&& grep "status: NOERROR" dig.out.$n.f2 >/dev/null \
&& dig_with_opts 2.0.10.in-addr.arpa TXT @$f2 >dig.out.$n.f2 \
&& grep "status: NXDOMAIN" dig.out.$n.f2 >/dev/null
)
n=$((n+1))
n=$((n + 1))
echo_i "checking that forward only zone overrides empty zone (DoT forward-secrecy-mutual-tls) ($n)"
if $FEATURETEST --have-fips-dh
then
ret=0
# retry loop in case the server restart above causes transient failure
retry_quiet 10 check_override || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
if $FEATURETEST --have-fips-dh; then
ret=0
# retry loop in case the server restart above causes transient failure
retry_quiet 10 check_override || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
else
echo_i "skipped."
echo_i "skipped."
fi
n=$((n+1))
n=$((n + 1))
echo_i "checking that DS lookups for grafting forward zones are isolated ($n)"
ret=0
dig_with_opts grafted A @10.53.0.4 > dig.out.$n.q1 || ret=1
dig_with_opts grafted DS @10.53.0.4 > dig.out.$n.q2 || ret=1
dig_with_opts grafted A @10.53.0.4 > dig.out.$n.q3 || ret=1
dig_with_opts grafted AAAA @10.53.0.4 > dig.out.$n.q4 || ret=1
grep "status: NOERROR" dig.out.$n.q1 > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.$n.q2 > /dev/null || ret=1
grep "status: NOERROR" dig.out.$n.q3 > /dev/null || ret=1
grep "status: NOERROR" dig.out.$n.q4 > /dev/null || ret=1
dig_with_opts grafted A @10.53.0.4 >dig.out.$n.q1 || ret=1
dig_with_opts grafted DS @10.53.0.4 >dig.out.$n.q2 || ret=1
dig_with_opts grafted A @10.53.0.4 >dig.out.$n.q3 || ret=1
dig_with_opts grafted AAAA @10.53.0.4 >dig.out.$n.q4 || ret=1
grep "status: NOERROR" dig.out.$n.q1 >/dev/null || ret=1
grep "status: NXDOMAIN" dig.out.$n.q2 >/dev/null || ret=1
grep "status: NOERROR" dig.out.$n.q3 >/dev/null || ret=1
grep "status: NOERROR" dig.out.$n.q4 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that rfc1918 inherited 'forward first;' zones are warned about ($n)"
ret=0
$CHECKCONF rfc1918-inherited.conf | grep "forward first;" >/dev/null || ret=1
$CHECKCONF rfc1918-notinherited.conf | grep "forward first;" >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that ULA inherited 'forward first;' zones are warned about ($n)"
ret=0
$CHECKCONF ula-inherited.conf | grep "forward first;" >/dev/null || ret=1
$CHECKCONF ula-notinherited.conf | grep "forward first;" >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
count_sent() (
logfile="$1"
start_pattern="$2"
pattern="$3"
nextpartpeek "$logfile" | sed -n "/$start_pattern/,/^\$/p" | grep -c "$pattern"
logfile="$1"
start_pattern="$2"
pattern="$3"
nextpartpeek "$logfile" | sed -n "/$start_pattern/,/^\$/p" | grep -c "$pattern"
)
check_sent() (
expected="$1"
shift
count=$(count_sent "$@")
[ "$expected" = "$count" ]
expected="$1"
shift
count=$(count_sent "$@")
[ "$expected" = "$count" ]
)
wait_for_log() (
nextpartpeek "$1" | grep "$2" >/dev/null
nextpartpeek "$1" | grep "$2" >/dev/null
)
n=$((n+1))
n=$((n + 1))
echo_i "checking that a forwarder timeout prevents it from being reused in the same fetch context ($n)"
ret=0
# Make ans6 receive queries without responding to them.
@ -263,19 +256,19 @@ echo "//" | sendcmd 10.53.0.6
# when a delegation is encountered after falling back to full recursive
# resolution.
nextpart ns3/named.run >/dev/null
dig_with_opts txt.example7. txt @$f1 > dig.out.$n.f1 || ret=1
dig_with_opts txt.example7. txt @$f1 >dig.out.$n.f1 || ret=1
# The forwarder for the "example7" zone should only be queried once.
start_pattern="sending packet to 10\.53\.0\.6"
retry_quiet 5 wait_for_log ns3/named.run "$start_pattern"
check_sent 1 ns3/named.run "$start_pattern" ";txt\.example7\.[[:space:]]*IN[[:space:]]*TXT$" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that priming queries are not forwarded ($n)"
ret=0
nextpart ns7/named.run >/dev/null
dig_with_opts +noadd +noauth txt.example1. txt @10.53.0.7 > dig.out.$n.f7 || ret=1
dig_with_opts +noadd +noauth txt.example1. txt @10.53.0.7 >dig.out.$n.f7 || ret=1
received_pattern="received packet from 10\.53\.0\.1"
start_pattern="sending packet to 10\.53\.0\.1"
retry_quiet 5 wait_for_log ns7/named.run "$received_pattern" || ret=1
@ -285,30 +278,30 @@ sent=$(grep -c "10.53.0.7#.* (.): query '\./NS/IN' approved" ns4/named.run || tr
sent=$(grep -c "10.53.0.7#.* (.): query '\./NS/IN' approved" ns1/named.run || true)
[ "$sent" -eq 1 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking recovery from forwarding to a non-recursive server ($n)"
ret=0
dig_with_opts xxx.sld.tld txt @10.53.0.8 > dig.out.$n.f8 || ret=1
grep "status: NOERROR" dig.out.$n.f8 > /dev/null || ret=1
dig_with_opts xxx.sld.tld txt @10.53.0.8 >dig.out.$n.f8 || ret=1
grep "status: NOERROR" dig.out.$n.f8 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that rebinding protection works in forward only mode ($n)"
ret=0
# 10.53.0.5 will forward target.malicious. query to 10.53.0.4
# which in turn will return a CNAME for subdomain.rebind.
# to honor the option deny-answer-aliases { "rebind"; };
# ns5 should return a SERVFAIL to avoid potential rebinding attacks
dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. > dig.out.$n || ret=1
grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1
dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. >dig.out.$n || ret=1
grep "status: SERVFAIL" dig.out.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
# Prepare ans6 for the chasing DS tests.
sendcmd 10.53.0.6 << EOF
sendcmd 10.53.0.6 <<EOF
/ns1.sld.tld/A/
300 A 10.53.0.2
/sld.tld/NS/
@ -316,88 +309,88 @@ sendcmd 10.53.0.6 << EOF
/sld.tld/
EOF
n=$((n+1))
n=$((n + 1))
echo_i "checking switch from forwarding to normal resolution while chasing DS ($n)"
ret=0
copy_setports ns3/named2.conf.in ns3/named.conf
rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
sleep 1
nextpart ns3/named.run >/dev/null
dig_with_opts @$f1 xxx.yyy.sld.tld ds > dig.out.$n.f1 || ret=1
grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1
dig_with_opts @$f1 xxx.yyy.sld.tld ds >dig.out.$n.f1 || ret=1
grep "status: SERVFAIL" dig.out.$n.f1 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
# See [GL #3129].
# Enable silent mode for ans11.
echo "1" | sendcmd 10.53.0.11
n=$((n+1))
n=$((n + 1))
echo_i "checking the handling of hung DS fetch while chasing DS ($n)"
ret=0
copy_setports ns3/named2.conf.in ns3/tmp
sed 's/root.db/root2.db/' ns3/tmp > ns3/named.conf
sed 's/root.db/root2.db/' ns3/tmp >ns3/named.conf
rm -f ns3/tmp
rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
rndccmd 10.53.0.3 flush 2>&1 | sed 's/^/ns3 /' | cat_i
sleep 1
nextpart ns3/named.run >/dev/null
dig_with_opts @$f1 xxx.yyy.sld.tld ds > dig.out.$n.f1 || ret=1
grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1
dig_with_opts @$f1 xxx.yyy.sld.tld ds >dig.out.$n.f1 || ret=1
grep "status: SERVFAIL" dig.out.$n.f1 >/dev/null || ret=1
# Disable silent mode for ans11.
echo "0" | sendcmd 10.53.0.11
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
#
# Check various spoofed response scenarios. The same tests will be
# run twice, with "forward first" and "forward only" configurations.
#
run_spooftests () {
n=$((n+1))
echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
# check 'net' is not poisoned.
dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1
# check 'sub.local.net' is not poisoned.
dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
run_spooftests() {
n=$((n + 1))
echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 attackSecureDomain.net >dig.out.$n.prime || ret=1
# check 'net' is not poisoned.
dig_with_opts @10.53.0.9 diditwork.net. TXT >dig.out.$n.net || ret=1
grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net >/dev/null || ret=1
# check 'sub.local.net' is not poisoned.
dig_with_opts @10.53.0.9 sub.local.net TXT >dig.out.$n.sub || ret=1
grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n+1))
echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
# check that net2/DNAME is not cached
dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n + 1))
echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 attackSecureDomain.net2 >dig.out.$n.prime || ret=1
# check that net2/DNAME is not cached
dig_with_opts @10.53.0.9 net2. DNAME >dig.out.$n.net2 || ret=1
grep "ANSWER: 0," dig.out.$n.net2 >/dev/null || ret=1
grep "status: NXDOMAIN" dig.out.$n.net2 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n+1))
echo_i "checking spoofed response scenario 3 - extra answer ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1
# check extra net3 records are not cached
rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i
for try in 1 2 3 4 5; do
lines=$(grep "net3" ns9/named_dump.db | wc -l)
if [ ${lines} -eq 0 ]; then
sleep 1
continue
fi
[ ${lines} -eq 1 ] || ret=1
grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1
grep -q '^local.net3' ns9/named_dump.db && ret=1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n + 1))
echo_i "checking spoofed response scenario 3 - extra answer ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 attackSecureDomain.net3 >dig.out.$n.prime || ret=1
# check extra net3 records are not cached
rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i
for try in 1 2 3 4 5; do
lines=$(grep "net3" ns9/named_dump.db | wc -l)
if [ ${lines} -eq 0 ]; then
sleep 1
continue
fi
[ ${lines} -eq 1 ] || ret=1
grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1
grep -q '^local.net3' ns9/named_dump.db && ret=1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
}
echo_i "checking spoofed response scenarios with forward first zones"
@ -421,31 +414,31 @@ rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
sleep 1
n=$((n+1))
n=$((n + 1))
echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
dig_with_opts @10.53.0.9 attackSecureDomain.net >dig.out.$n.prime || ret=1
# check 'net' is poisoned.
dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1
dig_with_opts @10.53.0.9 diditwork.net. TXT >dig.out.$n.net || ret=1
grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net >/dev/null || ret=1
# check 'sub.local.net' is poisoned.
dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1
dig_with_opts @10.53.0.9 sub.local.net TXT >dig.out.$n.sub || ret=1
grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
dig_with_opts @10.53.0.9 attackSecureDomain.net2 >dig.out.$n.prime || ret=1
# check that net2/DNAME is cached
dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1
grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1
dig_with_opts @10.53.0.9 net2. DNAME >dig.out.$n.net2 || ret=1
grep "ANSWER: 1," dig.out.$n.net2 >/dev/null || ret=1
grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
#
# This test doesn't use any forwarder clauses but is here because it
@ -458,17 +451,17 @@ rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
sleep 1
n=$((n+1))
n=$((n + 1))
echo_i "checking sibling glue below zone ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1
dig_with_opts @10.53.0.9 sibling.tld >dig.out.$n.prime || ret=1
# check for glue A record for sub.local.tld is not used
dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1
grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1
grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1
dig_with_opts @10.53.0.9 sub.local.tld TXT >dig.out.$n.sub || ret=1
grep "ANSWER: 1," dig.out.$n.sub >/dev/null || ret=1
grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
@ -33,9 +33,8 @@ cat <<EOF
3600 )
EOF
for n
do
cat <<EOF
for n; do
cat <<EOF
@ NS ns${n}
ns${n} A 10.53.0.${n}
EOF
@ -14,7 +14,7 @@
. ../conf.sh
$FEATURETEST --have-geoip2 || {
echo_i "This test requires GeoIP support." >&2
exit 255
echo_i "This test requires GeoIP support." >&2
exit 255
}
exit 0
@ -18,6 +18,6 @@ $SHELL clean.sh
copy_setports ns2/named1.conf.in ns2/named.conf
for i in 1 2 3 4 5 6 7 other bogus; do
cp ns2/example.db.in ns2/example${i}.db
echo "@ IN TXT \"$i\"" >> ns2/example$i.db
cp ns2/example.db.in ns2/example${i}.db
echo "@ IN TXT \"$i\"" >>ns2/example$i.db
done
@ -24,24 +24,22 @@ DIGOPTS="+tcp +short -p ${PORT} @10.53.0.2"
DIGOPTS6="+tcp +short -p ${PORT} @fd92:7065:b8e:ffff::2 -6"
RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"
for conf in conf/good*.conf
do
n=$((n + 1))
echo_i "checking that $conf is accepted ($n)"
ret=0
$CHECKCONF "$conf" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
for conf in conf/good*.conf; do
n=$((n + 1))
echo_i "checking that $conf is accepted ($n)"
ret=0
$CHECKCONF "$conf" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
done
for conf in conf/bad*.conf
do
n=$((n + 1))
echo_i "checking that $conf is rejected ($n)"
ret=0
$CHECKCONF "$conf" >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
for conf in conf/bad*.conf; do
n=$((n + 1))
echo_i "checking that $conf is rejected ($n)"
ret=0
$CHECKCONF "$conf" >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
done
n=$((n + 1))
@ -49,23 +47,22 @@ echo_i "checking Country database by code using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
if testsock6 fd92:7065:b8e:ffff::3
then
if testsock6 fd92:7065:b8e:ffff::3; then
n=$((n + 1))
echo_i "checking Country database by code using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
@ -88,26 +85,25 @@ echo_i "checking Country database with nested ACLs using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
if testsock6 fd92:7065:b8e:ffff::3
then
if testsock6 fd92:7065:b8e:ffff::3; then
n=$((n + 1))
echo_i "checking Country database with nested ACLs using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
@ -127,23 +123,22 @@ echo_i "checking Country database by name using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
if testsock6 fd92:7065:b8e:ffff::3
then
if testsock6 fd92:7065:b8e:ffff::3; then
n=$((n + 1))
echo_i "checking Country database by name using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
@ -167,24 +162,23 @@ ret=0
lret=0
# deliberately skipping 4 and 6 as they have duplicate continents
for i in 1 2 3 5 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
if testsock6 fd92:7065:b8e:ffff::3
then
if testsock6 fd92:7065:b8e:ffff::3; then
n=$((n + 1))
echo_i "checking Country database by continent code using IPv6 ($n)"
ret=0
lret=0
# deliberately skipping 4 and 6 as they have duplicate continents
for i in 1 2 3 5 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
@ -208,24 +202,23 @@ ret=0
lret=0
# skipping 2 on purpose here; it has the same region code as 1
for i in 1 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
if testsock6 fd92:7065:b8e:ffff::3
then
if testsock6 fd92:7065:b8e:ffff::3; then
n=$((n + 1))
echo_i "checking City database by region code using IPv6 ($n)"
ret=0
lret=0
# skipping 2 on purpose here; it has the same region code as 1
# skipping 2 on purpose here; it has the same region code as 1
for i in 1 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
@ -249,23 +242,22 @@ echo_i "checking City database by city name using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
if testsock6 fd92:7065:b8e:ffff::3
then
if testsock6 fd92:7065:b8e:ffff::3; then
n=$((n + 1))
echo_i "checking City database by city name using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
@ -288,26 +280,25 @@ echo_i "checking ISP database using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
if testsock6 fd92:7065:b8e:ffff::3
then
if testsock6 fd92:7065:b8e:ffff::3; then
n=$((n + 1))
echo_i "checking ISP database using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
@ -327,26 +318,25 @@ echo_i "checking ASN database by org name using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
if testsock6 fd92:7065:b8e:ffff::3
then
if testsock6 fd92:7065:b8e:ffff::3; then
n=$((n + 1))
echo_i "checking ASN database by org name using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
@ -366,26 +356,25 @@ echo_i "checking GeoIP6 ASN database, ASNNNN only, using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
if testsock6 fd92:7065:b8e:ffff::3
then
if testsock6 fd92:7065:b8e:ffff::3; then
n=$((n + 1))
echo_i "checking ASN database, ASNNNN only, using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
@ -405,26 +394,25 @@ echo_i "checking GeoIP6 ASN database, NNNN only, using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
if testsock6 fd92:7065:b8e:ffff::3
then
if testsock6 fd92:7065:b8e:ffff::3; then
n=$((n + 1))
echo_i "checking ASN database, NNNN only, using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
@ -444,26 +432,25 @@ echo_i "checking Domain database using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
if testsock6 fd92:7065:b8e:ffff::3
then
if testsock6 fd92:7065:b8e:ffff::3; then
n=$((n + 1))
echo_i "checking Domain database using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
@ -481,8 +468,8 @@ sleep 3
n=$((n + 1))
echo_i "checking geoip blackhole ACL ($n)"
ret=0
$DIG $DIGOPTS txt example -b 10.53.0.7 > dig.out.ns2.test$n || ret=1
$RNDCCMD 10.53.0.2 status 2>&1 > rndc.out.ns2.test$n || ret=1
$DIG $DIGOPTS txt example -b 10.53.0.7 >dig.out.ns2.test$n || ret=1
$RNDCCMD 10.53.0.2 status 2>&1 >rndc.out.ns2.test$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
@ -20,51 +20,51 @@ status=0
export SYSTESTDIR="${TOP_BUILDDIR}/bin/tests/system/${systest}"
get_core_dumps() {
find "$SYSTESTDIR/" \( -name 'core' -or -name 'core.*' -or -name '*.core' \) ! -name '*.gz' ! -name '*.txt' | sort
find "$SYSTESTDIR/" \( -name 'core' -or -name 'core.*' -or -name '*.core' \) ! -name '*.gz' ! -name '*.txt' | sort
}
core_dumps=$(get_core_dumps | tr '\n' ' ')
if [ -n "$core_dumps" ]; then
status=1
echoinfo "I:$systest:Core dump(s) found: $core_dumps"
get_core_dumps | while read -r coredump; do
echoinfo "D:$systest:backtrace from $coredump:"
echoinfo "D:$systest:--------------------------------------------------------------------------------"
binary=$(gdb --batch --core="$coredump" 2>/dev/null | sed -ne "s|Core was generated by \`\([^' ]*\)[' ].*|\1|p")
if [ ! -f "${binary}" ]; then
binary=$(find "${TOP_BUILDDIR}" -path "*/.libs/${binary}" -type f)
fi
"${TOP_BUILDDIR}/libtool" --mode=execute gdb \
-batch \
-ex bt \
-core="$coredump" \
-- \
"$binary" 2>/dev/null | sed -n '/^Core was generated by/,$p' | cat_d
echoinfo "D:$systest:--------------------------------------------------------------------------------"
coredump_backtrace="${coredump}-backtrace.txt"
echoinfo "D:$systest:full backtrace from $coredump saved in $coredump_backtrace"
"${TOP_BUILDDIR}/libtool" --mode=execute gdb \
-batch \
-command="${TOP_SRCDIR}/bin/tests/system/run.gdb" \
-core="$coredump" \
-- \
"$binary" > "$coredump_backtrace" 2>&1
echoinfo "D:$systest:core dump $coredump archived as $coredump.gz"
gzip -1 "${coredump}"
done
status=1
echoinfo "I:$systest:Core dump(s) found: $core_dumps"
get_core_dumps | while read -r coredump; do
echoinfo "D:$systest:backtrace from $coredump:"
echoinfo "D:$systest:--------------------------------------------------------------------------------"
binary=$(gdb --batch --core="$coredump" 2>/dev/null | sed -ne "s|Core was generated by \`\([^' ]*\)[' ].*|\1|p")
if [ ! -f "${binary}" ]; then
binary=$(find "${TOP_BUILDDIR}" -path "*/.libs/${binary}" -type f)
fi
"${TOP_BUILDDIR}/libtool" --mode=execute gdb \
-batch \
-ex bt \
-core="$coredump" \
-- \
"$binary" 2>/dev/null | sed -n '/^Core was generated by/,$p' | cat_d
echoinfo "D:$systest:--------------------------------------------------------------------------------"
coredump_backtrace="${coredump}-backtrace.txt"
echoinfo "D:$systest:full backtrace from $coredump saved in $coredump_backtrace"
"${TOP_BUILDDIR}/libtool" --mode=execute gdb \
-batch \
-command="${TOP_SRCDIR}/bin/tests/system/run.gdb" \
-core="$coredump" \
-- \
"$binary" >"$coredump_backtrace" 2>&1
echoinfo "D:$systest:core dump $coredump archived as $coredump.gz"
gzip -1 "${coredump}"
done
fi
assertion_failures=$(find "$SYSTESTDIR/" -name named.run -exec grep "assertion failure" {} + | wc -l)
if [ "$assertion_failures" -ne 0 ]; then
status=1
echoinfo "I:$systest:$assertion_failures assertion failure(s) found"
status=1
echoinfo "I:$systest:$assertion_failures assertion failure(s) found"
fi
tsan_failures=$(find "$SYSTESTDIR/" -name 'tsan.*' | wc -l)
if [ "$tsan_failures" -ne 0 ]; then
status=1
echoinfo "I:$systest:$tsan_failures TSAN sanitizer report(s) found"
find "$SYSTESTDIR/" -name 'tsan.*' -exec grep "SUMMARY: " {} + | sort -u | cat_d
status=1
echoinfo "I:$systest:$tsan_failures TSAN sanitizer report(s) found"
find "$SYSTESTDIR/" -name 'tsan.*' -exec grep "SUMMARY: " {} + | sort -u | cat_d
fi
exit $status


@ -15,7 +15,7 @@
# individual system subtests, so every test is given a unique port range.
get_sorted_test_names() {
find . -maxdepth 2 -mindepth 2 -type f \( -name "tests.sh" -o -name "tests*.py" \) | cut -d/ -f2 | sort -u
find . -maxdepth 2 -mindepth 2 -type f \( -name "tests.sh" -o -name "tests*.py" \) | cut -d/ -f2 | sort -u
}
total_tests=$(get_sorted_test_names | wc -l)
@ -27,30 +27,33 @@ port_max=$((32767 - (total_tests * ports_per_test)))
baseport=0
test_index=0
while getopts "p:t:-:" OPT; do
if [ "$OPT" = "-" ] && [ -n "$OPTARG" ]; then
OPT="${OPTARG%%=*}"
OPTARG="${OPTARG#$OPT}"
OPTARG="${OPTARG#=}"
fi
if [ "$OPT" = "-" ] && [ -n "$OPTARG" ]; then
OPT="${OPTARG%%=*}"
OPTARG="${OPTARG#$OPT}"
OPTARG="${OPTARG#=}"
fi
# shellcheck disable=SC2214
case "$OPT" in
p | port) baseport=$OPTARG ;;
t | test)
test_index=$(get_sorted_test_names | awk "/^${OPTARG}\$/ { print NR }")
if [ -z "${test_index}" ]; then
echo "Test '${OPTARG}' not found" >&2
exit 1
fi
;;
-) break ;;
*) echo "invalid option" >&2; exit 1 ;;
esac
# shellcheck disable=SC2214
case "$OPT" in
p | port) baseport=$OPTARG ;;
t | test)
test_index=$(get_sorted_test_names | awk "/^${OPTARG}\$/ { print NR }")
if [ -z "${test_index}" ]; then
echo "Test '${OPTARG}' not found" >&2
exit 1
fi
;;
-) break ;;
*)
echo "invalid option" >&2
exit 1
;;
esac
done
port_pool_size=$((port_max - port_min))
if [ "${baseport}" -eq 0 ]; then
baseport="$((($(date +%s) / 3600 % port_pool_size) + port_min + (test_index * ports_per_test)))"
baseport="$((($(date +%s) / 3600 % port_pool_size) + port_min + (test_index * ports_per_test)))"
fi
echo "export PORT=$((baseport))"


@ -22,6 +22,6 @@ zonefile=tc-test-signed.db
# the test will be around 512 bytes in size with glue records excluded. Please
# keep this in mind when updating signing algorithms used in system tests.
keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
$SIGNER -P -o $zone $zonefile > /dev/null
$SIGNER -P -o $zone $zonefile >/dev/null


@ -15,4 +15,4 @@
copy_setports ns1/named.conf.in ns1/named.conf
( cd ns1 && $SHELL sign.sh )
(cd ns1 && $SHELL sign.sh)


@ -16,75 +16,75 @@ set -e
. ../conf.sh
dig_with_opts() {
"$DIG" +norec -p "${PORT}" "$@"
"$DIG" +norec -p "${PORT}" "$@"
}
status=0
n=0
n=$((n+1))
n=$((n + 1))
echo_i "testing that a ccTLD referral gets a full glue set from the root zone ($n)"
ret=0
dig_with_opts @10.53.0.1 foo.bar.fi. A > dig.out.$n || ret=1
dig_with_opts @10.53.0.1 foo.bar.fi. A >dig.out.$n || ret=1
digcomp --lc fi.good dig.out.$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "testing that we don't find out-of-zone glue ($n)"
ret=0
dig_with_opts @10.53.0.1 example.net. A > dig.out.$n || ret=1
dig_with_opts @10.53.0.1 example.net. A >dig.out.$n || ret=1
digcomp noglue.good dig.out.$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "testing truncation for unsigned referrals close to UDP packet size limit (A glue) ($n)"
ret=0
dig_with_opts @10.53.0.1 +ignore +noedns foo.subdomain-a.tc-test-unsigned. > dig.out.$n || ret=1
dig_with_opts @10.53.0.1 +ignore +noedns foo.subdomain-a.tc-test-unsigned. >dig.out.$n || ret=1
grep -q "flags:[^;]* tc" dig.out.$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "testing truncation for unsigned referrals close to UDP packet size limit (AAAA glue) ($n)"
ret=0
dig_with_opts @10.53.0.1 +ignore +noedns foo.subdomain-aaaa.tc-test-unsigned. > dig.out.$n || ret=1
dig_with_opts @10.53.0.1 +ignore +noedns foo.subdomain-aaaa.tc-test-unsigned. >dig.out.$n || ret=1
grep -q "flags:[^;]* tc" dig.out.$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "testing truncation for unsigned referrals close to UDP packet size limit (A+AAAA glue) ($n)"
ret=0
dig_with_opts @10.53.0.1 +ignore +noedns foo.subdomain-both.tc-test-unsigned. > dig.out.$n || ret=1
dig_with_opts @10.53.0.1 +ignore +noedns foo.subdomain-both.tc-test-unsigned. >dig.out.$n || ret=1
grep -q "flags:[^;]* tc" dig.out.$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "testing truncation for signed referrals close to UDP packet size limit (A glue) ($n)"
ret=0
dig_with_opts @10.53.0.1 +ignore +dnssec +bufsize=512 foo.subdomain-a.tc-test-signed. > dig.out.$n || ret=1
dig_with_opts @10.53.0.1 +ignore +dnssec +bufsize=512 foo.subdomain-a.tc-test-signed. >dig.out.$n || ret=1
grep -q "flags:[^;]* tc" dig.out.$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "testing truncation for signed referrals close to UDP packet size limit (AAAA glue) ($n)"
ret=0
dig_with_opts @10.53.0.1 +ignore +dnssec +bufsize=512 foo.subdomain-aaaa.tc-test-signed. > dig.out.$n || ret=1
dig_with_opts @10.53.0.1 +ignore +dnssec +bufsize=512 foo.subdomain-aaaa.tc-test-signed. >dig.out.$n || ret=1
grep -q "flags:[^;]* tc" dig.out.$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "testing truncation for signed referrals close to UDP packet size limit (A+AAAA glue) ($n)"
ret=0
dig_with_opts @10.53.0.1 +ignore +dnssec +bufsize=512 foo.subdomain-both.tc-test-signed. > dig.out.$n || ret=1
dig_with_opts @10.53.0.1 +ignore +dnssec +bufsize=512 foo.subdomain-both.tc-test-signed. >dig.out.$n || ret=1
grep -q "flags:[^;]* tc" dig.out.$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
