From 8015e95b779505f4edd36cc47355c03f8edafc0d Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 1 Apr 2019 18:46:41 +1100
Subject: [PATCH 1/3] Check delv TTLs.

(cherry picked from commit 146202d6a8ef4f27b99554aaf54530227b2cde9a)
---
 bin/tests/system/digdelv/tests.sh | 37 ++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)

diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
index 24aa7b3736..6357f1e283 100644
--- a/bin/tests/system/digdelv/tests.sh
+++ b/bin/tests/system/digdelv/tests.sh
@@ -15,7 +15,30 @@ n=0
 DIGOPTS="-p ${PORT}"
 SENDCMD="$PERL $SYSTEMTESTTOP/send.pl 10.53.0.4 ${EXTRAPORT1}"
-if [ -x ${DIG} ] ; then
+# Check if response in file $1 has the correct TTL range.
+# The response record must have RRtype $2 and class IN (CLASS1).
+# Maximum TTL is given by $3. This works in most cases where TTL is
+# the second word on the line. TTL position can be adjusted with
+# setting the position $4, but that requires updating this function.
+check_ttl_range() {
+ file=$1
+ pos=$4
+
+ case "$pos" in
+ "3")
+ awk -v rrtype="$2" -v ttl="$3" '($4 == "IN" || $4 == "CLASS1" ) && $5 == rrtype { if ($3 <= ttl) { ok=1 } } END { exit(ok?0:1) }' < $file
+ ;;
+ *)
+ awk -v rrtype="$2" -v ttl="$3" '($3 == "IN" || $3 == "CLASS1" ) && $4 == rrtype { if ($2 <= ttl) { ok=1 } } END { exit(ok?0:1) }' < $file
+ ;;
+ esac
+
+ result=$?
+ [ $result -eq 0 ] || echo_i "ttl check failed"
+ return $result
+}
+
+if [ -x "$DIG" ] ; then
 n=`expr $n + 1`
 echo_i "checking dig short form works ($n)"
 ret=0
@@ -488,6 +511,7 @@ if [ -x ${DELV} ] ; then
 ret=0
 $DELV $DELVOPTS @10.53.0.3 +split=4 -t sshfp foo.example > delv.out.test$n || ret=1
 grep " 9ABC DEF6 7890 " < delv.out.test$n > /dev/null || ret=1
+ check_ttl_range delv.out.test$n "SSHFP" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
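Review bot: `check_ttl_range` sets `ok=1` as soon as one matching record is within the limit and never records a violation, so a response that contains both an in-range and an over-limit record of the requested type still passes, and because there is no lower bound a TTL of 0 also counts as "in range". Tracking violations separately would make the check match its header comment: in the default arm, `'($3 == "IN" || $3 == "CLASS1" ) && $4 == rrtype { if ($2 <= ttl) { ok=1 } else { bad=1 } } END { exit((ok && !bad)?0:1) }'`, and the same edit in the `"3")` arm. The `< $file` redirection should be `< "$file"`, in line with the `"$DIG"` quoting fix made in the same hunk. `file`, `pos` and `result` remain set in the caller's shell after the call; that fits the script's POSIX-sh style, but a comment such as `# file/pos/result are globals (no local in POSIX sh)` would stop someone reusing those names.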
@@ -496,6 +520,7 @@ if [ -x ${DELV} ] ; then
 ret=0
 $DELV $DELVOPTS @10.53.0.3 +unknownformat a a.example > delv.out.test$n || ret=1
 grep "CLASS1[ ][ ]*TYPE1[ ][ ]*\\\\# 4 0A000001" < delv.out.test$n > /dev/null || ret=1
+ check_ttl_range delv.out.test$n "TYPE1" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -549,6 +574,7 @@ if [ -x ${DELV} ] ; then
 $DELV $DELVOPTS @10.53.0.3 -x 127.0.0.1 > delv.out.test$n 2>&1 || ret=1
 # doesn't matter if has answer
 grep -i "127\.in-addr\.arpa\." < delv.out.test$n > /dev/null || ret=1
+ check_ttl_range delv.out.test$n '\\-ANY' 10800 3 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -557,6 +583,7 @@ if [ -x ${DELV} ] ; then
 ret=0
 $DELV $DELVOPTS +tcp @10.53.0.3 a a.example > delv.out.test$n || ret=1
 grep "10\.0\.0\.1$" < delv.out.test$n > /dev/null || ret=1
+ check_ttl_range delv.out.test$n "A" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -565,6 +592,7 @@ if [ -x ${DELV} ] ; then
 ret=0
 $DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
 grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null && ret=1
+ check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -573,6 +601,7 @@ if [ -x ${DELV} ] ; then
 ret=0
 $DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > delv.out.test$n || ret=1
 grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null && ret=1
+ check_ttl_range delv.out.test$n "SOA" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
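Review bot: The `'\\-ANY'` rrtype argument in the `-x 127.0.0.1` hunk (and again in the last hunk of the next line) relies on awk processing escape sequences in `-v` assignments, so the two backslashes in the single-quoted string reach the awk program as one and the comparison is against the literal `\-ANY`; that is easy to break the next time the quoting is touched. A comment on the call would save the reader the round trip, e.g. `# '\\-ANY' reaches awk -v as \-ANY after escape processing; presumably the pseudo-type delv prints here - confirm`. The limit is 10800 here but 300 for the same pseudo-type in that later hunk; if both values are intentional, a comment naming their source (presumably the negative-caching TTL versus a record TTL) would help. The enclosing `if [ -x ${DELV} ]` block starts and ends outside the hunk.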
@@ -581,6 +610,7 @@ if [ -x ${DELV} ] ; then
 ret=0
 $DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
 grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null || ret=1
+ check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -627,6 +657,7 @@ if [ -x ${DELV} ] ; then
 ret=0
 $DELV $DELVOPTS @10.53.0.3 +sp=4 -t sshfp foo.example > delv.out.test$n || ret=1
 grep " 9ABC DEF6 7890 " < delv.out.test$n > /dev/null || ret=1
+ check_ttl_range delv.out.test$n "SSHFP" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -643,6 +674,7 @@ if [ -x ${DELV} ] ; then
 ret=0
 $DELV $DELVOPTS @10.53.0.3 -c IN -t a a.example > delv.out.test$n || ret=1
 grep "a.example." < delv.out.test$n > /dev/null || ret=1
+ check_ttl_range delv.out.test$n "A" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -651,6 +683,7 @@ if [ -x ${DELV} ] ; then
 ret=0
 $DELV $DELVOPTS @10.53.0.3 -c CH -t a a.example > delv.out.test$n || ret=1
 grep "a.example." < delv.out.test$n > /dev/null || ret=1
+ check_ttl_range delv.out.test$n "A" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -659,6 +692,7 @@ if [ -x ${DELV} ] ; then
 ret=0
 $DELV $DELVOPTS @10.53.0.3 -c CH -t a a.example > delv.out.test$n || ret=1
 grep "a.example." < delv.out.test$n > /dev/null || ret=1
+ check_ttl_range delv.out.test$n "A" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -669,6 +703,7 @@ if [ -x ${DELV} ] ; then
 grep '^; -m\..*[0-9]*.*IN.*ANY.*;' delv.out.test$n > /dev/null || ret=1
 grep "^add " delv.out.test$n > /dev/null && ret=1
 grep "^del " delv.out.test$n > /dev/null && ret=1
+ check_ttl_range delv.out.test$n '\\-ANY' 300 3 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 else
From c272e6799f279e5bae494cb039eab2ed66691e07 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Fri, 5 Apr 2019 15:31:10 +0200
Subject: [PATCH 2/3] Check dig TTLs.

(cherry picked from commit 195277ca6df93be3c4d6721071011b9581e6f527)
---
 bin/tests/system/digdelv/tests.sh | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
index 6357f1e283..18970c82bf 100644
--- a/bin/tests/system/digdelv/tests.sh
+++ b/bin/tests/system/digdelv/tests.sh
@@ -52,6 +52,7 @@ if [ -x "$DIG" ] ; then
 ret=0
 $DIG $DIGOPTS @10.53.0.3 +split=4 -t sshfp foo.example > dig.out.test$n || ret=1
 grep " 9ABC DEF6 7890 " < dig.out.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "SSHFP" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -60,6 +61,7 @@ if [ -x "$DIG" ] ; then
 ret=0
 $DIG $DIGOPTS @10.53.0.3 +unknownformat a a.example > dig.out.test$n || ret=1
 grep "CLASS1[ ][ ]*TYPE1[ ][ ]*\\\\# 4 0A000001" < dig.out.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "TYPE1" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -68,7 +70,8 @@ if [ -x "$DIG" ] ; then
 ret=0
 $DIG $DIGOPTS @10.53.0.3 -x 127.0.0.1 > dig.out.test$n 2>&1 || ret=1
 # doesn't matter if has answer
- grep -i "127\.in-addr\.arpa\." < dig.out.test$n > /dev/null || ret=1
+ grep -i "127\\.in-addr\\.arpa\\." < dig.out.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "SOA" 86400 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
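Review bot: In the `-x 127.0.0.1` hunk the new `check_ttl_range dig.out.test$n "SOA" 86400` line makes the test fail unless an IN SOA record with TTL at most 86400 appears in the output, while the context comment just above it still says `# doesn't matter if has answer`; the comment and the check now disagree. The comment should say what is actually required, e.g. `# the answer section may be empty, but an SOA (presumably from the authority section) must be present with TTL <= 86400`. The delv version of the same query in the first patch uses a limit of 10800; if the two limits are both intentional, a word on why they differ would help. The enclosing `if [ -x "$DIG" ]` block starts and ends outside the hunk.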
@@ -76,7 +79,8 @@ if [ -x "$DIG" ] ; then
 echo_i "checking dig over TCP works ($n)"
 ret=0
 $DIG $DIGOPTS +tcp @10.53.0.3 a a.example > dig.out.test$n || ret=1
- grep "10\.0\.0\.1$" < dig.out.test$n > /dev/null || ret=1
+ grep "10\\.0\\.0\\.1$" < dig.out.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "A" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -85,6 +89,7 @@ if [ -x "$DIG" ] ; then
 ret=0
 $DIG $DIGOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
 grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null && ret=1
+ check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -93,6 +98,7 @@ if [ -x "$DIG" ] ; then
 ret=0
 $DIG $DIGOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > dig.out.test$n || ret=1
 grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null && ret=1
+ check_ttl_range dig.out.test$n "SOA" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -101,6 +107,7 @@ if [ -x "$DIG" ] ; then
 ret=0
 $DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
 grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -133,6 +140,7 @@ if [ -x "$DIG" ] ; then
 ret=0
 $DIG $DIGOPTS +tcp @10.53.0.3 +noheader-only A example > dig.out.test$n || ret=1
 grep "Got answer:" < dig.out.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "SOA" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
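Review bot: The `+noheader-only A example` hunk queries type A but checks `"SOA" 300`, as does the `+zflag +qr A example` hunk on the next line; presumably the zone apex has no A record and the SOA being checked comes from the authority section of a NODATA response, but nothing in either test says so, and a reader comparing these with the other `"A" 300` calls will stop here. A comment on the first of the two calls, e.g. `# A example is NODATA here; the TTL check runs against the authority SOA - confirm`, would make the expected output explicit. The enclosing `if [ -x "$DIG" ]` block starts and ends outside the hunk.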
@@ -167,6 +175,7 @@ if [ -x "$DIG" ] ; then
 $DIG $DIGOPTS +tcp @10.53.0.3 +zflag +qr A example > dig.out.test$n || ret=1
 sed -n '/Sending:/,/Got answer:/p' dig.out.test$n | grep "^;; flags: rd ad; MBZ: 0x4;" > /dev/null || ret=1
 sed -n '/Got answer:/,/AUTHORITY SECTION:/p' dig.out.test$n | grep "^;; flags: qr rd ra; QUERY: 1" > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "SOA" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -179,6 +188,7 @@ if [ -x "$DIG" ] ; then
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
+ n=`expr $n + 1`
 echo_i "checking dig +ttlunits works ($n)"
 ret=0
 $DIG $DIGOPTS +tcp @10.53.0.2 +ttlunits A weeks.example > dig.out.test$n || ret=1
@@ -286,6 +296,7 @@ if [ -x "$DIG" ] ; then
 ret=0
 $DIG $DIGOPTS +tcp @10.53.0.2 +subnet=127.0.0.1 A a.example > dig.out.test$n 2>&1 || ret=1
 grep "CLIENT-SUBNET: 127.0.0.1/32/0" < dig.out.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "A" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -294,6 +305,7 @@ if [ -x "$DIG" ] ; then
 ret=0
 $DIG $DIGOPTS +tcp @10.53.0.2 +subnet=127.0.0.0 +subnet=127.0.0.1 A a.example > dig.out.test$n 2>&1 || ret=1
 grep "CLIENT-SUBNET: 127.0.0.1/32/0" < dig.out.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "A" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -319,6 +331,7 @@ if [ -x "$DIG" ] ; then
 esac
 grep "FORMERR" < dig.out.$i.test$n > /dev/null && ret=1
 grep "CLIENT-SUBNET: $addr/$i/0" < dig.out.$i.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.$i.test$n "A" 300 || ret=1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
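Review bot: The `+ttlunits` hunk adds `n=`expr $n + 1`` in front of `echo_i "checking dig +ttlunits works ($n)"`, which from the surrounding context appears to give that test its own number where it previously reused the preceding test's `$n` for its output file and "failed" message; that is a test-numbering fix unrelated to TTL checking and the commit message does not mention it. A sentence in the commit description, or a separate commit, would keep the history honest about what this patch changes. The enclosing `if [ -x "$DIG" ]` block starts and ends outside the hunk.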
@@ -330,6 +343,7 @@ if [ -x "$DIG" ] ; then
 grep "status: NOERROR" < dig.out.test$n > /dev/null || ret=1
 grep "CLIENT-SUBNET: 0.0.0.0/0/0" < dig.out.test$n > /dev/null || ret=1
 grep "10.0.0.1" < dig.out.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "A" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -340,6 +354,7 @@ if [ -x "$DIG" ] ; then
 grep "status: NOERROR" < dig.out.test$n > /dev/null || ret=1
 grep "CLIENT-SUBNET: 0.0.0.0/0/0" < dig.out.test$n > /dev/null || ret=1
 grep "10.0.0.1" < dig.out.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "A" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -350,6 +365,7 @@ if [ -x "$DIG" ] ; then
 grep "status: NOERROR" < dig.out.test$n > /dev/null || ret=1
 grep "CLIENT-SUBNET: ::/0/0" < dig.out.test$n > /dev/null || ret=1
 grep "10.0.0.1" < dig.out.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "A" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -360,6 +376,7 @@ if [ -x "$DIG" ] ; then
 grep "status: NOERROR" < dig.out.test$n > /dev/null || ret=1
 grep "CLIENT-SUBNET: 0/0/0" < dig.out.test$n > /dev/null || ret=1
 grep "10.0.0.1" < dig.out.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "A" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -381,6 +398,7 @@ ret=0
 $DIG $DIGOPTS +tcp @10.53.0.2 +subnet=10.53/$p A a.example > dig.out.test.$p.$n 2>&1 || ret=1
 grep "FORMERR" < dig.out.test.$p.$n > /dev/null && ret=1
 grep "CLIENT-SUBNET.*/$p/0" < dig.out.test.$p.$n > /dev/null || ret=1
+ check_ttl_range dig.out.test.$p.$n "A" 300 || ret=1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -390,6 +408,7 @@ ret=0
 ret=0
 $DIG $DIGOPTS @10.53.0.3 +sp=4 -t sshfp foo.example > dig.out.test$n || ret=1
 grep " 9ABC DEF6 7890 " < dig.out.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "SSHFP" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -417,6 +436,7 @@ ret=0
 ret=0
 $DIG $DIGOPTS @10.53.0.3 +ednsopt=3 a.example > dig.out.test$n 2>&1 || ret=1
 grep 'NSID: .* ("ns3")' dig.out.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "A" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -425,6 +445,7 @@ ret=0
 ret=0
 $DIG $DIGOPTS @10.53.0.3 +ednsopt=nsid a.example > dig.out.test$n 2>&1 || ret=1
 grep 'NSID: .* ("ns3")' dig.out.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "A" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -449,6 +470,7 @@ ret=0
 $DIG $DIGOPTS @10.53.0.3 +ednsopt=key-tag:00010002 a.example +qr > dig.out.test$n 2>&1 || ret=1
 grep "; KEY-TAG: 1, 2$" dig.out.test$n > /dev/null || ret=1
 grep "status: FORMERR" dig.out.test$n > /dev/null && ret=1
+ check_ttl_range dig.out.test$n "A" 300 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

From d5da331093d49dc288212c2c67baa961985f152c Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 10 Apr 2019 14:47:48 +1000
Subject: [PATCH 3/3] add CHANGES

(cherry picked from commit dfc485b02e17002d25548dec422cf6da82fb9a3a)
---
 CHANGES | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGES b/CHANGES
index df07b3c80a..4ed4aafdeb 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+5207. [test] Check delv and dig TTL values. [GL #965]
+
 5205. [bug] Enforce that a DS hash exists. [GL #899]
 5204. [test] Check that dns_rdata_fromtext() produces a record that