From b1eab3ca7ea0a16ceaf23b7c0b18d6d00d89f66a Mon Sep 17 00:00:00 2001 From: Tom Krizek Date: Fri, 5 Jan 2024 15:04:48 +0100 Subject: [PATCH] Handle dig timing out gracefully in autosign (cherry picked from commit 445ec7cc0fe42bcdd09f054484cfe4661636086e) --- bin/tests/system/autosign/tests.sh | 42 +++++++++++++++--------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh index 5789fe7352..1ca266f33d 100755 --- a/bin/tests/system/autosign/tests.sh +++ b/bin/tests/system/autosign/tests.sh @@ -205,7 +205,7 @@ echo_ic "resigned after the active KSK is deleted - stage 1: Verify that DNSKEY" echo_ic "is initially signed with a KSK and not a ZSK. ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example >dig.out.ns3.test$n +$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example >dig.out.ns3.test$n || ret=1 zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n \ | $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}') @@ -242,7 +242,7 @@ echo_i "check that zone with active and inactive ZSK and active KSK is properly" echo_ic "resigned after the active ZSK is deleted - stage 1: Verify that zone" echo_ic "is initially signed with a ZSK and not a KSK. ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example >dig.out.ns3.test$n +$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example >dig.out.ns3.test$n || ret=1 kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n \ | $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}') grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 " dig.out.ns3.test$n >/dev/null || ret=1 
@@ -437,7 +437,7 @@ echo_i "dumping zone files" now="$(TZ=UTC date +%Y%m%d%H%M%S)" check_expiry() ( - $DIG $DIGOPTS AXFR oldsigs.example @10.53.0.3 >dig.out.test$n + $DIG $DIGOPTS AXFR oldsigs.example @10.53.0.3 >dig.out.test$n || return 1 nearest_expiration="$(awk '$4 == "RRSIG" { print $9 }' dig.out.ns3.cdstest$n -$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey >dig.out.ns3.cdnskeytest$n +$DIG $DIGOPTS @10.53.0.3 sync.example cds >dig.out.ns3.cdstest$n || ret=1 +$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey >dig.out.ns3.cdnskeytest$n || ret=1 grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n >/dev/null || ret=1 grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n >/dev/null || ret=1 n=$((n + 1)) @@ -1435,9 +1435,9 @@ status=$((status + ret)) echo_i "test 'dnssec-dnskey-kskonly no' affects DNSKEY/CDS/CDNSKEY ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 sync.example dnskey >dig.out.ns3.dnskeytest$n -$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey >dig.out.ns3.cdnskeytest$n -$DIG $DIGOPTS @10.53.0.3 sync.example cds >dig.out.ns3.cdstest$n +$DIG $DIGOPTS @10.53.0.3 sync.example dnskey >dig.out.ns3.dnskeytest$n || ret=1 +$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey >dig.out.ns3.cdnskeytest$n || ret=1 +$DIG $DIGOPTS @10.53.0.3 sync.example cds >dig.out.ns3.cdstest$n || ret=1 lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l) test ${lines:-0} -eq 2 || ret=1 lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l) 
@@ -1450,9 +1450,9 @@ status=$((status + ret)) echo_i "test 'dnssec-dnskey-kskonly yes' affects DNSKEY/CDS/CDNSKEY ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 kskonly.example dnskey >dig.out.ns3.dnskeytest$n -$DIG $DIGOPTS @10.53.0.3 kskonly.example cdnskey >dig.out.ns3.cdnskeytest$n -$DIG $DIGOPTS @10.53.0.3 kskonly.example cds >dig.out.ns3.cdstest$n +$DIG $DIGOPTS @10.53.0.3 kskonly.example dnskey >dig.out.ns3.dnskeytest$n || ret=1 +$DIG $DIGOPTS @10.53.0.3 kskonly.example cdnskey >dig.out.ns3.cdnskeytest$n || ret=1 +$DIG $DIGOPTS @10.53.0.3 kskonly.example cds >dig.out.ns3.cdstest$n || ret=1 lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l) test ${lines:-0} -eq 1 || ret=1 lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l) @@ -1498,7 +1498,7 @@ status=$((status + ret)) echo_i "check that zone with inactive KSK and active ZSK is properly autosigned ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example >dig.out.ns3.test$n +$DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example >dig.out.ns3.test$n || ret=1 zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n \ | $DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}') @@ -1516,7 +1516,7 @@ status=$((status + ret)) echo_i "check that zone with inactive ZSK and active KSK is properly autosigned ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example >dig.out.ns3.test$n +$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example >dig.out.ns3.test$n || ret=1 grep "SOA ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -1530,7 +1530,7 @@ echo_ic "resigned after the active KSK is deleted - stage 2: Verify that DNSKEY" echo_ic "is now signed with the ZSK. ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example >dig.out.ns3.test$n +$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example >dig.out.ns3.test$n || ret=1 zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n \ | $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}') @@ -1558,7 +1558,7 @@ echo_i "check that zone with active and inactive ZSK and active KSK is properly" echo_ic "resigned after the active ZSK is deleted - stage 2: Verify that zone" echo_ic "is now signed with the KSK. ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example >dig.out.ns3.test$n +$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example >dig.out.ns3.test$n || ret=1 kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n \ | $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}') grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n >/dev/null || ret=1 @@ -1762,7 +1762,7 @@ ret=0 zone=optout-with-ent hash=JTR8R6AVFULU0DQH9I6HNN2KUK5956EL # check that NSEC3 for ENT is present -$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.pre.ns2.test$n +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.pre.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.pre.ns2.test$n >/dev/null || ret=1 grep "ANSWER: 0, AUTHORITY: 4, " dig.out.pre.ns2.test$n >/dev/null || ret=1 grep "^${hash}.${zone}." dig.out.pre.ns2.test$n >/dev/null || ret=1 
@@ -1774,8 +1774,8 @@ grep "^${hash}.${zone}." dig.out.pre.ns2.test$n >/dev/null || ret=1 echo send ) | $NSUPDATE # check that NSEC3 for ENT is still present -$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.pre.ns2.test$n -$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.mid.ns2.test$n +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.pre.ns2.test$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.mid.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.mid.ns2.test$n >/dev/null || ret=1 grep "ANSWER: 0, AUTHORITY: 4, " dig.out.mid.ns2.test$n >/dev/null || ret=1 grep "^${hash}.${zone}." dig.out.mid.ns2.test$n >/dev/null || ret=1 @@ -1787,11 +1787,11 @@ grep "^${hash}.${zone}." dig.out.mid.ns2.test$n >/dev/null || ret=1 echo send ) | $NSUPDATE # check that NSEC3 for ENT is gone present -$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.post.ns2.test$n +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.post.ns2.test$n || ret=1 grep "status: NXDOMAIN" dig.out.post.ns2.test$n >/dev/null || ret=1 grep "ANSWER: 0, AUTHORITY: 4, " dig.out.post.ns2.test$n >/dev/null || ret=1 grep "^${hash}.${zone}." dig.out.post.ns2.test$n >/dev/null && ret=1 -$DIG $DIGOPTS @10.53.0.2 axfr "${zone}" >dig.out.axfr.ns2.test$n +$DIG $DIGOPTS @10.53.0.2 axfr "${zone}" >dig.out.axfr.ns2.test$n || ret=1 grep "^${hash}.${zone}." dig.out.axfr.ns2.test$n >/dev/null && ret=1 n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
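Review bot: In the "still present" step (hunk at -1774), the first of the two queries writes to `dig.out.pre.ns2.test$n`, which overwrites the pre-update capture, and nothing in the visible hunks reads that file afterwards. Only `dig.out.mid.ns2.test$n` is grepped. With `|| ret=1` attached, this redundant query becomes a second place where a timeout fails the test, and it destroys the artifact needed to debug the pre-update state. I would drop the `pre` line here and keep only `$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.mid.ns2.test$n || ret=1`. The nsupdate subshell before it starts outside the hunk.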
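Review bot: The AXFR output at the end of the -1787 hunk is checked only by a negative assertion, `grep "^${hash}.${zone}." dig.out.axfr.ns2.test$n >/dev/null && ret=1`, so an empty or truncated transfer still satisfies it. The added `|| ret=1` covers dig exiting non-zero, but if dig can exit 0 on a refused or incomplete transfer (not confirmed from this hunk), the NSEC3-absence check passes vacuously. A positive anchor before the negative grep would close that gap, for example `grep "^${zone}\..*SOA" dig.out.axfr.ns2.test$n >/dev/null || ret=1`. The exact pattern should be checked against the dig output format used by this suite.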