Merge branch 'tkrizek/shfmt-9.18' into 'bind-9.18'

[9.18] Enforce shell script codestyle with shfmt

See merge request isc-projects/bind9!8429
This commit is contained in:
Tom Krizek 2023-10-26 11:59:05 +00:00
commit bf330dc3cc
284 changed files with 24498 additions and 23569 deletions

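--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,5 @@
+[*.sh{,.in}]
+indent_style = space
+indent_size = 2
+binary_next_line = true
+switch_case_indent = true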
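Review bot: The four keys in this new file duplicate the flags the CI job passes explicitly (`-i 2 -ci -bn`), and shfmt documents that it ignores EditorConfig entirely once any formatting flag is given on the command line, so only the CI flags actually gate merges; this file serves editors and manual `shfmt` runs. A one-line comment would keep the two from drifting apart silently: `# Mirrors the shfmt flags used by the .gitlab-ci.yml shfmt job (-i 2 -ci -bn); keep both in sync.`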


@ -16,3 +16,5 @@
e577b1eca70856b816ffa36199f14078e4b76b58
# subshell notation in system tests
59e5fa42179366049fb31265532d504208f0329f
# reformat shell scripts with shfmt
b8b9b4ac2c0ae88de85f4d83982edb97694959d7


@ -612,6 +612,19 @@ reuse:
script:
- reuse lint
shfmt:
<<: *precheck_job
needs: []
script:
- shfmt -w -i 2 -ci -bn . $(find . -name "*.sh.in")
- git diff > shfmt.patch
- if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
artifacts:
paths:
- shfmt.patch
expire_in: "1 week"
when: on_failure
danger:
<<: *precheck_job
needs: []
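Review bot: The `$(find . -name "*.sh.in")` on the new `shfmt -w` line is unquoted, so any `.sh.in` path containing whitespace would be word-split into separate arguments and silently skipped or misread; feeding the list NUL-delimited avoids that: `find . -name '*.sh.in' -print0 | xargs -0 shfmt -w -i 2 -ci -bn .`. The pass/fail test on the following line counts `git status --porcelain` lines through `grep -Ev` and `wc -l`; `git diff --quiet` (or `git diff --exit-code >shfmt.patch`) states the same "tree is clean after formatting" condition directly and drops the pipeline. The shfmt binary comes from the `precheck_job` image, which is outside this hunk; presumably its version is pinned there, since formatter output changes between releases and an unpinned image would make this gate flap.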


@ -147,6 +147,7 @@ Files: **/.clang-format
.clang-format
.clang-format.headers
.dir-locals.el
.editorconfig
.git-blame-ignore-revs
.gitattributes
.gitignore


@ -11,20 +11,20 @@
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
usage () {
echo "Usage: $0 [-s] <number of zones> [<records per zone>]"
echo " -s: use the same zone file all zones"
exit 1
usage() {
echo "Usage: $0 [-s] <number of zones> [<records per zone>]"
echo " -s: use the same zone file all zones"
exit 1
}
if [ "$#" -lt 1 -o "$#" -gt 3 ]; then
usage
usage
fi
single_file=""
if [ $1 = "-s" ]; then
single_file=yes
shift
single_file=yes
shift
fi
nzones=$1
@ -35,9 +35,9 @@ nrecords=5
. ../system/conf.sh
cat << EOF
cat <<EOF
options {
directory "`pwd`";
directory "$(pwd)";
listen-on { localhost; };
listen-on-v6 { localhost; };
port 5300;
@ -58,7 +58,7 @@ controls {
logging {
channel basic {
file "`pwd`/named.log" versions 3 size 100m;
file "$(pwd)/named.log" versions 3 size 100m;
severity info;
print-time yes;
print-severity no;
@ -72,11 +72,11 @@ logging {
EOF
$PERL makenames.pl $nzones | while read zonename; do
if [ $single_file ]; then
echo "zone $zonename { type primary; file \"smallzone.db\"; };"
else
[ -d zones ] || mkdir zones
$PERL mkzonefile.pl $zonename $nrecords > zones/$zonename.db
echo "zone $zonename { type primary; file \"zones/$zonename.db\"; };"
fi
if [ $single_file ]; then
echo "zone $zonename { type primary; file \"smallzone.db\"; };"
else
[ -d zones ] || mkdir zones
$PERL mkzonefile.pl $zonename $nrecords >zones/$zonename.db
echo "zone $zonename { type primary; file \"zones/$zonename.db\"; };"
fi
done
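Review bot: The reformatted `if [ $1 = "-s" ]; then` still expands `$1` unquoted, so an empty or multi-word first argument produces a `[` syntax error instead of reaching the usage text; `if [ "$1" = "-s" ]; then` is the minimal fix, and the same quoting applies to `$zonename` in the `mkzonefile.pl ... >zones/$zonename.db` redirect. The `while read zonename` loop also reads without `-r`, harmless for names produced by makenames.pl but the first thing ShellCheck will flag once the corpus is linted alongside shfmt. This is a test-harness generator fed trusted input, so it is hygiene rather than an exploitable issue; the script's remaining top-level code runs outside the hunk.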


@ -25,15 +25,20 @@ echo_i "testing basic ACL processing"
# key "one" should fail
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
# any other key should be fine
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 && {
echo_i "test $t failed"
status=1
}
copy_setports ns2/named2.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
@ -42,19 +47,28 @@ sleep 5
# prefix 10/8 should fail
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
# any other address should work, as long as it sends key "one"
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 && {
echo_i "test $t failed"
status=1
}
echo_i "testing nested ACL processing"
# all combinations of 10.53.0.{1|2} with key {one|two}, should succeed
@ -65,43 +79,64 @@ sleep 5
# should succeed
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 && {
echo_i "test $t failed"
status=1
}
# should succeed
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 && {
echo_i "test $t failed"
status=1
}
# should succeed
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 && {
echo_i "test $t failed"
status=1
}
# should succeed
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 && {
echo_i "test $t failed"
status=1
}
# but only one or the other should fail
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.2 axfr > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1; }
@10.53.0.2 -b 10.53.0.2 axfr >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $tt failed"
status=1
}
# and other values? right out
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
copy_setports ns2/named4.conf.in ns2/named.conf
@ -111,32 +146,47 @@ sleep 5
# should succeed
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 && {
echo_i "test $t failed"
status=1
}
# should succeed
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 && {
echo_i "test $t failed"
status=1
}
# should fail
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
# should fail
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
# should fail
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
echo_i "testing allow-query-on ACL processing"
copy_setports ns2/named5.conf.in ns2/named.conf
@ -144,27 +194,30 @@ rndc_reload ns2 10.53.0.2
sleep 5
t=$((t + 1))
$DIG -p ${PORT} +tcp soa example. \
@10.53.0.2 -b 10.53.0.3 > dig.out.${t}
grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.3 >dig.out.${t}
grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
echo_i "testing blackhole ACL processing"
t=$((t + 1))
ret=0
$DIG -p ${PORT} +tcp soa example. \
@10.53.0.2 -b 10.53.0.3 > dig.out.1.${t}
grep "status: NOERROR" dig.out.1.${t} > /dev/null 2>&1 || ret=1
@10.53.0.2 -b 10.53.0.3 >dig.out.1.${t}
grep "status: NOERROR" dig.out.1.${t} >/dev/null 2>&1 || ret=1
$DIG -p ${PORT} +tcp soa example. \
@10.53.0.2 -b 10.53.0.8 > dig.out.2.${t} && ret=1
grep "status: NOERROR" dig.out.2.${t} > /dev/null 2>&1 && ret=1
grep "communications error" dig.out.2.${t} > /dev/null 2>&1 || ret=1
@10.53.0.2 -b 10.53.0.8 >dig.out.2.${t} && ret=1
grep "status: NOERROR" dig.out.2.${t} >/dev/null 2>&1 && ret=1
grep "communications error" dig.out.2.${t} >/dev/null 2>&1 || ret=1
$DIG -p ${PORT} soa example. \
@10.53.0.2 -b 10.53.0.3 > dig.out.3.${t}
grep "status: NOERROR" dig.out.3.${t} > /dev/null 2>&1 || ret=1
@10.53.0.2 -b 10.53.0.3 >dig.out.3.${t}
grep "status: NOERROR" dig.out.3.${t} >/dev/null 2>&1 || ret=1
$DIG -p ${PORT} soa example. \
@10.53.0.2 -b 10.53.0.8 > dig.out.4.${t} && ret=1
grep "status: NOERROR" dig.out.4.${t} > /dev/null 2>&1 && ret=1
grep "timed out" dig.out.4.${t} > /dev/null 2>&1 || ret=1
grep ";; no servers could be reached" dig.out.4.${t} > /dev/null 2>&1 || ret=1
@10.53.0.2 -b 10.53.0.8 >dig.out.4.${t} && ret=1
grep "status: NOERROR" dig.out.4.${t} >/dev/null 2>&1 && ret=1
grep "timed out" dig.out.4.${t} >/dev/null 2>&1 || ret=1
grep ";; no servers could be reached" dig.out.4.${t} >/dev/null 2>&1 || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
@ -179,7 +232,7 @@ sleep 1
t=$((t + 1))
ret=0
echo_i "checking AXFR of example.com from ns3 with ACL allow-transfer { none; }; (${t})"
$DIG -p ${PORT} @10.53.0.3 example.com axfr > dig.out.${t} 2>&1
$DIG -p ${PORT} @10.53.0.3 example.com axfr >dig.out.${t} 2>&1
grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
@ -192,7 +245,7 @@ sleep 1
t=$((t + 1))
ret=0
echo_i "re-checking AXFR of example.com from ns3 with ACL allow-transfer { none; }; (${t})"
$DIG -p ${PORT} @10.53.0.3 example.com axfr > dig.out.${t} 2>&1
$DIG -p ${PORT} @10.53.0.3 example.com axfr >dig.out.${t} 2>&1
grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
@ -208,7 +261,7 @@ sleep 1
t=$((t + 1))
ret=0
echo_i "checking AXFR of example.com from ns4 with ACL allow-transfer { none; }; (${t})"
$DIG -p ${PORT} @10.53.0.4 example.com axfr > dig.out.${t} 2>&1
$DIG -p ${PORT} @10.53.0.4 example.com axfr >dig.out.${t} 2>&1
grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
@ -221,7 +274,7 @@ sleep 1
t=$((t + 1))
ret=0
echo_i "re-checking AXFR of example.com from ns4 with ACL allow-transfer { none; }; (${t})"
$DIG -p ${PORT} @10.53.0.4 example.com axfr > dig.out.${t} 2>&1
$DIG -p ${PORT} @10.53.0.4 example.com axfr >dig.out.${t} 2>&1
grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
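Review bot: The failure message in the no-key AXFR check (the reformatted `grep "^;" dig.out.${t} >/dev/null 2>&1 || {` block following `$DIG $DIGOPTS tsigzone. @10.53.0.2 -b 10.53.0.2 axfr >dig.out.${t}`) reads `echo_i "test $tt failed"`; `$tt` is never assigned in this script, so a failure there prints `test  failed` with no test number, unlike every neighbouring block. It should be `echo_i "test $t failed"`. shfmt is purely a formatter so the typo survives this commit unchanged, but it is cheap to fix in the same pass.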


@ -22,229 +22,245 @@ status=0
n=0
dotests() {
n=$((n + 1))
echo_i "test with RT, single zone (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t RT rt.rt.example @10.53.0.1 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with RT, single zone (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t RT rt.rt.example @10.53.0.1 >dig.out.$n || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with RT, two zones (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t RT rt.rt2.example @10.53.0.1 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with RT, two zones (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t RT rt.rt2.example @10.53.0.1 >dig.out.$n || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with NAPTR, single zone (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t NAPTR nap.naptr.example @10.53.0.1 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with NAPTR, single zone (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t NAPTR nap.naptr.example @10.53.0.1 >dig.out.$n || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with NAPTR, two zones (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t NAPTR nap.hang3b.example @10.53.0.1 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with NAPTR, two zones (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t NAPTR nap.hang3b.example @10.53.0.1 >dig.out.$n || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with LP (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t LP nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1
case $minimal in
n=$((n + 1))
echo_i "test with LP (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t LP nid2.nid.example @10.53.0.1 >dig.out.$n || ret=1
case $minimal in
no)
grep -w "NS" dig.out.$n > /dev/null || ret=1
grep -w "L64" dig.out.$n > /dev/null || ret=1
grep -w "L32" dig.out.$n > /dev/null || ret=1
grep -w "NS" dig.out.$n >/dev/null || ret=1
grep -w "L64" dig.out.$n >/dev/null || ret=1
grep -w "L32" dig.out.$n >/dev/null || ret=1
;;
yes)
grep -w "NS" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
grep -w "NS" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
;;
no-auth)
grep -w "NS" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null || ret=1
grep -w "L32" dig.out.$n > /dev/null || ret=1
grep -w "NS" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null || ret=1
grep -w "L32" dig.out.$n >/dev/null || ret=1
;;
no-auth-recursive)
grep -w "NS" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null || ret=1
grep -w "L32" dig.out.$n > /dev/null || ret=1
grep -w "NS" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null || ret=1
grep -w "L32" dig.out.$n >/dev/null || ret=1
;;
esac
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
esac
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with NID (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t NID ns1.nid.example @10.53.0.1 > dig.out.$n || ret=1
if [ $minimal = no ] ; then
# change && to || when we support NID additional processing
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
else
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
fi
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with NID (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t NID ns1.nid.example @10.53.0.1 >dig.out.$n || ret=1
if [ $minimal = no ]; then
# change && to || when we support NID additional processing
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
else
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
fi
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with NID + LP (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t NID nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1
if [ $minimal = no ] ; then
# change && to || when we support NID additional processing
grep -w "LP" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
else
grep -w "LP" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
fi
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with NID + LP (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t NID nid2.nid.example @10.53.0.1 >dig.out.$n || ret=1
if [ $minimal = no ]; then
# change && to || when we support NID additional processing
grep -w "LP" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
else
grep -w "LP" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
fi
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with RT, single zone (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t RT rt.rt.example @10.53.0.1 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with RT, single zone (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t RT rt.rt.example @10.53.0.1 >dig.out.$n || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with RT, two zones (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t RT rt.rt2.example @10.53.0.1 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with RT, two zones (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t RT rt.rt2.example @10.53.0.1 >dig.out.$n || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with NAPTR, single zone (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t NAPTR nap.naptr.example @10.53.0.1 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with NAPTR, single zone (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t NAPTR nap.naptr.example @10.53.0.1 >dig.out.$n || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with NAPTR, two zones (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t NAPTR nap.hang3b.example @10.53.0.1 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with NAPTR, two zones (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t NAPTR nap.hang3b.example @10.53.0.1 >dig.out.$n || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with LP (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t LP nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1
case $minimal in
n=$((n + 1))
echo_i "test with LP (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t LP nid2.nid.example @10.53.0.1 >dig.out.$n || ret=1
case $minimal in
no)
grep -w "NS" dig.out.$n > /dev/null || ret=1
grep -w "L64" dig.out.$n > /dev/null || ret=1
grep -w "L32" dig.out.$n > /dev/null || ret=1
grep -w "NS" dig.out.$n >/dev/null || ret=1
grep -w "L64" dig.out.$n >/dev/null || ret=1
grep -w "L32" dig.out.$n >/dev/null || ret=1
;;
yes)
grep -w "NS" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
grep -w "NS" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
;;
no-auth)
grep -w "NS" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null || ret=1
grep -w "L32" dig.out.$n > /dev/null || ret=1
grep -w "NS" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null || ret=1
grep -w "L32" dig.out.$n >/dev/null || ret=1
;;
no-auth-recursive)
grep -w "NS" dig.out.$n > /dev/null || ret=1
grep -w "L64" dig.out.$n > /dev/null || ret=1
grep -w "L32" dig.out.$n > /dev/null || ret=1
grep -w "NS" dig.out.$n >/dev/null || ret=1
grep -w "L64" dig.out.$n >/dev/null || ret=1
grep -w "L32" dig.out.$n >/dev/null || ret=1
;;
esac
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
esac
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with NID (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t NID ns1.nid.example @10.53.0.1 > dig.out.$n || ret=1
if [ $minimal = no ] ; then
# change && to || when we support NID additional processing
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
else
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
fi
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with NID (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t NID ns1.nid.example @10.53.0.1 >dig.out.$n || ret=1
if [ $minimal = no ]; then
# change && to || when we support NID additional processing
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
else
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
fi
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with NID + LP (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t NID nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1
if [ $minimal = no ] ; then
# change && to || when we support NID additional processing
grep -w "LP" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
else
grep -w "LP" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
fi
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with NID + LP (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t NID nid2.nid.example @10.53.0.1 >dig.out.$n || ret=1
if [ $minimal = no ]; then
# change && to || when we support NID additional processing
grep -w "LP" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
else
grep -w "LP" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
fi
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with NS, root zone ($n)"
ret=0
$DIG $DIGOPTS -t NS . @10.53.0.1 > dig.out.$n || ret=1
# Always expect glue for root priming queries, regardless $minimal
grep 'ADDITIONAL: 3' dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$((n + 1))
echo_i "test with NS, root zone ($n)"
ret=0
$DIG $DIGOPTS -t NS . @10.53.0.1 >dig.out.$n || ret=1
# Always expect glue for root priming queries, regardless $minimal
grep 'ADDITIONAL: 3' dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "test with NS, non-root zone ($n)"
ret=0
$DIG $DIGOPTS -t NS rt.example @10.53.0.1 > dig.out.$n || ret=1
case $minimal in
n=$((n + 1))
echo_i "test with NS, non-root zone ($n)"
ret=0
$DIG $DIGOPTS -t NS rt.example @10.53.0.1 >dig.out.$n || ret=1
case $minimal in
yes)
grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1
grep 'ADDITIONAL: 2' dig.out.$n >/dev/null || ret=1
;;
no)
grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1
grep 'ADDITIONAL: 2' dig.out.$n >/dev/null || ret=1
;;
no-auth)
grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1
grep 'ADDITIONAL: 2' dig.out.$n >/dev/null || ret=1
;;
no-auth-recursive)
grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1
grep 'ADDITIONAL: 2' dig.out.$n >/dev/null || ret=1
;;
esac
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
esac
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
}
echo_i "testing with 'minimal-responses yes;'"
@ -262,10 +278,11 @@ dotests
n=$((n + 1))
echo_i "testing with 'minimal-any no;' ($n)"
ret=0
$DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1
grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 >dig.out.$n || ret=1
grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
echo_i "reconfiguring server: minimal-any yes"
@ -275,28 +292,31 @@ rndc_reconfig ns1 10.53.0.1
n=$((n + 1))
echo_i "testing with 'minimal-any yes;' over UDP ($n)"
ret=0
$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1
grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 >dig.out.$n || ret=1
grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "testing with 'minimal-any yes;' over TCP ($n)"
ret=0
$DIG $DIGOPTS -t ANY +tcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1
grep "ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t ANY +tcp www.rt.example @10.53.0.1 >dig.out.$n || ret=1
grep "ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "testing with 'minimal-any yes;' over UDP ($n)"
ret=0
$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1
grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 >dig.out.$n || ret=1
grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
echo_i "testing with 'minimal-responses no-auth;'"
@ -314,23 +334,25 @@ dotests
n=$((n + 1))
echo_i "testing returning TLSA records with MX query ($n)"
ret=0
$DIG $DIGOPTS -t mx mx.example @10.53.0.1 > dig.out.$n || ret=1
grep "mx\.example\..*MX.0 mail\.mx\.example" dig.out.$n > /dev/null || ret=1
grep "mail\.mx\.example\..*A.1\.2\.3\.4" dig.out.$n > /dev/null || ret=1
grep "_25\._tcp\.mail\.mx\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t mx mx.example @10.53.0.1 >dig.out.$n || ret=1
grep "mx\.example\..*MX.0 mail\.mx\.example" dig.out.$n >/dev/null || ret=1
grep "mail\.mx\.example\..*A.1\.2\.3\.4" dig.out.$n >/dev/null || ret=1
grep "_25\._tcp\.mail\.mx\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "testing returning TLSA records with SRV query ($n)"
ret=0
$DIG $DIGOPTS -t srv _xmpp-client._tcp.srv.example @10.53.0.1 > dig.out.$n || ret=1
grep "_xmpp-client\._tcp\.srv\.example\..*SRV.1 0 5222 server\.srv\.example" dig.out.$n > /dev/null || ret=1
grep "server\.srv\.example\..*A.1\.2\.3\.4" dig.out.$n > /dev/null || ret=1
grep "_5222\._tcp\.server\.srv\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t srv _xmpp-client._tcp.srv.example @10.53.0.1 >dig.out.$n || ret=1
grep "_xmpp-client\._tcp\.srv\.example\..*SRV.1 0 5222 server\.srv\.example" dig.out.$n >/dev/null || ret=1
grep "server\.srv\.example\..*A.1\.2\.3\.4" dig.out.$n >/dev/null || ret=1
grep "_5222\._tcp\.server\.srv\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
echo_i "reconfiguring server: minimal-responses no"
@ -340,39 +362,43 @@ rndc_reconfig ns1 10.53.0.1
n=$((n + 1))
echo_i "testing NS handling in ANY responses (authoritative) ($n)"
ret=0
$DIG $DIGOPTS -t ANY rt.example @10.53.0.1 > dig.out.$n || ret=1
grep "AUTHORITY: 0" dig.out.$n > /dev/null || ret=1
grep "NS[ ]*ns" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t ANY rt.example @10.53.0.1 >dig.out.$n || ret=1
grep "AUTHORITY: 0" dig.out.$n >/dev/null || ret=1
grep "NS[ ]*ns" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "testing NS handling in ANY responses (recursive) ($n)"
ret=0
$DIG $DIGOPTS -t ANY rt.example @10.53.0.3 > dig.out.$n || ret=1
grep "AUTHORITY: 0" dig.out.$n > /dev/null || ret=1
grep "NS[ ]*ns" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t ANY rt.example @10.53.0.3 >dig.out.$n || ret=1
grep "AUTHORITY: 0" dig.out.$n >/dev/null || ret=1
grep "NS[ ]*ns" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "testing out-of-zone additional data from auth zones (authoritative) ($n)"
ret=0
$DIG $DIGOPTS -t NS rt.example @10.53.0.1 > dig.out.$n || ret=1
grep "ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t NS rt.example @10.53.0.1 >dig.out.$n || ret=1
grep "ADDITIONAL: 2" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=$((n + 1))
echo_i "testing out-of-zone additional data from auth zones (recursive) ($n)"
ret=0
$DIG $DIGOPTS -t NS ex @10.53.0.3 > dig.out.$n || ret=1
grep "ADDITIONAL: 3" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t NS ex @10.53.0.3 >dig.out.$n || ret=1
grep "ADDITIONAL: 3" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
echo_i "exit status: $status"
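Review bot: The `case $minimal in` dispatches inside `dotests` (the two LP checks and the NS non-root check) have no default arm, so if `$minimal` ever holds a value other than `no`, `yes`, `no-auth` or `no-auth-recursive`, no grep runs, `ret` stays 0 and the test passes vacuously. Adding `*) echo_i "unexpected minimal=$minimal"; ret=1 ;;` to each `case` turns that into a visible failure. `dotests` is defined wholly inside the first hunk; the top-level code that sets `$minimal` before each call is outside it.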


@ -19,9 +19,9 @@ DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnss
RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"
check_zonestatus() (
$RNDCCMD "10.53.0.$1" zonestatus -redirect > "zonestatus.out.ns$1.$n" &&
grep "type: redirect" "zonestatus.out.ns$1.$n" > /dev/null &&
grep "serial: 1" "zonestatus.out.ns$1.$n" > /dev/null
$RNDCCMD "10.53.0.$1" zonestatus -redirect >"zonestatus.out.ns$1.$n" \
&& grep "type: redirect" "zonestatus.out.ns$1.$n" >/dev/null \
&& grep "serial: 1" "zonestatus.out.ns$1.$n" >/dev/null
)
status=0
@ -29,9 +29,9 @@ n=0
echo_i "checking normally loaded zone ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -40,28 +40,28 @@ status=$((status + ret))
# NZF to NZD occurs during named startup
echo_i "checking previously added zone ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 a.previous.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.previous.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 a.previous.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.previous.example' dig.out.ns2.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
if $FEATURETEST --with-lmdb; then
echo_i "checking that existing NZF file was renamed after migration ($n)"
[ -e ns2/3bf305731dd26307.nzf~ ] || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "checking that existing NZF file was renamed after migration ($n)"
[ -e ns2/3bf305731dd26307.nzf~ ] || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
fi
echo_i "adding new zone ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone 'added.example { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
_check_adding_new_zone () (
$DIG $DIGOPTS @10.53.0.2 a.added.example a > dig.out.ns2.$n &&
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null &&
grep '^a.added.example' dig.out.ns2.$n > /dev/null
_check_adding_new_zone() (
$DIG $DIGOPTS @10.53.0.2 a.added.example a >dig.out.ns2.$n \
&& grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \
&& grep '^a.added.example' dig.out.ns2.$n >/dev/null
)
retry_quiet 10 _check_adding_new_zone || ret=1
n=$((n + 1))
@ -71,7 +71,7 @@ status=$((status + ret))
nextpart ns2/named.run >/dev/null
echo_i "checking addzone errors are logged correctly"
ret=0
$RNDCCMD 10.53.0.2 addzone bad.example '{ type mister; };' 2>&1 | grep 'unexpected token' > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.2 addzone bad.example '{ type mister; };' 2>&1 | grep 'unexpected token' >/dev/null 2>&1 || ret=1
wait_for_log_peek 20 "addzone: 'mister' unexpected" ns2/named.run || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -80,7 +80,7 @@ status=$((status + ret))
nextpart ns2/named.run >/dev/null
echo_i "checking modzone errors are logged correctly"
ret=0
$RNDCCMD 10.53.0.2 modzone added.example '{ type mister; };' 2>&1 | grep 'unexpected token' > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.2 modzone added.example '{ type mister; };' 2>&1 | grep 'unexpected token' >/dev/null 2>&1 || ret=1
wait_for_log_peek 20 "modzone: 'mister' unexpected" ns2/named.run || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -91,9 +91,9 @@ ret=0
$RNDCCMD 10.53.0.2 addzone '"32/1.0.0.127-in-addr.added.example" {
check-names ignore; type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
_check_zone_that_requires_quotes() (
$DIG $DIGOPTS @10.53.0.2 "a.32/1.0.0.127-in-addr.added.example" a > dig.out.ns2.$n &&
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null &&
grep '^a.32/1.0.0.127-in-addr.added.example' dig.out.ns2.$n > /dev/null
$DIG $DIGOPTS @10.53.0.2 "a.32/1.0.0.127-in-addr.added.example" a >dig.out.ns2.$n \
&& grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \
&& grep '^a.32/1.0.0.127-in-addr.added.example' dig.out.ns2.$n >/dev/null
)
retry_quiet 10 _check_zone_that_requires_quotes || ret=1
n=$((n + 1))
@ -104,9 +104,9 @@ echo_i "adding a zone with a quote in the name ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone '"foo\"bar.example" { check-names ignore; type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
_check_zone_with_a_quote() (
$DIG $DIGOPTS @10.53.0.2 "a.foo\"bar.example" a > dig.out.ns2.$n &&
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null &&
grep '^a.foo\\"bar.example' dig.out.ns2.$n > /dev/null
$DIG $DIGOPTS @10.53.0.2 "a.foo\"bar.example" a >dig.out.ns2.$n \
&& grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \
&& grep '^a.foo\\"bar.example' dig.out.ns2.$n >/dev/null
)
retry_quiet 10 _check_zone_with_a_quote || ret=1
n=$((n + 1))
@ -115,30 +115,30 @@ status=$((status + ret))
echo_i "adding new zone with missing file ($n)"
ret=0
$DIG $DIGOPTS +all @10.53.0.2 a.missing.example a > dig.out.ns2.pre.$n || ret=1
grep "status: REFUSED" dig.out.ns2.pre.$n > /dev/null || ret=1
$RNDCCMD 10.53.0.2 addzone 'missing.example { type primary; file "missing.db"; };' 2> rndc.out.ns2.$n && ret=1
grep "file not found" rndc.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS +all @10.53.0.2 a.missing.example a > dig.out.ns2.post.$n || ret=1
grep "status: REFUSED" dig.out.ns2.post.$n > /dev/null || ret=1
$DIG $DIGOPTS +all @10.53.0.2 a.missing.example a >dig.out.ns2.pre.$n || ret=1
grep "status: REFUSED" dig.out.ns2.pre.$n >/dev/null || ret=1
$RNDCCMD 10.53.0.2 addzone 'missing.example { type primary; file "missing.db"; };' 2>rndc.out.ns2.$n && ret=1
grep "file not found" rndc.out.ns2.$n >/dev/null || ret=1
$DIG $DIGOPTS +all @10.53.0.2 a.missing.example a >dig.out.ns2.post.$n || ret=1
grep "status: REFUSED" dig.out.ns2.post.$n >/dev/null || ret=1
digcomp dig.out.ns2.pre.$n dig.out.ns2.post.$n || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
if ! $FEATURETEST --with-lmdb; then
echo_i "verifying no comments in NZF file ($n)"
ret=0
hcount=$(grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l)
[ $hcount -eq 0 ] || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "verifying no comments in NZF file ($n)"
ret=0
hcount=$(grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l)
[ $hcount -eq 0 ] || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
fi
echo_i "checking rndc showzone with previously added zone ($n)"
ret=0
$RNDCCMD 10.53.0.2 showzone previous.example > rndc.out.ns2.$n
$RNDCCMD 10.53.0.2 showzone previous.example >rndc.out.ns2.$n
expected='zone "previous.example" { type primary; file "previous.db"; };'
[ "$(cat rndc.out.ns2.$n)" = "$expected" ] || ret=1
n=$((n + 1))
@ -146,20 +146,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
if $FEATURETEST --with-lmdb; then
echo_i "checking zone is present in NZD ($n)"
ret=0
$NZD2NZF ns2/_default.nzd | grep previous.example > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "checking zone is present in NZD ($n)"
ret=0
$NZD2NZF ns2/_default.nzd | grep previous.example >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
fi
echo_i "deleting previously added zone ($n)"
ret=0
$RNDCCMD 10.53.0.2 delzone previous.example 2>&1 | sed 's/^/I:ns2 /'
_check_deleting_previously_added_zone() (
$DIG $DIGOPTS @10.53.0.2 a.previous.example a > dig.out.ns2.$n &&
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null &&
! grep '^a.previous.example' dig.out.ns2.$n > /dev/null
$DIG $DIGOPTS @10.53.0.2 a.previous.example a >dig.out.ns2.$n \
&& grep 'status: REFUSED' dig.out.ns2.$n >/dev/null \
&& ! grep '^a.previous.example' dig.out.ns2.$n >/dev/null
)
retry_quiet 10 _check_deleting_previously_added_zone || ret=1
n=$((n + 1))
@ -167,34 +167,34 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
check_nzd2nzf() (
$NZD2NZF ns2/_default.nzd > nzd2nzf.out.$n &&
! grep previous.example nzd2nzf.out.$n > /dev/null
$NZD2NZF ns2/_default.nzd >nzd2nzf.out.$n \
&& ! grep previous.example nzd2nzf.out.$n >/dev/null
)
if $FEATURETEST --with-lmdb; then
echo_i "checking zone was deleted from NZD ($n)"
retry_quiet 10 check_nzd2nzf || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "checking zone was deleted from NZD ($n)"
retry_quiet 10 check_nzd2nzf || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
fi
if ! $FEATURETEST --with-lmdb; then
echo_i "checking NZF file now has comment ($n)"
ret=0
hcount=$(grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l)
[ $hcount -eq 1 ] || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "checking NZF file now has comment ($n)"
ret=0
hcount=$(grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l)
[ $hcount -eq 1 ] || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
fi
echo_i "deleting newly added zone added.example ($n)"
ret=0
$RNDCCMD 10.53.0.2 delzone added.example 2>&1 | sed 's/^/I:ns2 /'
_check_deleting_newly_added_zone() (
$DIG $DIGOPTS @10.53.0.2 a.added.example a > dig.out.ns2.$n &&
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null &&
! grep '^a.added.example' dig.out.ns2.$n > /dev/null
$DIG $DIGOPTS @10.53.0.2 a.added.example a >dig.out.ns2.$n \
&& grep 'status: REFUSED' dig.out.ns2.$n >/dev/null \
&& ! grep '^a.added.example' dig.out.ns2.$n >/dev/null
)
retry_quiet 10 _check_deleting_newly_added_zone || ret=1
n=$((n + 1))
@ -205,9 +205,9 @@ echo_i "deleting newly added zone with escaped quote ($n)"
ret=0
$RNDCCMD 10.53.0.2 delzone "foo\\\"bar.example" 2>&1 | sed 's/^/I:ns2 /'
_check_deleting_newly_added_zone_quote() (
$DIG $DIGOPTS @10.53.0.2 "a.foo\"bar.example" a > dig.out.ns2.$n &&
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null &&
! grep "^a.foo\"bar.example" dig.out.ns2.$n > /dev/null
$DIG $DIGOPTS @10.53.0.2 "a.foo\"bar.example" a >dig.out.ns2.$n \
&& grep 'status: REFUSED' dig.out.ns2.$n >/dev/null \
&& ! grep "^a.foo\"bar.example" dig.out.ns2.$n >/dev/null
)
retry_quiet 10 _check_deleting_newly_added_zone_quote || ret=1
n=$((n + 1))
@ -216,7 +216,7 @@ status=$((status + ret))
echo_i "checking rndc showzone with a normally-loaded zone ($n)"
ret=0
$RNDCCMD 10.53.0.2 showzone normal.example > rndc.out.ns2.$n
$RNDCCMD 10.53.0.2 showzone normal.example >rndc.out.ns2.$n
expected='zone "normal.example" { type primary; file "normal.db"; };'
[ "$(cat rndc.out.ns2.$n)" = "$expected" ] || ret=1
n=$((n + 1))
@ -225,7 +225,7 @@ status=$((status + ret))
echo_i "checking rndc showzone with a normally-loaded zone with trailing dot ($n)"
ret=0
$RNDCCMD 10.53.0.2 showzone finaldot.example > rndc.out.ns2.$n
$RNDCCMD 10.53.0.2 showzone finaldot.example >rndc.out.ns2.$n
expected='zone "finaldot.example." { type primary; file "normal.db"; };'
[ "$(cat rndc.out.ns2.$n)" = "$expected" ] || ret=1
n=$((n + 1))
@ -234,7 +234,7 @@ status=$((status + ret))
echo_i "checking rndc showzone with a normally-loaded redirect zone ($n)"
ret=0
$RNDCCMD 10.53.0.1 showzone -redirect > rndc.out.ns1.$n
$RNDCCMD 10.53.0.1 showzone -redirect >rndc.out.ns1.$n
expected='zone "." { type redirect; file "redirect.db"; };'
[ "$(cat rndc.out.ns1.$n)" = "$expected" ] || ret=1
n=$((n + 1))
@ -243,9 +243,9 @@ status=$((status + ret))
echo_i "checking rndc zonestatus with a normally-loaded redirect zone ($n)"
ret=0
$RNDCCMD 10.53.0.1 zonestatus -redirect > rndc.out.ns1.$n
grep "type: redirect" rndc.out.ns1.$n > /dev/null || ret=1
grep "serial: 0" rndc.out.ns1.$n > /dev/null || ret=1
$RNDCCMD 10.53.0.1 zonestatus -redirect >rndc.out.ns1.$n
grep "type: redirect" rndc.out.ns1.$n >/dev/null || ret=1
grep "serial: 0" rndc.out.ns1.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -254,7 +254,7 @@ echo_i "checking rndc reload with a normally-loaded redirect zone ($n)"
ret=0
sleep 1
cp -f ns1/redirect.db.2 ns1/redirect.db
$RNDCCMD 10.53.0.1 reload -redirect > rndc.out.ns1.$n
$RNDCCMD 10.53.0.1 reload -redirect >rndc.out.ns1.$n
retry_quiet 5 check_zonestatus 1 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -262,13 +262,13 @@ status=$((status + ret))
echo_i "delete a normally-loaded zone ($n)"
ret=0
$RNDCCMD 10.53.0.2 delzone normal.example > rndc.out.ns2.$n 2>&1
grep "is no longer active and will be deleted" rndc.out.ns2.$n > /dev/null || ret=11
grep "To keep it from returning when the server is restarted" rndc.out.ns2.$n > /dev/null || ret=1
grep "must also be removed from named.conf." rndc.out.ns2.$n > /dev/null || ret=1
$RNDCCMD 10.53.0.2 delzone normal.example >rndc.out.ns2.$n 2>&1
grep "is no longer active and will be deleted" rndc.out.ns2.$n >/dev/null || ret=11
grep "To keep it from returning when the server is restarted" rndc.out.ns2.$n >/dev/null || ret=1
grep "must also be removed from named.conf." rndc.out.ns2.$n >/dev/null || ret=1
_check_delete_normally_loaded_zone() (
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n &&
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null
$DIG $DIGOPTS @10.53.0.2 a.normal.example a >dig.out.ns2.$n \
&& grep 'status: REFUSED' dig.out.ns2.$n >/dev/null
)
retry_quiet 5 _check_delete_normally_loaded_zone || ret=1
@ -279,9 +279,9 @@ status=$((status + ret))
echo_i "attempting to add primary zone with inline signing ($n)"
$RNDCCMD 10.53.0.2 addzone 'inline.example { type primary; file "inline.db"; inline-signing yes; };' 2>&1 | sed 's/^/I:ns2 /'
_check_add_primary_zone_with_inline() (
$DIG $DIGOPTS @10.53.0.2 a.inline.example a > dig.out.ns2.$n &&
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null &&
grep '^a.inline.example' dig.out.ns2.$n > /dev/null
$DIG $DIGOPTS @10.53.0.2 a.inline.example a >dig.out.ns2.$n \
&& grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \
&& grep '^a.inline.example' dig.out.ns2.$n >/dev/null
)
retry_quiet 5 _check_add_primary_zone_with_inline || ret=1
n=$((n + 1))
@ -290,8 +290,8 @@ status=$((status + ret))
echo_i "attempting to add primary zone with inline signing and missing file ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone 'inlinemissing.example { type primary; file "missing.db"; inline-signing yes; };' 2> rndc.out.ns2.$n && ret=1
grep "file not found" rndc.out.ns2.$n > /dev/null || ret=1
$RNDCCMD 10.53.0.2 addzone 'inlinemissing.example { type primary; file "missing.db"; inline-signing yes; };' 2>rndc.out.ns2.$n && ret=1
grep "file not found" rndc.out.ns2.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -299,9 +299,9 @@ status=$((status + ret))
echo_i "attempting to add secondary zone with inline signing ($n)"
$RNDCCMD 10.53.0.2 addzone 'inlinesec.example { type secondary; primaries { 10.53.0.1; }; file "inlinesec.bk"; inline-signing yes; };' 2>&1 | sed 's/^/I:ns2 /'
_check_add_secondary_with_inline() (
$DIG $DIGOPTS @10.53.0.2 a.inlinesec.example a > dig.out.ns2.$n &&
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null &&
grep '^a.inlinesec.example' dig.out.ns2.$n > /dev/null
$DIG $DIGOPTS @10.53.0.2 a.inlinesec.example a >dig.out.ns2.$n \
&& grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \
&& grep '^a.inlinesec.example' dig.out.ns2.$n >/dev/null
)
retry_quiet 5 _check_add_secondary_with_inline || ret=1
n=$((n + 1))
@ -311,14 +311,16 @@ status=$((status + ret))
echo_i "attempting to delete secondary zone with inline signing ($n)"
ret=0
retry_quiet 10 test -f ns2/inlinesec.bk.signed -a -f ns2/inlinesec.bk || ret=1
$RNDCCMD 10.53.0.2 delzone inlinesec.example > rndc.out2.test$n 2>&1 || ret=1
test -f inlinesec.bk ||
grep '^inlinesec.bk$' rndc.out2.test$n > /dev/null || {
echo_i "failed to report inlinesec.bk"; ret=1;
$RNDCCMD 10.53.0.2 delzone inlinesec.example >rndc.out2.test$n 2>&1 || ret=1
test -f inlinesec.bk \
|| grep '^inlinesec.bk$' rndc.out2.test$n >/dev/null || {
echo_i "failed to report inlinesec.bk"
ret=1
}
test ! -f inlinesec.bk.signed ||
grep '^inlinesec.bk.signed$' rndc.out2.test$n > /dev/null || {
echo_i "failed to report inlinesec.bk.signed"; ret=1;
test ! -f inlinesec.bk.signed \
|| grep '^inlinesec.bk.signed$' rndc.out2.test$n >/dev/null || {
echo_i "failed to report inlinesec.bk.signed"
ret=1
}
n=$((n + 1))
status=$((status + ret))
@ -326,9 +328,9 @@ status=$((status + ret))
echo_i "restoring secondary zone with inline signing ($n)"
$RNDCCMD 10.53.0.2 addzone 'inlinesec.example { type secondary; primaries { 10.53.0.1; }; file "inlinesec.bk"; inline-signing yes; };' 2>&1 | sed 's/^/I:ns2 /'
_check_restoring_secondary_with_inline() (
$DIG $DIGOPTS @10.53.0.2 a.inlinesec.example a > dig.out.ns2.$n &&
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null &&
grep '^a.inlinesec.example' dig.out.ns2.$n > /dev/null
$DIG $DIGOPTS @10.53.0.2 a.inlinesec.example a >dig.out.ns2.$n \
&& grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \
&& grep '^a.inlinesec.example' dig.out.ns2.$n >/dev/null
)
retry_quiet 5 _check_restoring_secondary_with_inline || ret=1
n=$((n + 1))
@ -338,7 +340,7 @@ status=$((status + ret))
echo_i "deleting secondary zone with automatic zone file removal ($n)"
ret=0
retry_quiet 10 test -f ns2/inlinesec.bk.signed -a -f ns2/inlinesec.bk || ret=1
$RNDCCMD 10.53.0.2 delzone -clean inlinesec.example > /dev/null 2>&1
$RNDCCMD 10.53.0.2 delzone -clean inlinesec.example >/dev/null 2>&1
retry_quiet 10 test ! -f ns2/inlinesec.bk.signed -a ! -f ns2/inlinesec.bk
n=$((n + 1))
status=$((status + ret))
@ -346,38 +348,38 @@ status=$((status + ret))
echo_i "modifying zone configuration ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone 'mod.example { type primary; file "added.db"; };' 2>&1 | sed 's/^/ns2 /' | cat_i
$DIG +norec $DIGOPTS @10.53.0.2 mod.example ns > dig.out.ns2.1.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.1.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.2 mod.example ns >dig.out.ns2.1.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.1.$n >/dev/null || ret=1
$RNDCCMD 10.53.0.2 modzone 'mod.example { type primary; file "added.db"; allow-query { none; }; };' 2>&1 | sed 's/^/ns2 /' | cat_i
$DIG +norec $DIGOPTS @10.53.0.2 mod.example ns > dig.out.ns2.2.$n || ret=1
$RNDCCMD 10.53.0.2 showzone mod.example | grep 'allow-query { "none"; };' > /dev/null 2>&1 || ret=1
$DIG +norec $DIGOPTS @10.53.0.2 mod.example ns >dig.out.ns2.2.$n || ret=1
$RNDCCMD 10.53.0.2 showzone mod.example | grep 'allow-query { "none"; };' >/dev/null 2>&1 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "check that adding a 'stub' zone works ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone 'stub.example { type stub; primaries { 1.2.3.4; }; file "stub.example.bk"; };' > rndc.out.ns2.$n 2>&1 || ret=1
$RNDCCMD 10.53.0.2 addzone 'stub.example { type stub; primaries { 1.2.3.4; }; file "stub.example.bk"; };' >rndc.out.ns2.$n 2>&1 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "check that adding a 'static-stub' zone works ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone 'static-stub.example { type static-stub; server-addresses { 1.2.3.4; }; };' > rndc.out.ns2.$n 2>&1 || ret=1
$RNDCCMD 10.53.0.2 addzone 'static-stub.example { type static-stub; server-addresses { 1.2.3.4; }; };' >rndc.out.ns2.$n 2>&1 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "check that adding a 'primary redirect' zone works ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone '"." { type redirect; file "redirect.db"; };' > rndc.out.ns2.$n 2>&1 || ret=1
$RNDCCMD 10.53.0.2 addzone '"." { type redirect; file "redirect.db"; };' >rndc.out.ns2.$n 2>&1 || ret=1
_check_add_primary_redirect() (
$RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 &&
grep "type redirect;" showzone.out.ns2.$n > /dev/null &&
$RNDCCMD 10.53.0.2 zonestatus -redirect > zonestatus.out.ns2.$n 2>&1 &&
grep "type: redirect" zonestatus.out.ns2.$n > /dev/null &&
grep "serial: 0" zonestatus.out.ns2.$n > /dev/null
$RNDCCMD 10.53.0.2 showzone -redirect >showzone.out.ns2.$n 2>&1 \
&& grep "type redirect;" showzone.out.ns2.$n >/dev/null \
&& $RNDCCMD 10.53.0.2 zonestatus -redirect >zonestatus.out.ns2.$n 2>&1 \
&& grep "type: redirect" zonestatus.out.ns2.$n >/dev/null \
&& grep "serial: 0" zonestatus.out.ns2.$n >/dev/null
)
retry_quiet 10 _check_add_primary_redirect || ret=1
n=$((n + 1))
@ -388,7 +390,7 @@ echo_i "check that reloading a added 'primary redirect' zone works ($n)"
ret=0
sleep 1
cp -f ns2/redirect.db.2 ns2/redirect.db
$RNDCCMD 10.53.0.2 reload -redirect > rndc.out.ns2.$n
$RNDCCMD 10.53.0.2 reload -redirect >rndc.out.ns2.$n
retry_quiet 10 check_zonestatus 2 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -396,17 +398,17 @@ status=$((status + ret))
echo_i "check that retransfer of a added 'primary redirect' zone fails ($n)"
ret=0
$RNDCCMD 10.53.0.2 retransfer -redirect > rndc.out.ns2.$n 2>&1 && ret=1
$RNDCCMD 10.53.0.2 retransfer -redirect >rndc.out.ns2.$n 2>&1 && ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "check that deleting a 'primary redirect' zone works ($n)"
ret=0
$RNDCCMD 10.53.0.2 delzone -redirect > rndc.out.ns2.$n 2>&1 || ret=1
$RNDCCMD 10.53.0.2 delzone -redirect >rndc.out.ns2.$n 2>&1 || ret=1
_check_deleting_primary_redirect() (
$RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 || true
grep 'not found' showzone.out.ns2.$n > /dev/null
$RNDCCMD 10.53.0.2 showzone -redirect >showzone.out.ns2.$n 2>&1 || true
grep 'not found' showzone.out.ns2.$n >/dev/null
)
retry_quiet 10 _check_deleting_primary_redirect || ret=1
n=$((n + 1))
@ -415,13 +417,13 @@ status=$((status + ret))
echo_i "check that adding a 'secondary redirect' zone works ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone '"." { type redirect; primaries { 10.53.0.3;}; file "redirect.bk"; };' > rndc.out.ns2.$n 2>&1 || ret=1
$RNDCCMD 10.53.0.2 addzone '"." { type redirect; primaries { 10.53.0.3;}; file "redirect.bk"; };' >rndc.out.ns2.$n 2>&1 || ret=1
_check_adding_secondary_redirect() (
$RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 &&
grep "type redirect;" showzone.out.ns2.$n > /dev/null &&
$RNDCCMD 10.53.0.2 zonestatus -redirect > zonestatus.out.ns2.$n 2>&1 &&
grep "type: redirect" zonestatus.out.ns2.$n > /dev/null &&
grep "serial: 0" zonestatus.out.ns2.$n > /dev/null
$RNDCCMD 10.53.0.2 showzone -redirect >showzone.out.ns2.$n 2>&1 \
&& grep "type redirect;" showzone.out.ns2.$n >/dev/null \
&& $RNDCCMD 10.53.0.2 zonestatus -redirect >zonestatus.out.ns2.$n 2>&1 \
&& grep "type: redirect" zonestatus.out.ns2.$n >/dev/null \
&& grep "serial: 0" zonestatus.out.ns2.$n >/dev/null
)
retry_quiet 10 _check_adding_secondary_redirect || ret=1
n=$((n + 1))
@ -431,12 +433,12 @@ status=$((status + ret))
echo_i "check that retransfering a added 'secondary redirect' zone works ($n)"
ret=0
cp -f ns3/redirect.db.2 ns3/redirect.db
$RNDCCMD 10.53.0.3 reload . > showzone.out.ns3.$n 2>&1 || ret=1
$RNDCCMD 10.53.0.3 reload . >showzone.out.ns3.$n 2>&1 || ret=1
_check_retransfering_secondary_redirect() (
$RNDCCMD 10.53.0.2 retransfer -redirect > rndc.out.ns2.$n 2>&1 &&
$RNDCCMD 10.53.0.2 zonestatus -redirect > zonestatus.out.ns2.$n 2>&1 &&
grep "type: redirect" zonestatus.out.ns2.$n > /dev/null &&
grep "serial: 1" zonestatus.out.ns2.$n > /dev/null
$RNDCCMD 10.53.0.2 retransfer -redirect >rndc.out.ns2.$n 2>&1 \
&& $RNDCCMD 10.53.0.2 zonestatus -redirect >zonestatus.out.ns2.$n 2>&1 \
&& grep "type: redirect" zonestatus.out.ns2.$n >/dev/null \
&& grep "serial: 1" zonestatus.out.ns2.$n >/dev/null
)
retry_quiet 10 _check_retransfering_secondary_redirect || ret=1
n=$((n + 1))
@ -445,10 +447,10 @@ status=$((status + ret))
echo_i "check that deleting a 'secondary redirect' zone works ($n)"
ret=0
$RNDCCMD 10.53.0.2 delzone -redirect > rndc.out.ns2.$n 2>&1 || ret=1
$RNDCCMD 10.53.0.2 delzone -redirect >rndc.out.ns2.$n 2>&1 || ret=1
_check_deleting_secondary_redirect() (
$RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 || true
grep 'not found' showzone.out.ns2.$n > /dev/null
$RNDCCMD 10.53.0.2 showzone -redirect >showzone.out.ns2.$n 2>&1 || true
grep 'not found' showzone.out.ns2.$n >/dev/null
)
retry_quiet 10 _check_deleting_secondary_redirect || ret=1
n=$((n + 1))
@ -457,32 +459,32 @@ status=$((status + ret))
echo_i "check that zone type 'hint' is properly rejected ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone '"." { type hint; file "hints.db"; };' > rndc.out.ns2.$n 2>&1 && ret=1
grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1
$RNDCCMD 10.53.0.2 addzone '"." { type hint; file "hints.db"; };' >rndc.out.ns2.$n 2>&1 && ret=1
grep "zones not supported by addzone" rndc.out.ns2.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "check that zone type 'forward' is properly rejected ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone 'forward.example { type forward; forwarders { 1.2.3.4; }; forward only; };' > rndc.out.ns2.$n 2>&1 && ret=1
grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1
$RNDCCMD 10.53.0.2 addzone 'forward.example { type forward; forwarders { 1.2.3.4; }; forward only; };' >rndc.out.ns2.$n 2>&1 && ret=1
grep "zones not supported by addzone" rndc.out.ns2.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "check that zone type 'delegation-only' is properly rejected ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone 'delegation-only.example { type delegation-only; };' > rndc.out.ns2.$n 2>&1 && ret=1
grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1
$RNDCCMD 10.53.0.2 addzone 'delegation-only.example { type delegation-only; };' >rndc.out.ns2.$n 2>&1 && ret=1
grep "zones not supported by addzone" rndc.out.ns2.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "check that 'in-view' zones are properly rejected ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone 'in-view.example { in-view "_default"; };' > rndc.out.ns2.$n 2>&1 && ret=1
grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1
$RNDCCMD 10.53.0.2 addzone 'in-view.example { in-view "_default"; };' >rndc.out.ns2.$n 2>&1 && ret=1
grep "zones not supported by addzone" rndc.out.ns2.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -500,48 +502,48 @@ echo_i "adding new zone to external view ($n)"
# the zone does not exist because a) it has not yet been loaded, b)
# it failed to load, or c) it has been deleted.
ret=0
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.intpre.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.intpre.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.extpre.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.extpre.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.intpre.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.intpre.$n >/dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.extpre.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.extpre.$n >/dev/null || ret=1
$RNDCCMD 10.53.0.2 addzone 'added.example in external { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null || ret=1
grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.ext.$n >/dev/null || ret=1
grep '^a.added.example' dig.out.ns2.ext.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
if ! $FEATURETEST --with-lmdb; then
echo_i "checking new NZF file has comment ($n)"
ret=0
hcount=$(grep "^# New zone file for view: external" ns2/external.nzf | wc -l)
[ $hcount -eq 1 ] || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "checking new NZF file has comment ($n)"
ret=0
hcount=$(grep "^# New zone file for view: external" ns2/external.nzf | wc -l)
[ $hcount -eq 1 ] || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
fi
if $FEATURETEST --with-lmdb; then
echo_i "verifying added.example in external view created an external.nzd DB ($n)"
ret=0
[ -e ns2/external.nzd ] || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "verifying added.example in external view created an external.nzd DB ($n)"
ret=0
[ -e ns2/external.nzd ] || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
fi
echo_i "checking rndc reload causes named to reload the external view's new zone config ($n)"
ret=0
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
_check_rndc_reload_external_view_config() (
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n &&
grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null &&
$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n &&
grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null &&
grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n \
&& grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null \
&& $DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n \
&& grep 'status: NOERROR' dig.out.ns2.ext.$n >/dev/null \
&& grep '^a.added.example' dig.out.ns2.ext.$n >/dev/null
)
retry_quiet 10 _check_rndc_reload_external_view_config || ret=1
n=$((n + 1))
@ -550,15 +552,15 @@ status=$((status + ret))
echo_i "checking rndc showzone with newly added zone ($n)"
_check_rndc_showzone_newly_added() (
if ! $FEATURETEST --with-lmdb; then
expected='zone "added.example" in external { type primary; file "added.db"; };'
else
expected='zone "added.example" { type primary; file "added.db"; };'
fi
$RNDCCMD 10.53.0.2 showzone added.example in external > rndc.out.ns2.$n 2>/dev/null &&
[ "$(cat rndc.out.ns2.$n)" = "$expected" ]
if ! $FEATURETEST --with-lmdb; then
expected='zone "added.example" in external { type primary; file "added.db"; };'
else
expected='zone "added.example" { type primary; file "added.db"; };'
fi
$RNDCCMD 10.53.0.2 showzone added.example in external >rndc.out.ns2.$n 2>/dev/null \
&& [ "$(cat rndc.out.ns2.$n)" = "$expected" ]
)
retry_quiet 10 _check_rndc_showzone_newly_added || ret=1
retry_quiet 10 _check_rndc_showzone_newly_added || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -567,9 +569,9 @@ echo_i "deleting newly added zone ($n)"
ret=0
$RNDCCMD 10.53.0.2 delzone 'added.example in external' 2>&1 | sed 's/^/I:ns2 /'
_check_deleting_newly_added_zone() (
$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.$n &&
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null &&
! grep '^a.added.example' dig.out.ns2.$n > /dev/null
$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.$n \
&& grep 'status: REFUSED' dig.out.ns2.$n >/dev/null \
&& ! grep '^a.added.example' dig.out.ns2.$n >/dev/null
)
retry_quiet 10 _check_deleting_newly_added_zone || ret=1
n=$((n + 1))
@ -578,22 +580,22 @@ status=$((status + ret))
echo_i "attempting to add zone to internal view ($n)"
ret=0
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.pre.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.pre.$n > /dev/null || ret=1
$RNDCCMD 10.53.0.2 addzone 'added.example in internal { type primary; file "added.db"; };' 2> rndc.out.ns2.$n && ret=1
grep "permission denied" rndc.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.ext.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.pre.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.pre.$n >/dev/null || ret=1
$RNDCCMD 10.53.0.2 addzone 'added.example in internal { type primary; file "added.db"; };' 2>rndc.out.ns2.$n && ret=1
grep "permission denied" rndc.out.ns2.$n >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.ext.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "attempting to delete a policy zone ($n)"
ret=0
$RNDCCMD 10.53.0.2 delzone 'policy in internal' 2> rndc.out.ns2.$n >&1 && ret=1
grep 'cannot be deleted' rndc.out.ns2.$n > /dev/null || ret=1
$RNDCCMD 10.53.0.2 delzone 'policy in internal' 2>rndc.out.ns2.$n >&1 && ret=1
grep 'cannot be deleted' rndc.out.ns2.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -602,11 +604,11 @@ echo_i "adding new zone again to external view ($n)"
ret=0
$RNDCCMD 10.53.0.2 addzone 'added.example in external { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
_check_adding_new_zone_again_external() (
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n &&
grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null &&
$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n &&
grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null &&
grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n \
&& grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null \
&& $DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n \
&& grep 'status: NOERROR' dig.out.ns2.ext.$n >/dev/null \
&& grep '^a.added.example' dig.out.ns2.ext.$n >/dev/null
)
retry_quiet 10 _check_adding_new_zone_again_external || ret=1
n=$((n + 1))
@ -620,9 +622,9 @@ rndc_reconfig ns2 10.53.0.2
echo_i "checking new zone is still loaded after dir change ($n)"
ret=0
$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null || ret=1
grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.ext.$n >/dev/null || ret=1
grep '^a.added.example' dig.out.ns2.ext.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -630,39 +632,39 @@ status=$((status + ret))
echo_i "deleting newly added zone from external ($n)"
ret=0
$RNDCCMD 10.53.0.2 delzone 'added.example in external' 2>&1 | sed 's/^/I:ns2 /'
$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.added.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.added.example' dig.out.ns2.$n >/dev/null && ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "adding new zone to directory view ($n)"
ret=0
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.intpre.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.intpre.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.extpre.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.extpre.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a > dig.out.ns2.dirpre.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.dirpre.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.intpre.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.intpre.$n >/dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.extpre.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.extpre.$n >/dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a >dig.out.ns2.dirpre.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.dirpre.$n >/dev/null || ret=1
$RNDCCMD 10.53.0.2 addzone 'added.example in directory { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.ext.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a > dig.out.ns2.dir.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.dir.$n > /dev/null || ret=1
grep '^a.added.example' dig.out.ns2.dir.$n > /dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.ext.$n >/dev/null || ret=1
$DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a >dig.out.ns2.dir.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.dir.$n >/dev/null || ret=1
grep '^a.added.example' dig.out.ns2.dir.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
if $FEATURETEST --with-lmdb; then
echo_i "checking NZD file was created in new-zones-directory ($n)"
expect=ns2/new-zones/directory.nzd
echo_i "checking NZD file was created in new-zones-directory ($n)"
expect=ns2/new-zones/directory.nzd
else
echo_i "checking NZF file was created in new-zones-directory ($n)"
expect=ns2/new-zones/directory.nzf
echo_i "checking NZF file was created in new-zones-directory ($n)"
expect=ns2/new-zones/directory.nzf
fi
$RNDCCMD 10.53.0.2 sync 'added.example IN directory' 2>&1 | sed 's/^/I:ns2 /'
sleep 2
@ -674,9 +676,9 @@ status=$((status + ret))
echo_i "deleting newly added zone from directory ($n)"
ret=0
$RNDCCMD 10.53.0.2 delzone 'added.example in directory' 2>&1 | sed 's/^/I:ns2 /'
$DIG $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.added.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.added.example' dig.out.ns2.$n >/dev/null && ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -684,70 +686,69 @@ status=$((status + ret))
echo_i "ensure the configuration context is cleaned up correctly ($n)"
ret=0
rndc_reconfig ns2 10.53.0.2
$RNDCCMD 10.53.0.2 status > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.2 status >/dev/null 2>&1 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "check delzone after reconfig failure ($n)"
ret=0
$RNDCCMD 10.53.0.3 addzone 'inlinesec.example. IN { type secondary; file "inlinesec.db"; masterfile-format text; primaries { test; }; };' > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone 'inlinesec.example. IN { type secondary; file "inlinesec.db"; masterfile-format text; primaries { test; }; };' >/dev/null 2>&1 || ret=1
copy_setports ns3/named2.conf.in ns3/named.conf
rndc_reconfig ns3 10.53.0.3
$RNDCCMD 10.53.0.3 delzone inlinesec.example > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 delzone inlinesec.example >/dev/null 2>&1 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
if ! $FEATURETEST --with-lmdb
then
echo_i "check that addzone is fully reversed on failure (--with-lmdb=no) ($n)"
ret=0
$RNDCCMD 10.53.0.3 addzone "test1.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone "test2.baz" '{ type primary; file "dne.db"; };' > /dev/null 2>&1 && ret=1
$RNDCCMD 10.53.0.3 addzone "test3.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 delzone "test3.baz" > /dev/null 2>&1 || ret=1
grep test2.baz ns3/_default.nzf > /dev/null && ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
if ! $FEATURETEST --with-lmdb; then
echo_i "check that addzone is fully reversed on failure (--with-lmdb=no) ($n)"
ret=0
$RNDCCMD 10.53.0.3 addzone "test1.baz" '{ type primary; file "e.db"; };' >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone "test2.baz" '{ type primary; file "dne.db"; };' >/dev/null 2>&1 && ret=1
$RNDCCMD 10.53.0.3 addzone "test3.baz" '{ type primary; file "e.db"; };' >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 delzone "test3.baz" >/dev/null 2>&1 || ret=1
grep test2.baz ns3/_default.nzf >/dev/null && ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
fi
_check_version_bind() (
$DIG $DIGOPTS @10.53.0.3 version.bind txt ch > dig.out.test$n &&
grep "status: NOERROR" dig.out.test$n > /dev/null
$DIG $DIGOPTS @10.53.0.3 version.bind txt ch >dig.out.test$n \
&& grep "status: NOERROR" dig.out.test$n >/dev/null
)
echo_i "check that named restarts with multiple added zones ($n)"
ret=0
$RNDCCMD 10.53.0.3 addzone "test4.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone "test5.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone '"test/.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone '"test\".baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone '"test\\.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone '"test\032.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone '"test\010.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone "test4.baz" '{ type primary; file "e.db"; };' >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone "test5.baz" '{ type primary; file "e.db"; };' >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone '"test/.baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone '"test\".baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone '"test\\.baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone '"test\032.baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 addzone '"test\010.baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1
stop_server ns3
start_server --noclean --restart --port ${PORT} ns3 || ret=1
retry_quiet 10 _check_version_bind || ret=1
$DIG $DIGOPTS @10.53.0.3 SOA "test4.baz" > dig.out.1.test$n || ret=1
grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.1.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 SOA "test5.baz" > dig.out.2.test$n || ret=1
grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 SOA 'test/.baz' > dig.out.3.test$n || ret=1
grep "status: NOERROR" dig.out.3.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.3.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 SOA 'test\\.baz' > dig.out.4.test$n || ret=1
grep "status: NOERROR" dig.out.4.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.4.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 SOA 'test\032.baz' > dig.out.5.test$n || ret=1
grep "status: NOERROR" dig.out.5.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.5.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 SOA 'test\010.baz' > dig.out.6.test$n || ret=1
grep "status: NOERROR" dig.out.6.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.6.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 SOA "test4.baz" >dig.out.1.test$n || ret=1
grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1
grep "ANSWER: 1," dig.out.1.test$n >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 SOA "test5.baz" >dig.out.2.test$n || ret=1
grep "status: NOERROR" dig.out.2.test$n >/dev/null || ret=1
grep "ANSWER: 1," dig.out.2.test$n >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 SOA 'test/.baz' >dig.out.3.test$n || ret=1
grep "status: NOERROR" dig.out.3.test$n >/dev/null || ret=1
grep "ANSWER: 1," dig.out.3.test$n >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 SOA 'test\\.baz' >dig.out.4.test$n || ret=1
grep "status: NOERROR" dig.out.4.test$n >/dev/null || ret=1
grep "ANSWER: 1," dig.out.4.test$n >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 SOA 'test\032.baz' >dig.out.5.test$n || ret=1
grep "status: NOERROR" dig.out.5.test$n >/dev/null || ret=1
grep "ANSWER: 1," dig.out.5.test$n >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 SOA 'test\010.baz' >dig.out.6.test$n || ret=1
grep "status: NOERROR" dig.out.6.test$n >/dev/null || ret=1
grep "ANSWER: 1," dig.out.6.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))


@ -14,6 +14,6 @@
. ../conf.sh
copy_setports ../_common/controls.conf.in ns2/controls.conf
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named01.conf.in ns2/named.conf
copy_setports ns3/named1.conf.in ns3/named.conf
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named01.conf.in ns2/named.conf
copy_setports ns3/named1.conf.in ns3/named.conf


@ -61,15 +61,15 @@ DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnss
status=0
n=0
nextpart ns2/named.run > /dev/null
nextpart ns2/named.run >/dev/null
# Test 1 - default, query allowed
n=$((n + 1))
echo_i "test $n: default - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -80,9 +80,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: explicit any - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -93,11 +93,11 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: none - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
nextpart ns2/named.run | grep 'recursion not enabled for view' > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
nextpart ns2/named.run | grep 'recursion not enabled for view' >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -106,10 +106,10 @@ DIGNOEDNS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +no
echo_i "test $n: none - query refused (no edns)"
ret=0
$DIG $DIGNOEDNS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null && ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGNOEDNS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null && ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -120,9 +120,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: address allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -133,10 +133,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: address not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -147,10 +147,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: address disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -161,9 +161,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: acl allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -174,14 +174,13 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: acl not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
# Test 9 - acl disallowed, query refused
n=$((n + 1))
copy_setports ns2/named09.conf.in ns2/named.conf
@ -189,10 +188,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: acl disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -203,9 +202,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: key allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -216,10 +215,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: key not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -230,10 +229,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: key disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -247,9 +246,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views default - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -260,9 +259,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views explicit any - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -273,10 +272,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views none - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -287,9 +286,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views address allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -300,10 +299,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views address not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -314,10 +313,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views address disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -328,9 +327,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views acl allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -341,10 +340,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views acl not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -355,10 +354,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views acl disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -369,9 +368,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views key allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -382,10 +381,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views key not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -396,10 +395,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views key disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -410,9 +409,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views over options, views allow - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -423,10 +422,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views over options, views disallow - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -441,9 +440,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: zone default - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -451,9 +450,9 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: zone explicit any - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.any.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.any.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.any.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.any.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -461,10 +460,10 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: zone none - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.none.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.none.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.none.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.none.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -472,9 +471,9 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: zone address allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrallow.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.addrallow.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrallow.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.addrallow.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -482,10 +481,10 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: zone address not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrnotallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.addrnotallow.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrnotallow.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.addrnotallow.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -493,10 +492,10 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: zone address disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrdisallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.addrdisallow.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrdisallow.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.addrdisallow.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -504,9 +503,9 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: zone acl allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclallow.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.aclallow.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclallow.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.aclallow.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -514,10 +513,10 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: zone acl not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.aclnotallow.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.aclnotallow.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -525,10 +524,10 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: zone acl disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.acldisallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.acldisallow.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.acldisallow.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.acldisallow.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -536,9 +535,9 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: zone key allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -546,10 +545,10 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: zone key not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -557,10 +556,10 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: zone key disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.keydisallow.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -571,9 +570,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views over options, views allow - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -584,10 +583,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views over options, views disallow - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -598,9 +597,9 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: zones over views, views allow - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -611,10 +610,10 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: zones over views, views disallow - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -625,13 +624,13 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: zones over views, allow-query-on"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.1.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.1.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.1.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.2.$n > /dev/null || ret=1
grep '^a.aclnotallow.example' dig.out.ns2.2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.1.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.1.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.1.$n >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a >dig.out.ns2.2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.2.$n >/dev/null || ret=1
grep '^a.aclnotallow.example' dig.out.ns2.2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -639,13 +638,13 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: default allow-recursion configuration"
ret=0
nextpart ns3/named.run > /dev/null
$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 a.normal.example a > dig.out.ns3.1.$n
grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 a.normal.example a > dig.out.ns3.2.$n
grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion did not match' > /dev/null || ret=1
nextpart ns3/named.run >/dev/null
$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 a.normal.example a >dig.out.ns3.1.$n
grep 'status: NOERROR' dig.out.ns3.1.$n >/dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 a.normal.example a >dig.out.ns3.2.$n
grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion did not match' >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -653,12 +652,12 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test $n: default allow-query-cache configuration"
ret=0
$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 ns . > dig.out.ns3.1.$n
grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 ns . > dig.out.ns3.2.$n
grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion did not match' > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 ns . >dig.out.ns3.1.$n
grep 'status: NOERROR' dig.out.ns3.1.$n >/dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 ns . >dig.out.ns3.2.$n
grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion did not match' >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -670,14 +669,14 @@ rndc_reload ns3 10.53.0.3
echo_i "test $n: block recursion-on, allow query-cache-on"
ret=0
# this should query the cache, and an answer should already be there
$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n
grep 'recursion requested but not available' dig.out.ns3.1.$n > /dev/null || ret=1
grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 a.normal.example a >dig.out.ns3.1.$n
grep 'recursion requested but not available' dig.out.ns3.1.$n >/dev/null || ret=1
grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1
# this should require recursion and therefore can't get an answer
$DIG -p ${PORT} @10.53.0.3 b.normal.example a > dig.out.ns3.2.$n
grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'ANSWER: 0' dig.out.ns3.2.$n > /dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion-on did not match' > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 b.normal.example a >dig.out.ns3.2.$n
grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'ANSWER: 0' dig.out.ns3.2.$n >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion-on did not match' >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -689,22 +688,22 @@ rndc_reload ns3 10.53.0.3
echo_i "test $n: inheritance of allow-query-cache-on"
ret=0
# this should query the cache, an answer should already be there
$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n
grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 a.normal.example a >dig.out.ns3.1.$n
grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1
# this should be refused due to allow-recursion-on/allow-query-cache-on
$DIG -p ${PORT} @10.53.1.2 a.normal.example a > dig.out.ns3.2.$n
grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.1.2 a.normal.example a >dig.out.ns3.2.$n
grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1
# this should require recursion and should be allowed
$DIG -p ${PORT} @10.53.0.3 c.normal.example a > dig.out.ns3.3.$n
grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 c.normal.example a >dig.out.ns3.3.$n
grep 'ANSWER: 1' dig.out.ns3.3.$n >/dev/null || ret=1
# this should require recursion and be refused
$DIG -p ${PORT} @10.53.1.2 d.normal.example a > dig.out.ns3.4.$n
grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n > /dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion-on did not match' > /dev/null || ret=1
$DIG -p ${PORT} @10.53.1.2 d.normal.example a >dig.out.ns3.4.$n
grep 'recursion requested but not available' dig.out.ns3.4.$n >/dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.4.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion-on did not match' >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -716,22 +715,22 @@ rndc_reload ns3 10.53.0.3
echo_i "test $n: inheritance of allow-recursion-on"
ret=0
# this should query the cache, an answer should already be there
$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n
grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 a.normal.example a >dig.out.ns3.1.$n
grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1
# this should be refused due to allow-recursion-on/allow-query-cache-on
$DIG -p ${PORT} @10.53.1.2 a.normal.example a > dig.out.ns3.2.$n
grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.1.2 a.normal.example a >dig.out.ns3.2.$n
grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1
# this should require recursion and should be allowed
$DIG -p ${PORT} @10.53.0.3 e.normal.example a > dig.out.ns3.3.$n
grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 e.normal.example a >dig.out.ns3.3.$n
grep 'ANSWER: 1' dig.out.ns3.3.$n >/dev/null || ret=1
# this should require recursion and be refused
$DIG -p ${PORT} @10.53.1.2 f.normal.example a > dig.out.ns3.4.$n
grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n > /dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion-on did not match' > /dev/null || ret=1
$DIG -p ${PORT} @10.53.1.2 f.normal.example a >dig.out.ns3.4.$n
grep 'recursion requested but not available' dig.out.ns3.4.$n >/dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.4.$n >/dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n >/dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion-on did not match' >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))


@ -22,13 +22,11 @@ n=0
n=$((n + 1))
echo_i "wait for zones to finish transferring to ns2 ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
for i in 1 2 3 4 5 6 7 8 9 10; do
ret=0
for zone in example.com example.net
do
$DIG $DIGOPTS @10.53.0.2 soa $zone > dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
for zone in example.com example.net; do
$DIG $DIGOPTS @10.53.0.2 soa $zone >dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
done
[ $ret -eq 0 ] && break
sleep 1
@ -43,44 +41,44 @@ status=$((status + ret))
n=$((n + 1))
echo_i "check that cross-zone CNAME record does not return target data (rd=0/ra=0) ($n)"
ret=0
$DIG $DIGOPTS +norec @10.53.0.1 www.example.com > dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1
$DIG $DIGOPTS +norec @10.53.0.1 www.example.com >dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
grep "flags: qr aa;" dig.out.test$n >/dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n >/dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n >/dev/null && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
n=$((n + 1))
echo_i "check that cross-zone CNAME record does not return target data (rd=1/ra=0) ($n)"
ret=0
$DIG $DIGOPTS +rec @10.53.0.1 www.example.com > dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1
$DIG $DIGOPTS +rec @10.53.0.1 www.example.com >dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
grep "flags: qr aa rd;" dig.out.test$n >/dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n >/dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n >/dev/null && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
n=$((n + 1))
echo_i "check that cross-zone CNAME record does not return target data (rd=0/ra=1) ($n)"
ret=0
$DIG $DIGOPTS +norec @10.53.0.2 www.example.com > dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1
$DIG $DIGOPTS +norec @10.53.0.2 www.example.com >dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
grep "flags: qr aa ra;" dig.out.test$n >/dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n >/dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n >/dev/null && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
n=$((n + 1))
echo_i "check that cross-zone CNAME records return target data (rd=1/ra=1) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 www.example.com > dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 www.example.com >dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1
grep "flags: qr aa rd ra;" dig.out.test$n >/dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n >/dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n >/dev/null || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
@ -90,100 +88,100 @@ status=$((status + ret))
n=$((n + 1))
echo_i "check that in-zone CNAME records return target data (rd=0/ra=0) ($n)"
ret=0
$DIG $DIGOPTS +norec @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +norec @10.53.0.1 inzone.example.com >dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1
grep "flags: qr aa;" dig.out.test$n >/dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n >/dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n >/dev/null || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
n=$((n + 1))
echo_i "check that in-zone CNAME records returns target data (rd=1/ra=0) ($n)"
ret=0
$DIG $DIGOPTS +rec @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +rec @10.53.0.1 inzone.example.com >dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1
grep "flags: qr aa rd;" dig.out.test$n >/dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n >/dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n >/dev/null || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
n=$((n + 1))
echo_i "check that in-zone CNAME records return target data (rd=0/ra=1) ($n)"
ret=0
$DIG $DIGOPTS +norec @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +norec @10.53.0.2 inzone.example.com >dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1
grep "flags: qr aa ra;" dig.out.test$n >/dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n >/dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n >/dev/null || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
n=$((n + 1))
echo_i "check that in-zone CNAME records return target data (rd=1/ra=1) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 inzone.example.com >dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1
grep "flags: qr aa rd ra;" dig.out.test$n >/dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n >/dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n >/dev/null || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
n=$((n + 1))
echo_i "check that in-zone CNAME records does not return target data when QTYPE is CNAME (rd=1/ra=1) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -t cname inzone.example.com > dig.out.test$n || ret=1
grep 'ANSWER: 1,' dig.out.test$n > /dev/null || ret=1
grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1
grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null || ret=1
grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -t cname inzone.example.com >dig.out.test$n || ret=1
grep 'ANSWER: 1,' dig.out.test$n >/dev/null || ret=1
grep 'flags: qr aa rd ra;' dig.out.test$n >/dev/null || ret=1
grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n >/dev/null || ret=1
grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n >/dev/null && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
n=$((n + 1))
echo_i "check that in-zone CNAME records does not return target data when QTYPE is ANY (rd=1/ra=1) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -t any inzone.example.com > dig.out.test$n || ret=1
grep 'ANSWER: 1,' dig.out.test$n > /dev/null || ret=1
grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1
grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null || ret=1
grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -t any inzone.example.com >dig.out.test$n || ret=1
grep 'ANSWER: 1,' dig.out.test$n >/dev/null || ret=1
grep 'flags: qr aa rd ra;' dig.out.test$n >/dev/null || ret=1
grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n >/dev/null || ret=1
grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n >/dev/null && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
n=$((n + 1))
echo_i "check that in-zone DNAME records does not return target data when QTYPE is CNAME (rd=1/ra=1) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -t cname inzone.dname.example.com > dig.out.test$n || ret=1
grep 'ANSWER: 2,' dig.out.test$n > /dev/null || ret=1
grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1
grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n > /dev/null || ret=1
grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n > /dev/null || ret=1
grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null && ret=1
grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -t cname inzone.dname.example.com >dig.out.test$n || ret=1
grep 'ANSWER: 2,' dig.out.test$n >/dev/null || ret=1
grep 'flags: qr aa rd ra;' dig.out.test$n >/dev/null || ret=1
grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n >/dev/null || ret=1
grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n >/dev/null || ret=1
grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n >/dev/null && ret=1
grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n >/dev/null && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
n=$((n + 1))
echo_i "check that in-zone DNAME records does not return target data when QTYPE is ANY (rd=1/ra=1) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -t any inzone.dname.example.com > dig.out.test$n || ret=1
grep 'ANSWER: 2,' dig.out.test$n > /dev/null || ret=1
grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1
grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n > /dev/null || ret=1
grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n > /dev/null || ret=1
grep 'inzone\.example\.com.*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null && ret=1
grep 'a\.example\.com.*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -t any inzone.dname.example.com >dig.out.test$n || ret=1
grep 'ANSWER: 2,' dig.out.test$n >/dev/null || ret=1
grep 'flags: qr aa rd ra;' dig.out.test$n >/dev/null || ret=1
grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n >/dev/null || ret=1
grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n >/dev/null || ret=1
grep 'inzone\.example\.com.*CNAME.a\.example\.com\.' dig.out.test$n >/dev/null && ret=1
grep 'a\.example\.com.*A.10\.53\.0\.1' dig.out.test$n >/dev/null && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
n=$((n + 1))
echo_i "check that CHAOS addresses are compared correctly ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.1 +noall +answer ch test.example.chaos > dig.out.test$n
lines=$(wc -l < dig.out.test$n)
$DIG $DIGOPTS @10.53.0.1 +noall +answer ch test.example.chaos >dig.out.test$n
lines=$(wc -l <dig.out.test$n)
[ ${lines:-0} -eq 2 ] || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))


@ -17,9 +17,9 @@ zone=.
zonefile=root.db
infile=root.db.in
(cd ../ns2 && $SHELL keygen.sh )
(cd ../ns2 && $SHELL keygen.sh)
cat $infile ../ns2/dsset-example. ../ns2/dsset-bar. > $zonefile
cat $infile ../ns2/dsset-example. ../ns2/dsset-bar. >$zonefile
zskact=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone)
zskvanish=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone)
@ -34,20 +34,20 @@ rm $zsknopriv.private
ksksby=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -P now -A now+15s -fk $zone)
kskrev=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -R now+15s -fk $zone)
keyfile_to_static_ds $ksksby > trusted.conf
keyfile_to_static_ds $ksksby >trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf
keyfile_to_static_ds $kskrev > trusted.conf
keyfile_to_static_ds $kskrev >trusted.conf
cp trusted.conf ../ns5/trusted.conf
echo $zskact > ../active.key
echo $zskvanish > ../vanishing.key
echo $zskdel > ../del.key
echo $zskinact > ../inact.key
echo $zskunpub > ../unpub.key
echo $zsknopriv > ../nopriv.key
echo $zsksby > ../standby.key
echo $zskactnowpub1d > ../activate-now-publish-1day.key
$REVOKE -R $kskrev > ../rev.key
echo $zskact >../active.key
echo $zskvanish >../vanishing.key
echo $zskdel >../del.key
echo $zskinact >../inact.key
echo $zskunpub >../unpub.key
echo $zsknopriv >../nopriv.key
echo $zsksby >../standby.key
echo $zskactnowpub1d >../activate-now-publish-1day.key
$REVOKE -R $kskrev >../rev.key


@ -14,52 +14,50 @@
. ../../conf.sh
# Have the child generate subdomain keys and pass DS sets to us.
( cd ../ns3 && $SHELL keygen.sh )
(cd ../ns3 && $SHELL keygen.sh)
for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 \
nsec3-to-nsec oldsigs sync dname-at-apex-nsec3 cds-delete \
cdnskey-delete
do
cp ../ns3/dsset-$subdomain.example. .
nsec3-to-nsec oldsigs sync dname-at-apex-nsec3 cds-delete \
cdnskey-delete; do
cp ../ns3/dsset-$subdomain.example. .
done
# Create keys and pass the DS to the parent.
zone=example
zonefile="${zone}.db"
infile="${zonefile}.in"
cat $infile dsset-*.example. > $zonefile
cat $infile dsset-*.example. >$zonefile
kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null
$DSFROMKEY $kskname.key > dsset-${zone}.
$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone >/dev/null
$DSFROMKEY $kskname.key >dsset-${zone}.
# Create keys for a private secure zone.
zone=private.secure.example
zonefile="${zone}.db"
infile="${zonefile}.in"
ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null
keyfile_to_static_ds $ksk > private.conf
$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone >/dev/null
keyfile_to_static_ds $ksk >private.conf
cp private.conf ../ns4/private.conf
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >/dev/null
# Extract saved keys for the revoke-to-duplicate-key test
zone=bar
zonefile="${zone}.db"
infile="${zonefile}.in"
cat $infile > $zonefile
cat $infile >$zonefile
for i in Xbar.+013+59973.key Xbar.+013+59973.private \
Xbar.+013+60101.key Xbar.+013+60101.private
do
cp $i $(echo $i | sed s/X/K/)
Xbar.+013+60101.key Xbar.+013+60101.private; do
cp $i $(echo $i | sed s/X/K/)
done
$KEYGEN -a ECDSAP256SHA256 -q $zone > /dev/null
$DSFROMKEY Kbar.+013+60101.key > dsset-bar.
$KEYGEN -a ECDSAP256SHA256 -q $zone >/dev/null
$DSFROMKEY Kbar.+013+60101.key >dsset-bar.
# a zone with empty non-terminals.
zone=optout-with-ent
zonefile=optout-with-ent.db
infile=optout-with-ent.db.in
cat $infile > $zonefile
cat $infile >$zonefile
kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null
$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone >/dev/null
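Review bot: The rename loop at `cp $i $(echo $i | sed s/X/K/)` forks a subshell and sed for every file only to swap a leading `X` for `K`; POSIX parameter expansion does the same in-shell and keeps the filenames quoted: `cp "$i" "K${i#X}"`. Every item in the list begins with `X`, so the resulting names are identical. Separately, the `$KEYGEN ... >/dev/null` and `$DSFROMKEY ... >dsset-...` lines in this hunk discard their exit status, so a key-generation failure here surfaces only later as a missing dsset or an unsigned zone; appending `|| exit 1` to those lines would make the setup fail where the problem occurs. The hunk begins at line 14 of the file and the script continues past it.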


@ -15,43 +15,43 @@
SYSTESTDIR=autosign
dumpit () {
echo_d "${debug}: dumping ${1}"
cat "${1}" | cat_d
dumpit() {
echo_d "${debug}: dumping ${1}"
cat "${1}" | cat_d
}
setup () {
echo_i "setting up zone: $1"
debug="$1"
zone="$1"
zonefile="${zone}.db"
infile="${zonefile}.in"
n=$((${n:-0} + 1))
setup() {
echo_i "setting up zone: $1"
debug="$1"
zone="$1"
zonefile="${zone}.db"
infile="${zonefile}.in"
n=$((${n:-0} + 1))
}
setup secure.example
cp $infile $zonefile
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# NSEC3/NSEC test zone
#
setup secure.nsec3.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# NSEC3/NSEC3 test zone
#
setup nsec3.nsec3.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# Jitter/NSEC3 test zone
@ -59,10 +59,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}.
setup jitter.nsec3.example
cp $infile $zonefile
count=1
while [ $count -le 1000 ]
do
echo "label${count} IN TXT label${count}" >> $zonefile
count=$((count + 1))
while [ $count -le 1000 ]; do
echo "label${count} IN TXT label${count}" >>$zonefile
count=$((count + 1))
done
# Don't create keys just yet, because the scenario we want to test
# is an unsigned zone that has a NSEC3PARAM record added with
@ -73,98 +72,100 @@ done
#
setup optout.nsec3.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# A nsec3 zone (non-optout).
#
setup nsec3.example
cat $infile dsset-*.${zone}. > $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
cat $infile dsset-*.${zone}. >$zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# An NSEC3 zone, with NSEC3 parameters set prior to signing
#
setup autonsec3.example
cat $infile > $zonefile
ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
echo $ksk > ../autoksk.key
zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
echo $zsk > ../autozsk.key
$DSFROMKEY $ksk.key > dsset-${zone}.
cat $infile >$zonefile
ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
echo $ksk >../autoksk.key
zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
echo $zsk >../autozsk.key
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# OPTOUT/NSEC test zone
#
setup secure.optout.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# OPTOUT/NSEC3 test zone
#
setup nsec3.optout.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# OPTOUT/OPTOUT test zone
#
setup optout.optout.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# A optout nsec3 zone.
#
setup optout.example
cat $infile dsset-*.${zone}. > $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
cat $infile dsset-*.${zone}. >$zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# A RSASHA256 zone.
#
setup rsasha256.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA256 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA256 -b 2048 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# A RSASHA512 zone.
#
setup rsasha512.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA512 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA512 -b 2048 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# NSEC-only zone. A zone using NSEC-only DNSSEC algorithms.
# None of these algorithms are supported for signing in FIPS mode
# as they are MD5 and SHA1 based.
#
if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1)
then
setup nsec-only.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
if (
cd ..
$SHELL ../testcrypto.sh -q RSASHA1
); then
setup nsec-only.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA1 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
else
echo_i "skip: nsec-only.example - signing with RSASHA1 not supported"
echo_i "skip: nsec-only.example - signing with RSASHA1 not supported"
fi
#
@ -174,52 +175,51 @@ fi
setup oldsigs.example
cp $infile $zonefile
count=1
while [ $count -le 1000 ]
do
echo "label${count} IN TXT label${count}" >> $zonefile
count=$((count + 1))
while [ $count -le 1000 ]; do
echo "label${count} IN TXT label${count}" >>$zonefile
count=$((count + 1))
done
$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out
$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile > s.out || dumpit s.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out
$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile >s.out || dumpit s.out
mv $zonefile.signed $zonefile
#
# NSEC3->NSEC transition test zone.
#
setup nsec3-to-nsec.example
$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out || dumpit s.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >s.out || dumpit s.out
#
# secure-to-insecure transition test zone; used to test removal of
# keys via nsupdate
#
setup secure-to-insecure.example
$KEYGEN -a $DEFAULT_ALGORITHM -q -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -q $zone > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -o $zone -f $zonefile $infile > s.out || dumpit s.out
$KEYGEN -a $DEFAULT_ALGORITHM -q -fk $zone >kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -q $zone >kg.out 2>&1 || dumpit kg.out
$SIGNER -S -o $zone -f $zonefile $infile >s.out || dumpit s.out
#
# another secure-to-insecure transition test zone; used to test
# removal of keys on schedule.
#
setup secure-to-insecure2.example
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
echo $ksk > ../del1.key
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
echo $zsk > ../del2.key
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
echo $ksk >../del1.key
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
echo $zsk >../del2.key
$SIGNER -S -3 beef -o $zone -f $zonefile $infile >s.out || dumpit s.out
#
# Introducing a pre-published key test.
#
setup prepub.example
infile="secure-to-insecure2.example.db.in"
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone >kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
$SIGNER -S -3 beef -o $zone -f $zonefile $infile >s.out || dumpit s.out
#
# Key TTL tests.
@ -227,46 +227,46 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
# no default key TTL; DNSKEY should get SOA TTL
setup ttl1.example
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone >kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
cp $infile $zonefile
# default key TTL should be used
setup ttl2.example
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $zone >kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone >kg.out 2>&1 || dumpit kg.out
cp $infile $zonefile
# mismatched key TTLs, should use shortest
setup ttl3.example
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $zone >kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone >kg.out 2>&1 || dumpit kg.out
cp $infile $zonefile
# existing DNSKEY RRset, should retain TTL
setup ttl4.example
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out
cat ${infile} K${zone}.+*.key > $zonefile
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $zone >kg.out 2>&1 || dumpit kg.out
cat ${infile} K${zone}.+*.key >$zonefile
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone >kg.out 2>&1 || dumpit kg.out
#
# A zone with a DNSKEY RRset that is published before it's activated
#
setup delay.example
ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
echo $ksk > ../delayksk.key
zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
echo $zsk > ../delayzsk.key
ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
echo $ksk >../delayksk.key
zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
echo $zsk >../delayzsk.key
#
# A zone with signatures that are already expired, and the private KSK
# is missing.
#
setup noksk.example
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
echo $ksk > ../noksk-ksk.key
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out
echo $ksk >../noksk-ksk.key
rm -f ${ksk}.private
#
@ -274,11 +274,11 @@ rm -f ${ksk}.private
# is missing.
#
setup nozsk.example
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
echo $ksk > ../nozsk-ksk.key
echo $zsk > ../nozsk-zsk.key
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out
echo $ksk >../nozsk-ksk.key
echo $zsk >../nozsk-zsk.key
rm -f ${zsk}.private
#
@ -286,77 +286,77 @@ rm -f ${zsk}.private
# is inactive.
#
setup inaczsk.example
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
echo $ksk > ../inaczsk-ksk.key
echo $zsk > ../inaczsk-zsk.key
$SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out
echo $ksk >../inaczsk-ksk.key
echo $zsk >../inaczsk-zsk.key
$SETTIME -I now $zsk >st.out 2>&1 || dumpit st.out
#
# A zone that is set to 'auto-dnssec maintain' during a reconfig
#
setup reconf.example
cp secure.example.db.in $zonefile
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone >kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
#
# A zone which generates CDS and CDNSEY RRsets automatically
#
setup sync.example
cp $infile $zonefile
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
echo ns3/$ksk > ../sync.key
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2>kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
echo ns3/$ksk >../sync.key
#
# A zone that generates CDS and CDNSKEY and uses dnssec-dnskey-kskonly
#
setup kskonly.example
cp $infile $zonefile
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2>kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# A zone that has a published inactive key that is autosigned.
#
setup inacksk2.example
cp $infile $zonefile
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -Pnow -A now+3600 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -Pnow -A now+3600 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# A zone that has a published inactive key that is autosigned.
#
setup inaczsk2.example
cp $infile $zonefile
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# A zone that starts with a active KSK + ZSK and a inactive ZSK.
#
setup inacksk3.example
cp $infile $zonefile
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 -fk $zone > kg.out 2>&1 || dumpit kg.out
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 -fk $zone >kg.out 2>&1 || dumpit kg.out
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# A zone that starts with a active KSK + ZSK and a inactive ZSK.
#
setup inaczsk3.example
cp $infile $zonefile
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# A zone that starts with an active KSK + ZSK and an inactive ZSK, with the
@ -364,28 +364,28 @@ $DSFROMKEY $ksk.key > dsset-${zone}.
#
setup delzsk.example
cp $infile $zonefile
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -I now-1w $zone 2>kg.out) || dumpit kg.out
echo $zsk > ../delzsk.key
echo $zsk >../delzsk.key
#
# Check that NSEC3 are correctly signed and returned from below a DNAME
#
setup dname-at-apex-nsec3.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# Check that dynamically added CDS (DELETE) is kept in the zone after signing.
#
setup cds-delete.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
#
# Check that dynamically added CDNSKEY (DELETE) is kept in the zone after
@ -393,6 +393,6 @@ $DSFROMKEY $ksk.key > dsset-${zone}.
#
setup cdnskey-delete.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}.
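Review bot: `dumpit` at the top of the first hunk only echoes the failed tool's output and returns, so each `|| dumpit kg.out` line lets the script carry on with `$ksk` empty and the following `$DSFROMKEY $ksk.key` is run against a file literally named `.key`. If setup is not meant to proceed after a key-generation failure, end the helper with `exit 1`; if it is, the later steps should at least be guarded on `$ksk` being non-empty. The `cat "${1}" | cat_d` pipe in the same helper can be written `cat_d <"${1}"`. The first hunk covers lines 15–57 of the file and the same `|| dumpit` pattern repeats in the later hunks; the script continues outside the shown ranges.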



@ -126,41 +126,47 @@ n=$((n + 1))
ret=0
count=0
echo_i "Checking expected empty zones were configured ($n)"
for zone in ${emptyzones}
do
grep "automatic empty zone: $zone" ns1/named.run > /dev/null || {
echo_i "failed (empty zone $zone missing)"
ret=1
}
count=$((count + 1))
for zone in ${emptyzones}; do
grep "automatic empty zone: $zone" ns1/named.run >/dev/null || {
echo_i "failed (empty zone $zone missing)"
ret=1
}
count=$((count + 1))
done
lines=$(grep "automatic empty zone: " ns1/named.run | wc -l)
test $count -eq $lines -a $count -eq 99 || {
ret=1; echo_i "failed (count mismatch)";
ret=1
echo_i "failed (count mismatch)"
}
if [ $ret != 0 ] ; then status=$((status + ret)); fi
if [ $ret != 0 ]; then status=$((status + ret)); fi
n=$((n + 1))
echo_i "Checking that reconfiguring empty zones is silent ($n)"
$RNDCCMD 10.53.0.1 reconfig
ret=0
grep "automatic empty zone" ns1/named.run > /dev/null || ret=1
grep "received control channel command 'reconfig'" ns1/named.run > /dev/null || ret=1
grep "reloading configuration succeeded" ns1/named.run > /dev/null || ret=1
grep "automatic empty zone" ns1/named.run >/dev/null || ret=1
grep "received control channel command 'reconfig'" ns1/named.run >/dev/null || ret=1
grep "reloading configuration succeeded" ns1/named.run >/dev/null || ret=1
sleep 1
grep "zone serial (0) unchanged." ns1/named.run > /dev/null && ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
grep "zone serial (0) unchanged." ns1/named.run >/dev/null && ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
n=$((n + 1))
echo_i "Checking that reloading empty zones is silent ($n)"
rndc_reload ns1 10.53.0.1
ret=0
grep "automatic empty zone" ns1/named.run > /dev/null || ret=1
grep "received control channel command 'reload'" ns1/named.run > /dev/null || ret=1
grep "reloading configuration succeeded" ns1/named.run > /dev/null || ret=1
grep "automatic empty zone" ns1/named.run >/dev/null || ret=1
grep "received control channel command 'reload'" ns1/named.run >/dev/null || ret=1
grep "reloading configuration succeeded" ns1/named.run >/dev/null || ret=1
sleep 1
grep "zone serial (0) unchanged." ns1/named.run > /dev/null && ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
grep "zone serial (0) unchanged." ns1/named.run >/dev/null && ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
HOST_NAME=$($FEATURETEST --gethostname)
BIND_VERSION_STRING=$($NAMED -V | head -1)
@ -169,80 +175,113 @@ BIND_VERSION=$($NAMED -V | sed -ne 's/^BIND \([^ ]*\).*/\1/p')
n=$((n + 1))
ret=0
echo_i "Checking that default version works for rndc ($n)"
$RNDCCMD 10.53.0.1 status > rndc.status.ns1.$n 2>&1
grep -F "version: $BIND_VERSION_STRING" rndc.status.ns1.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
$RNDCCMD 10.53.0.1 status >rndc.status.ns1.$n 2>&1
grep -F "version: $BIND_VERSION_STRING" rndc.status.ns1.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
n=$((n + 1))
ret=0
echo_i "Checking that custom version works for rndc ($n)"
$RNDCCMD 10.53.0.3 status > rndc.status.ns3.$n 2>&1
grep -F "version: $BIND_VERSION_STRING (this is a test of version)" rndc.status.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
$RNDCCMD 10.53.0.3 status >rndc.status.ns3.$n 2>&1
grep -F "version: $BIND_VERSION_STRING (this is a test of version)" rndc.status.ns3.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
n=$((n + 1))
ret=0
echo_i "Checking that default version works for query ($n)"
$DIG $DIGOPTS +short version.bind txt ch @10.53.0.1 > dig.out.ns1.$n || ret=1
grep "^\"$BIND_VERSION\"$" dig.out.ns1.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
$DIG $DIGOPTS +short version.bind txt ch @10.53.0.1 >dig.out.ns1.$n || ret=1
grep "^\"$BIND_VERSION\"$" dig.out.ns1.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
n=$((n + 1))
ret=0
echo_i "Checking that custom version works for query ($n)"
$DIG $DIGOPTS +short version.bind txt ch @10.53.0.3 > dig.out.ns3.$n || ret=1
grep "^\"this is a test of version\"$" dig.out.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
$DIG $DIGOPTS +short version.bind txt ch @10.53.0.3 >dig.out.ns3.$n || ret=1
grep "^\"this is a test of version\"$" dig.out.ns3.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
n=$((n + 1))
ret=0
echo_i "Checking that default hostname works for query ($n)"
$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.1 > dig.out.ns1.$n || ret=1
grep "^\"$HOST_NAME\"$" dig.out.ns1.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.1 >dig.out.ns1.$n || ret=1
grep "^\"$HOST_NAME\"$" dig.out.ns1.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
n=$((n + 1))
ret=0
echo_i "Checking that custom hostname works for query ($n)"
$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.3 > dig.out.ns3.$n || ret=1
grep "^\"this.is.a.test.of.hostname\"$" dig.out.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.3 >dig.out.ns3.$n || ret=1
grep "^\"this.is.a.test.of.hostname\"$" dig.out.ns3.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
n=$((n + 1))
ret=0
echo_i "Checking that default server-id is none for query ($n)"
$DIG $DIGOPTS id.server txt ch @10.53.0.1 > dig.out.ns1.$n || ret=1
grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns1.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
$DIG $DIGOPTS id.server txt ch @10.53.0.1 >dig.out.ns1.$n || ret=1
grep "status: NOERROR" dig.out.ns1.$n >/dev/null || ret=1
grep "ANSWER: 0" dig.out.ns1.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
n=$((n + 1))
ret=0
echo_i "Checking that server-id hostname works for query ($n)"
$DIG $DIGOPTS +short id.server txt ch @10.53.0.2 > dig.out.ns2.$n || ret=1
grep "^\"$HOST_NAME\"$" dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
$DIG $DIGOPTS +short id.server txt ch @10.53.0.2 >dig.out.ns2.$n || ret=1
grep "^\"$HOST_NAME\"$" dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
n=$((n + 1))
ret=0
echo_i "Checking that server-id hostname works for EDNS name server ID request ($n)"
$DIG $DIGOPTS +norec +nsid foo @10.53.0.2 > dig.out.ns2.$n || ret=1
grep "^; NSID: .* (\"$HOST_NAME\")$" dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
$DIG $DIGOPTS +norec +nsid foo @10.53.0.2 >dig.out.ns2.$n || ret=1
grep "^; NSID: .* (\"$HOST_NAME\")$" dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
n=$((n + 1))
ret=0
echo_i "Checking that custom server-id works for query ($n)"
$DIG $DIGOPTS +short id.server txt ch @10.53.0.3 > dig.out.ns3.$n || ret=1
grep "^\"this.is.a.test.of.server-id\"$" dig.out.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
$DIG $DIGOPTS +short id.server txt ch @10.53.0.3 >dig.out.ns3.$n || ret=1
grep "^\"this.is.a.test.of.server-id\"$" dig.out.ns3.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
n=$((n + 1))
ret=0
echo_i "Checking that custom server-id works for EDNS name server ID request ($n)"
$DIG $DIGOPTS +norec +nsid foo @10.53.0.3 > dig.out.ns3.$n || ret=1
grep "^; NSID: .* (\"this.is.a.test.of.server-id\")$" dig.out.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi
$DIG $DIGOPTS +norec +nsid foo @10.53.0.3 >dig.out.ns3.$n || ret=1
grep "^; NSID: .* (\"this.is.a.test.of.server-id\")$" dig.out.ns3.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status + ret))
fi
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
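Review bot: `test $count -eq $lines -a $count -eq 99 || {` in the first hunk relies on the obsolescent `-a` operator, and `lines=$(grep "automatic empty zone: " ns1/named.run | wc -l)` spawns a pipeline where `grep -c` suffices; `lines=$(grep -c "automatic empty zone: " ns1/named.run)` followed by `[ "$count" -eq "$lines" ] && [ "$count" -eq 99 ] || {` keeps the same behaviour. In the reconfig and reload checks that follow, every `grep` runs over the whole accumulated `ns1/named.run`, so the `automatic empty zone` and `reloading configuration succeeded` matches may stem from startup or the previous step rather than from the command just issued; if the intent is that the command logs nothing new about empty zones, comparing `grep -c` counts taken before and after it would pin that down. The section's first hunk starts at line 126 of the file, so the enclosing script runs outside the shown ranges.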


@ -23,12 +23,12 @@ DIGOPTS="+nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm \
+nostat @10.53.0.2 -p ${PORT}"
# fill the cache with nodes from flushtest.example zone
load_cache () {
# empty all existing cache data
$RNDC $RNDCOPTS flush
load_cache() {
# empty all existing cache data
$RNDC $RNDCOPTS flush
# load the positive cache entries
$DIG $DIGOPTS -f - << EOF > /dev/null 2>&1
# load the positive cache entries
$DIG $DIGOPTS -f - <<EOF >/dev/null 2>&1
txt top1.flushtest.example
txt second1.top1.flushtest.example
txt third1.second1.top1.flushtest.example
@ -47,42 +47,42 @@ txt third2.second2.top3.flushtest.example
txt second3.top3.flushtest.example
EOF
# load the negative cache entries
# nxrrset:
$DIG $DIGOPTS a third1.second1.top1.flushtest.example > /dev/null
# nxdomain:
$DIG $DIGOPTS txt top4.flushtest.example > /dev/null
# empty nonterminal:
$DIG $DIGOPTS txt second2.top3.flushtest.example > /dev/null
# load the negative cache entries
# nxrrset:
$DIG $DIGOPTS a third1.second1.top1.flushtest.example >/dev/null
# nxdomain:
$DIG $DIGOPTS txt top4.flushtest.example >/dev/null
# empty nonterminal:
$DIG $DIGOPTS txt second2.top3.flushtest.example >/dev/null
# sleep 2 seconds ensure the TTLs will be lower on cached data
sleep 2
# sleep 2 seconds ensure the TTLs will be lower on cached data
sleep 2
}
dump_cache () {
rndc_dumpdb ns2 -cache _default
dump_cache() {
rndc_dumpdb ns2 -cache _default
}
clear_cache () {
$RNDC $RNDCOPTS flush
clear_cache() {
$RNDC $RNDCOPTS flush
}
in_cache () {
ttl=$($DIG $DIGOPTS "$@" | awk '{print $2}')
[ -z "$ttl" ] && {
ttl=$($DIG $DIGOPTS +noanswer +auth "$@" | awk '{print $2}')
[ "$ttl" -ge 3599 ] && return 1
return 0
}
[ "$ttl" -ge 3599 ] && return 1
return 0
in_cache() {
ttl=$($DIG $DIGOPTS "$@" | awk '{print $2}')
[ -z "$ttl" ] && {
ttl=$($DIG $DIGOPTS +noanswer +auth "$@" | awk '{print $2}')
[ "$ttl" -ge 3599 ] && return 1
return 0
}
[ "$ttl" -ge 3599 ] && return 1
return 0
}
# Extract records at and below name "$1" from the cache dump in file "$2".
filter_tree () {
tree="$1"
file="$2"
perl -n -e '
filter_tree() {
tree="$1"
file="$2"
perl -n -e '
next if /^;/;
if (/'"$tree"'/ || (/^\t/ && $print)) {
$print = 1;
@ -95,7 +95,7 @@ filter_tree () {
n=$((n + 1))
echo_i "check correctness of routine cache cleaning ($n)"
$DIG $DIGOPTS +tcp +keepopen -b 10.53.0.7 -f dig.batch > dig.out.ns2 || status=1
$DIG $DIGOPTS +tcp +keepopen -b 10.53.0.7 -f dig.batch >dig.out.ns2 || status=1
digcomp --lc dig.out.ns2 knowngood.dig.out || status=1
@ -103,7 +103,10 @@ n=$((n + 1))
echo_i "only one tcp socket was used ($n)"
tcpclients=$(awk '$3 == "client" && $5 ~ /10.53.0.7#[0-9]*:/ {print $5}' ns2/named.run | sort | uniq -c | wc -l)
test $tcpclients -eq 1 || { status=1; echo_i "failed"; }
test $tcpclients -eq 1 || {
status=1
echo_i "failed"
}
n=$((n + 1))
echo_i "reset and check that records are correctly cached initially ($n)"
@ -111,7 +114,10 @@ ret=0
load_cache
dump_cache
nrecords=$(filter_tree flushtest.example ns2/named_dump.db.test$n | grep -E '(TXT|ANY)' | wc -l)
[ $nrecords -eq 18 ] || { ret=1; echo_i "found $nrecords records expected 18"; }
[ $nrecords -eq 18 ] || {
ret=1
echo_i "found $nrecords records expected 18"
}
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -205,7 +211,10 @@ echo_i "check the number of cached records remaining ($n)"
ret=0
dump_cache
nrecords=$(filter_tree flushtest.example ns2/named_dump.db.test$n | grep -v '^;' | grep -E '(TXT|ANY)' | wc -l)
[ $nrecords -eq 17 ] || { ret=1; echo_i "found $nrecords records expected 17"; }
[ $nrecords -eq 17 ] || {
ret=1
echo_i "found $nrecords records expected 17"
}
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -223,7 +232,10 @@ echo_i "check the number of cached records remaining ($n)"
ret=0
dump_cache
nrecords=$(filter_tree flushtest.example ns2/named_dump.db.test$n | grep -E '(TXT|ANY)' | wc -l)
[ $nrecords -eq 1 ] || { ret=1; echo_i "found $nrecords records expected 1"; }
[ $nrecords -eq 1 ] || {
ret=1
echo_i "found $nrecords records expected 1"
}
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -234,34 +246,34 @@ load_cache
dump_cache
mv ns2/named_dump.db.test$n ns2/named_dump.db.test$n.a
sed -n '/plain success\/timeout/,/Unassociated entries/p' \
ns2/named_dump.db.test$n.a > sed.out.$n.a
grep 'plain success/timeout' sed.out.$n.a > /dev/null 2>&1 || ret=1
grep 'Unassociated entries' sed.out.$n.a > /dev/null 2>&1 || ret=1
grep 'ns.flushtest.example' sed.out.$n.a > /dev/null 2>&1 || ret=1
ns2/named_dump.db.test$n.a >sed.out.$n.a
grep 'plain success/timeout' sed.out.$n.a >/dev/null 2>&1 || ret=1
grep 'Unassociated entries' sed.out.$n.a >/dev/null 2>&1 || ret=1
grep 'ns.flushtest.example' sed.out.$n.a >/dev/null 2>&1 || ret=1
$RNDC $RNDCOPTS flushtree flushtest.example || ret=1
dump_cache
mv ns2/named_dump.db.test$n ns2/named_dump.db.test$n.b
sed -n '/plain success\/timeout/,/Unassociated entries/p' \
ns2/named_dump.db.test$n.b > sed.out.$n.b
grep 'plain success/timeout' sed.out.$n.b > /dev/null 2>&1 || ret=1
grep 'Unassociated entries' sed.out.$n.b > /dev/null 2>&1 || ret=1
grep 'ns.flushtest.example' sed.out.$n.b > /dev/null 2>&1 && ret=1
ns2/named_dump.db.test$n.b >sed.out.$n.b
grep 'plain success/timeout' sed.out.$n.b >/dev/null 2>&1 || ret=1
grep 'Unassociated entries' sed.out.$n.b >/dev/null 2>&1 || ret=1
grep 'ns.flushtest.example' sed.out.$n.b >/dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "check expire option returned from primary zone ($n)"
ret=0
$DIG @10.53.0.1 -p ${PORT} +expire soa expire-test > dig.out.expire || ret=1
grep EXPIRE: dig.out.expire > /dev/null || ret=1
$DIG @10.53.0.1 -p ${PORT} +expire soa expire-test >dig.out.expire || ret=1
grep EXPIRE: dig.out.expire >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "check expire option returned from secondary zone ($n)"
ret=0
$DIG @10.53.0.2 -p ${PORT} +expire soa expire-test > dig.out.expire || ret=1
grep EXPIRE: dig.out.expire > /dev/null || ret=1
$DIG @10.53.0.2 -p ${PORT} +expire soa expire-test >dig.out.expire || ret=1
grep EXPIRE: dig.out.expire >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))


@ -18,9 +18,9 @@ set -e
DIGOPTS="+tcp +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
wait_for_serial() (
$DIG $DIGOPTS "@$1" "$2" SOA > "$4"
serial=$(awk '$4 == "SOA" { print $7 }' "$4")
[ "$3" -eq "${serial:--1}" ]
$DIG $DIGOPTS "@$1" "$2" SOA >"$4"
serial=$(awk '$4 == "SOA" { print $7 }' "$4")
[ "$3" -eq "${serial:--1}" ]
)
status=0
@ -29,25 +29,23 @@ n=0
n=$((n + 1))
echo_i "waiting for zone transfer to complete ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9
do
$DIG $DIGOPTS soa example. @10.53.0.2 > dig.ns2.test$n || true
grep SOA dig.ns2.test$n > /dev/null && break
sleep 1
for i in 1 2 3 4 5 6 7 8 9; do
$DIG $DIGOPTS soa example. @10.53.0.2 >dig.ns2.test$n || true
grep SOA dig.ns2.test$n >/dev/null && break
sleep 1
done
for i in 1 2 3 4 5 6 7 8 9
do
$DIG $DIGOPTS soa dynamic. @10.53.0.2 > dig.ns2.test$n || true
grep SOA dig.ns2.test$n > /dev/null && break
sleep 1
for i in 1 2 3 4 5 6 7 8 9; do
$DIG $DIGOPTS soa dynamic. @10.53.0.2 >dig.ns2.test$n || true
grep SOA dig.ns2.test$n >/dev/null && break
sleep 1
done
n=$((n + 1))
echo_i "testing case preserving responses - no acl ($n)"
ret=0
$DIG $DIGOPTS mx example. @10.53.0.1 > dig.ns1.test$n || ret=1
grep "0.mail.eXaMpLe" dig.ns1.test$n > /dev/null || ret=1
grep "mAiL.example" dig.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS mx example. @10.53.0.1 >dig.ns1.test$n || ret=1
grep "0.mail.eXaMpLe" dig.ns1.test$n >/dev/null || ret=1
grep "mAiL.example" dig.ns1.test$n >/dev/null || ret=1
test $ret -eq 0 || echo_i "failed"
status=$((status + ret))
@ -56,14 +54,14 @@ echo_i "testing no-case-compress acl '{ 10.53.0.2; }' ($n)"
ret=0
# check that we preserve zone case for non-matching query (10.53.0.1)
$DIG $DIGOPTS mx example. -b 10.53.0.1 @10.53.0.1 > dig.ns1.test$n || ret=1
grep "0.mail.eXaMpLe" dig.ns1.test$n > /dev/null || ret=1
grep "mAiL.example" dig.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS mx example. -b 10.53.0.1 @10.53.0.1 >dig.ns1.test$n || ret=1
grep "0.mail.eXaMpLe" dig.ns1.test$n >/dev/null || ret=1
grep "mAiL.example" dig.ns1.test$n >/dev/null || ret=1
# check that we don't preserve zone case for match (10.53.0.2)
$DIG $DIGOPTS mx example. -b 10.53.0.2 @10.53.0.2 > dig.ns2.test$n || ret=1
grep "0.mail.example" dig.ns2.test$n > /dev/null || ret=1
grep "mail.example" dig.ns2.test$n > /dev/null || ret=1
$DIG $DIGOPTS mx example. -b 10.53.0.2 @10.53.0.2 >dig.ns2.test$n || ret=1
grep "0.mail.example" dig.ns2.test$n >/dev/null || ret=1
grep "mail.example" dig.ns2.test$n >/dev/null || ret=1
test $ret -eq 0 || echo_i "failed"
status=$((status + ret))
@ -71,7 +69,7 @@ status=$((status + ret))
n=$((n + 1))
echo_i "testing load of dynamic zone with various \$ORIGIN values ($n)"
ret=0
$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n || ret=1
$DIG $DIGOPTS axfr dynamic @10.53.0.1 >dig.ns1.test$n || ret=1
digcomp dig.ns1.test$n dynamic.good || ret=1
test $ret -eq 0 || echo_i "failed"
@ -80,7 +78,7 @@ status=$((status + ret))
n=$((n + 1))
echo_i "transfer of dynamic zone with various \$ORIGIN values ($n)"
ret=0
$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n || ret=1
$DIG $DIGOPTS axfr dynamic @10.53.0.2 >dig.ns2.test$n || ret=1
digcomp dig.ns2.test$n dynamic.good || ret=1
test $ret -eq 0 || echo_i "failed"
@ -88,13 +86,13 @@ status=$((status + ret))
n=$((n + 1))
echo_i "change SOA owner case via update ($n)"
$NSUPDATE << EOF
$NSUPDATE <<EOF
server 10.53.0.1 ${PORT}
zone dynamic
update add dYNAMIc 0 SOA mname1. . 2000042408 20 20 1814400 3600
send
EOF
$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n || ret=1
$DIG $DIGOPTS axfr dynamic @10.53.0.1 >dig.ns1.test$n || ret=1
digcomp dig.ns1.test$n postupdate.good || ret=1
test $ret -eq 0 || echo_i "failed"
@ -111,7 +109,7 @@ status=$((status + ret))
n=$((n + 1))
echo_i "check SOA owner case is transferred to secondary ($n)"
ret=0
$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n || ret=1
$DIG $DIGOPTS axfr dynamic @10.53.0.2 >dig.ns2.test$n || ret=1
digcomp dig.ns2.test$n postupdate.good || ret=1
test $ret -eq 0 || echo_i "failed"
@ -120,13 +118,13 @@ status=$((status + ret))
#update delete Ns1.DyNaMIC. 300 IN A 10.53.0.1
n=$((n + 1))
echo_i "change A record owner case via update ($n)"
$NSUPDATE << EOF
$NSUPDATE <<EOF
server 10.53.0.1 ${PORT}
zone dynamic
update add Ns1.DyNaMIC. 300 IN A 10.53.0.1
send
EOF
$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n || ret=1
$DIG $DIGOPTS axfr dynamic @10.53.0.1 >dig.ns1.test$n || ret=1
digcomp dig.ns1.test$n postns1.good || ret=1
test $ret -eq 0 || echo_i "failed"
@ -143,7 +141,7 @@ status=$((status + ret))
n=$((n + 1))
echo_i "check A owner case is transferred to secondary ($n)"
ret=0
$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n || ret=1
$DIG $DIGOPTS axfr dynamic @10.53.0.2 >dig.ns2.test$n || ret=1
digcomp dig.ns2.test$n postns1.good || ret=1
status=$((status + ret))



@ -39,22 +39,22 @@ id2=$id2
EOF
tac() {
$PERL -e 'print reverse <>'
$PERL -e 'print reverse <>'
}
convert() {
key=$1
n=$2
$DSFROMKEY -12 $key >DS.$n
grep " ${DEFAULT_ALGORITHM_NUMBER} 1 " DS.$n >DS.$n-1
grep " ${DEFAULT_ALGORITHM_NUMBER} 2 " DS.$n >DS.$n-2
sed 's/ IN DS / IN CDS /' <DS.$n >>CDS.$n
sed 's/ IN DS / IN CDS /' <DS.$n-1 >>CDS.$n-1
sed 's/ IN DS / IN CDS /' <DS.$n-2 >>CDS.$n-2
sed 's/ IN DNSKEY / IN CDNSKEY /' <$key.key >CDNSKEY.$n
sed 's/ IN DS / 3600 IN DS /' <DS.$n >DS.ttl$n
sed 's/ IN DS / 7200 IN DS /' <DS.$n >DS.ttlong$n
tac <DS.$n >DS.rev$n
key=$1
n=$2
$DSFROMKEY -12 $key >DS.$n
grep " ${DEFAULT_ALGORITHM_NUMBER} 1 " DS.$n >DS.$n-1
grep " ${DEFAULT_ALGORITHM_NUMBER} 2 " DS.$n >DS.$n-2
sed 's/ IN DS / IN CDS /' <DS.$n >>CDS.$n
sed 's/ IN DS / IN CDS /' <DS.$n-1 >>CDS.$n-1
sed 's/ IN DS / IN CDS /' <DS.$n-2 >>CDS.$n-2
sed 's/ IN DNSKEY / IN CDNSKEY /' <$key.key >CDNSKEY.$n
sed 's/ IN DS / 3600 IN DS /' <DS.$n >DS.ttl$n
sed 's/ IN DS / 7200 IN DS /' <DS.$n >DS.ttlong$n
tac <DS.$n >DS.rev$n
}
convert $key1 1
convert $key2 2
@ -86,9 +86,9 @@ cat UP.add2 UP.del1 | sed 3d >UP.swap
sed 's/ add \(.*\) IN DS / add \1 3600 IN DS /' <UP.swap >UP.swapttl
sign() {
cat >db.$1
$SIGNER >/dev/null \
-S -O full -o $Z -f sig.$1 db.$1
cat >db.$1
$SIGNER >/dev/null \
-S -O full -o $Z -f sig.$1 db.$1
}
sign null <<EOF
@ -121,18 +121,18 @@ cat db.null CDS.2-1 | sign cds.2.sha1
cat db.null CDS.2-1 CDNSKEY.2 | sign cds.cdnskey.2.sha1
$mangle '\s+IN\s+RRSIG\s+CDS .* '$idz' '$Z'\. ' \
<sig.cds.1 >brk.rrsig.cds.zsk
<sig.cds.1 >brk.rrsig.cds.zsk
$mangle '\s+IN\s+RRSIG\s+CDS .* '$id1' '$Z'\. ' \
<sig.cds.1 >brk.rrsig.cds.ksk
<sig.cds.1 >brk.rrsig.cds.ksk
$mangle " IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 " <db.cds.1 |
sign cds-mangled
$mangle " IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 " <db.cds.1 \
| sign cds-mangled
bad=$($PERL -le "print ($id1 ^ 255);")
sed "s/IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 /IN CDS $bad ${DEFAULT_ALGORITHM_NUMBER} 1 /" <db.cds.1 |
sign bad-digests
sed "s/IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 /IN CDS $bad ${DEFAULT_ALGORITHM_NUMBER} 1 /" <db.cds.1 \
| sign bad-digests
sed "/IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} /p;s//IN CDS $bad $ALTERNATIVE_ALGORITHM_NUMBER /" <db.cds.1 |
sign bad-algos
sed "/IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} /p;s//IN CDS $bad $ALTERNATIVE_ALGORITHM_NUMBER /" <db.cds.1 \
| sign bad-algos
rm -f dsset-*


@ -18,49 +18,53 @@ set -e
status=0
n=0
fail() {
echo_i "failed"
status=$((status + 1))
echo_i "failed"
status=$((status + 1))
}
runcmd() {
("$@" 1> out.$n 2> err.$n; echo $?) || true
(
"$@" 1>out.$n 2>err.$n
echo $?
) || true
}
testcase() {
n=$((n + 1))
echo_i "$name ($n)"
expect=$1
shift
result=$(runcmd "$@")
check_stdout
check_stderr
if [ "$expect" -ne "$result" ]; then
echo_d "exit status does not match $expect"
fail
fi
unset name err out
n=$((n + 1))
echo_i "$name ($n)"
expect=$1
shift
result=$(runcmd "$@")
check_stdout
check_stderr
if [ "$expect" -ne "$result" ]; then
echo_d "exit status does not match $expect"
fail
fi
unset name err out
}
check_stderr() {
if [ -n "${err:=}" ]; then
grep -E "$err" err.$n >/dev/null && return 0
echo_d "stderr did not match '$err'"
else
[ -s err.$n ] || return 0
fi
cat err.$n | cat_d
fail
if [ -n "${err:=}" ]; then
grep -E "$err" err.$n >/dev/null && return 0
echo_d "stderr did not match '$err'"
else
[ -s err.$n ] || return 0
fi
cat err.$n | cat_d
fail
}
check_stdout() {
diff out.$n "${out:-empty}" >/dev/null && return
echo_d "stdout did not match '$out'"
( echo "wanted"
cat "$out"
echo "got"
cat out.$n
) | cat_d
fail
diff out.$n "${out:-empty}" >/dev/null && return
echo_d "stdout did not match '$out'"
(
echo "wanted"
cat "$out"
echo "got"
cat out.$n
) | cat_d
fail
}
Z=cds.test


@ -19,7 +19,7 @@ signedfile=example.db.signed
ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null
$SIGNER -S -o $zone -f $signedfile $zonefile >/dev/null
zone=wildcard-secure.example.
zonefile=wildcard-secure.db
@ -27,7 +27,7 @@ signedfile=wildcard-secure.example.db.signed
ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null
$SIGNER -S -o $zone -f $signedfile $zonefile >/dev/null
zone=wildcard-nsec.example.
zonefile=wildcard.db
@ -35,7 +35,7 @@ signedfile=wildcard-nsec.example.db.signed
ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null
$SIGNER -S -o $zone -f $signedfile $zonefile >/dev/null
zone=wildcard-nsec3.example.
zonefile=wildcard.db
@ -43,7 +43,7 @@ signedfile=wildcard-nsec3.example.db.signed
ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
$SIGNER -S -3 - -H 0 -o $zone -f $signedfile $zonefile > /dev/null
$SIGNER -S -3 - -H 0 -o $zone -f $signedfile $zonefile >/dev/null
zone=wildcard-nsec3-optout.example.
zonefile=wildcard.db
@ -51,4 +51,4 @@ signedfile=wildcard-nsec3-optout.example.db.signed
ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
$SIGNER -S -3 - -H 0 -A -o $zone -f $signedfile $zonefile > /dev/null
$SIGNER -S -3 - -H 0 -A -o $zone -f $signedfile $zonefile >/dev/null


@ -13,22 +13,19 @@
. ../conf.sh
if ! ${PYTHON} -c 'import dns'
then
echo_i "python dns module is required"
exit 1
if ! ${PYTHON} -c 'import dns'; then
echo_i "python dns module is required"
exit 1
fi
if ! ${PERL} -MNet::DNS -e ''
then
echo_i "perl Net::DNS module is required"
exit 1
if ! ${PERL} -MNet::DNS -e ''; then
echo_i "perl Net::DNS module is required"
exit 1
fi
if ! ${PERL} -MNet::DNS::Nameserver -e ''
then
echo_i "perl Net::DNS::Nameserver module is required"
exit 1
if ! ${PERL} -MNet::DNS::Nameserver -e ''; then
echo_i "perl Net::DNS::Nameserver module is required"
exit 1
fi
exit 0


@ -19,7 +19,7 @@ DIGOPTS="-p ${PORT}"
RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"
sendcmd() {
send 10.53.0.4 "${EXTRAPORT1}"
send 10.53.0.4 "${EXTRAPORT1}"
}
status=0
@ -28,8 +28,8 @@ n=0
n=$((n + 1))
echo_i "checking short DNAME from authoritative ($n)"
ret=0
$DIG $DIGOPTS a.short-dname.example @10.53.0.2 a > dig.out.ns2.short || ret=1
grep "status: NOERROR" dig.out.ns2.short > /dev/null || ret=1
$DIG $DIGOPTS a.short-dname.example @10.53.0.2 a >dig.out.ns2.short || ret=1
grep "status: NOERROR" dig.out.ns2.short >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -37,16 +37,16 @@ n=$((n + 1))
echo_i "checking short DNAME from recursive ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS a.short-dname.example @10.53.0.7 a > dig.out.ns4.short || ret=1
grep "status: NOERROR" dig.out.ns4.short > /dev/null || ret=1
$DIG $DIGOPTS a.short-dname.example @10.53.0.7 a >dig.out.ns4.short || ret=1
grep "status: NOERROR" dig.out.ns4.short >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking long DNAME from authoritative ($n)"
ret=0
$DIG $DIGOPTS a.long-dname.example @10.53.0.2 a > dig.out.ns2.long || ret=1
grep "status: NOERROR" dig.out.ns2.long > /dev/null || ret=1
$DIG $DIGOPTS a.long-dname.example @10.53.0.2 a >dig.out.ns2.long || ret=1
grep "status: NOERROR" dig.out.ns2.long >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -54,16 +54,16 @@ n=$((n + 1))
echo_i "checking long DNAME from recursive ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS a.long-dname.example @10.53.0.7 a > dig.out.ns4.long || ret=1
grep "status: NOERROR" dig.out.ns4.long > /dev/null || ret=1
$DIG $DIGOPTS a.long-dname.example @10.53.0.7 a >dig.out.ns4.long || ret=1
grep "status: NOERROR" dig.out.ns4.long >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking (too) long DNAME from authoritative ($n)"
ret=0
$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.2 a > dig.out.ns2.toolong || ret=1
grep "status: YXDOMAIN" dig.out.ns2.toolong > /dev/null || ret=1
$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.2 a >dig.out.ns2.toolong || ret=1
grep "status: YXDOMAIN" dig.out.ns2.toolong >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -71,9 +71,9 @@ n=$((n + 1))
echo_i "checking (too) long DNAME from recursive with cached DNAME ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.7 a > dig.out.ns4.cachedtoolong || ret=1
grep "status: YXDOMAIN" dig.out.ns4.cachedtoolong > /dev/null || ret=1
grep '^long-dname\.example\..*DNAME.*long' dig.out.ns4.cachedtoolong > /dev/null || ret=1
$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.7 a >dig.out.ns4.cachedtoolong || ret=1
grep "status: YXDOMAIN" dig.out.ns4.cachedtoolong >/dev/null || ret=1
grep '^long-dname\.example\..*DNAME.*long' dig.out.ns4.cachedtoolong >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -81,50 +81,50 @@ n=$((n + 1))
echo_i "checking (too) long DNAME from recursive without cached DNAME ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglong.toolong-dname.example @10.53.0.7 a > dig.out.ns4.uncachedtoolong || ret=1
grep "status: YXDOMAIN" dig.out.ns4.uncachedtoolong > /dev/null || ret=1
grep '^toolong-dname\.example\..*DNAME.*long' dig.out.ns4.uncachedtoolong > /dev/null || ret=1
$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglong.toolong-dname.example @10.53.0.7 a >dig.out.ns4.uncachedtoolong || ret=1
grep "status: YXDOMAIN" dig.out.ns4.uncachedtoolong >/dev/null || ret=1
grep '^toolong-dname\.example\..*DNAME.*long' dig.out.ns4.uncachedtoolong >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
find_records() {
owner_name="$1"
rr_type="$2"
file="$3"
awk '$1 == "'"$owner_name"'" && $4 == "'"$rr_type"'" { print }' < "$file"
owner_name="$1"
rr_type="$2"
file="$3"
awk '$1 == "'"$owner_name"'" && $4 == "'"$rr_type"'" { print }' <"$file"
}
count_records() {
owner_name="$1"
rr_type="$2"
file="$3"
find_records "$owner_name" "$rr_type" "$file" | wc -l
owner_name="$1"
rr_type="$2"
file="$3"
find_records "$owner_name" "$rr_type" "$file" | wc -l
}
exactly_one_record_exists_for() {
owner_name="$1"
rr_type="$2"
file="$3"
test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 1
owner_name="$1"
rr_type="$2"
file="$3"
test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 1
}
no_records_exist_for() {
owner_name="$1"
rr_type="$2"
file="$3"
test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 0
owner_name="$1"
rr_type="$2"
file="$3"
test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 0
}
ensure_no_ds_in_bitmap() {
owner_name="$1"
rr_type="$2"
file="$3"
case "$rr_type" in
NSEC) start_index=6 ;;
NSEC3) start_index=10 ;;
*) exit 1 ;;
esac
find_records "$owner_name" "$rr_type" "$file" | awk '{ for (i='"$start_index"'; i<=NF; i++) if ($i == "DS") exit 1 }'
owner_name="$1"
rr_type="$2"
file="$3"
case "$rr_type" in
NSEC) start_index=6 ;;
NSEC3) start_index=10 ;;
*) exit 1 ;;
esac
find_records "$owner_name" "$rr_type" "$file" | awk '{ for (i='"$start_index"'; i<=NF; i++) if ($i == "DS") exit 1 }'
}
n=$((n + 1))
@ -132,7 +132,7 @@ echo_i "checking secure delegation prepared using CNAME chaining ($n)"
ret=0
# QNAME exists, so the AUTHORITY section should only contain an NS RRset and a
# DS RRset.
$DIG $DIGOPTS @10.53.0.2 cname.wildcard-secure.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 cname.wildcard-secure.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains the expected NS and DS RRsets.
exactly_one_record_exists_for "delegation.wildcard-secure.example." NS dig.out.2.$n || ret=1
exactly_one_record_exists_for "delegation.wildcard-secure.example." DS dig.out.2.$n || ret=1
@ -144,7 +144,7 @@ echo_i "checking secure delegation prepared using wildcard expansion + CNAME cha
ret=0
# QNAME does not exist, so the AUTHORITY section should contain an NS RRset, an
# NSEC record proving nonexistence of QNAME, and a DS RRset at the zone cut.
$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-secure.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-secure.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains the expected NS and DS RRsets.
exactly_one_record_exists_for "delegation.wildcard-secure.example." NS dig.out.2.$n || ret=1
exactly_one_record_exists_for "delegation.wildcard-secure.example." DS dig.out.2.$n || ret=1
@ -161,7 +161,7 @@ echo_i "checking insecure delegation prepared using CNAME chaining, NSEC ($n)"
ret=0
# QNAME exists, so the AUTHORITY section should only contain an NS RRset and a
# single NSEC record proving nonexistence of a DS RRset at the zone cut.
$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1
@ -183,7 +183,7 @@ ret=0
# QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
# NSEC records proving nonexistence of both QNAME and a DS RRset at the zone
# cut. In this test case, these two NSEC records are different.
$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1
@ -206,7 +206,7 @@ ret=0
# NSEC records proving nonexistence of both QNAME and a DS RRset at the zone
# cut. In this test case, the same NSEC record proves nonexistence of both the
# QNAME and the DS RRset at the zone cut.
$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1
@ -247,7 +247,7 @@ echo_i "checking insecure delegation prepared using CNAME chaining, NSEC3 ($n)"
ret=0
# QNAME exists, so the AUTHORITY section should only contain an NS RRset and a
# single NSEC3 record proving nonexistence of a DS RRset at the zone cut.
$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1
@ -269,7 +269,7 @@ ret=0
# QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
# NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone
# cut. In this test case, these two NSEC3 records are different.
$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1
@ -292,7 +292,7 @@ ret=0
# NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone
# cut. In this test case, the same NSEC3 record proves nonexistence of both the
# QNAME and the DS RRset at the zone cut.
$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec3.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1
@ -336,7 +336,7 @@ echo_i "checking insecure delegation prepared using CNAME chaining, NSEC3 with o
ret=0
# QNAME exists, so the AUTHORITY section should only contain an NS RRset and a
# single NSEC3 record proving nonexistence of a DS RRset at the zone cut.
$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3-optout.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1
@ -357,7 +357,7 @@ ret=0
# QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
# NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone
# cut. In this test case, these two NSEC3 records are different.
$DIG $DIGOPTS @10.53.0.2 b-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 b-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1
@ -379,7 +379,7 @@ ret=0
# NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone
# cut. In this test case, the same NSEC3 record proves nonexistence of both the
# QNAME and the DS RRset at the zone cut.
$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1
@ -397,8 +397,8 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking CNAME to DNAME from authoritative ($n)"
ret=0
$DIG $DIGOPTS cname.example @10.53.0.2 a > dig.out.ns2.cname
grep "status: NOERROR" dig.out.ns2.cname > /dev/null || ret=1
$DIG $DIGOPTS cname.example @10.53.0.2 a >dig.out.ns2.cname
grep "status: NOERROR" dig.out.ns2.cname >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -406,12 +406,12 @@ n=$((n + 1))
echo_i "checking CNAME to DNAME from recursive"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS cname.example @10.53.0.7 a > dig.out.ns4.cname
grep "status: NOERROR" dig.out.ns4.cname > /dev/null || ret=1
grep '^cname.example.' dig.out.ns4.cname > /dev/null || ret=1
grep '^cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
grep '^a.cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
grep '^a.target.example.' dig.out.ns4.cname > /dev/null || ret=1
$DIG $DIGOPTS cname.example @10.53.0.7 a >dig.out.ns4.cname
grep "status: NOERROR" dig.out.ns4.cname >/dev/null || ret=1
grep '^cname.example.' dig.out.ns4.cname >/dev/null || ret=1
grep '^cnamedname.example.' dig.out.ns4.cname >/dev/null || ret=1
grep '^a.cnamedname.example.' dig.out.ns4.cname >/dev/null || ret=1
grep '^a.target.example.' dig.out.ns4.cname >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -419,10 +419,10 @@ n=$((n + 1))
echo_i "checking DNAME is returned with synthesized CNAME before DNAME ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 name.synth-then-dname.example.broken A > dig.out.test$n
grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
grep '^name.synth-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1
grep '^synth-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.7 name.synth-then-dname.example.broken A >dig.out.test$n
grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1
grep '^name.synth-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n >/dev/null || ret=1
grep '^synth-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -430,11 +430,11 @@ n=$((n + 1))
echo_i "checking DNAME is returned with CNAME to synthesized CNAME before DNAME ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 cname-to-synth2-then-dname.example.broken A > dig.out.test$n
grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
grep '^cname-to-synth2-then-dname\.example\.broken\..*CNAME.*name\.synth2-then-dname\.example\.broken.$' dig.out.test$n > /dev/null || ret=1
grep '^name\.synth2-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1
grep '^synth2-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.7 cname-to-synth2-then-dname.example.broken A >dig.out.test$n
grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1
grep '^cname-to-synth2-then-dname\.example\.broken\..*CNAME.*name\.synth2-then-dname\.example\.broken.$' dig.out.test$n >/dev/null || ret=1
grep '^name\.synth2-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n >/dev/null || ret=1
grep '^synth2-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -442,9 +442,9 @@ n=$((n + 1))
echo_i "checking CNAME loops are detected ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 loop.example > dig.out.test$n
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
grep "ANSWER: 17" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.7 loop.example >dig.out.test$n
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
grep "ANSWER: 17" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -452,9 +452,9 @@ n=$((n + 1))
echo_i "checking CNAME to external delegated zones is handled ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 a.example > dig.out.test$n
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
grep "ANSWER: 2" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.7 a.example >dig.out.test$n
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
grep "ANSWER: 2" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -462,9 +462,9 @@ n=$((n + 1))
echo_i "checking CNAME to internal delegated zones is handled ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 b.example > dig.out.test$n
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
grep "ANSWER: 2" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.7 b.example >dig.out.test$n
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
grep "ANSWER: 2" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -472,8 +472,8 @@ n=$((n + 1))
echo_i "checking CNAME to signed external delegation is handled ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 c.example > dig.out.$n
grep "status: NOERROR" dig.out.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.7 c.example >dig.out.$n
grep "status: NOERROR" dig.out.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -481,8 +481,8 @@ n=$((n + 1))
echo_i "checking CNAME to signed internal delegation is handled ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 d.example > dig.out.$n
grep "status: NOERROR" dig.out.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.7 d.example >dig.out.$n
grep "status: NOERROR" dig.out.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -491,39 +491,39 @@ echo_i "checking CNAME chains in various orders ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i
echo "cname,cname,cname|1,2,3,4,s1,s2,s3,s4" | sendcmd
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1
grep 'status: NOERROR' dig.out.1.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.1.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.1.$n 2>&1
grep 'status: NOERROR' dig.out.1.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.1.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 null --- start test$n - step 2 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "cname,cname,cname|1,1,2,2,3,4,s4,s3,s1" | sendcmd
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.2.$n 2>&1
grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.2.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.2.$n 2>&1
grep 'status: NOERROR' dig.out.2.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.2.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 null --- start test$n - step 3 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "cname,cname,cname|2,1,3,4,s3,s1,s2,s4" | sendcmd
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1
grep 'status: NOERROR' dig.out.3.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.3.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.3.$n 2>&1
grep 'status: NOERROR' dig.out.3.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.3.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 null --- start test$n - step 4 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "cname,cname,cname|4,3,2,1,s4,s3,s2,s1" | sendcmd
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.4.$n 2>&1
grep 'status: NOERROR' dig.out.4.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.4.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.4.$n 2>&1
grep 'status: NOERROR' dig.out.4.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.4.$n >/dev/null 2>&1 || ret=1
echo "cname,cname,cname|4,3,2,1,s4,s3,s2,s1" | sendcmd
$RNDCCMD 10.53.0.7 null --- start test$n - step 5 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.5.$n 2>&1
grep 'status: NOERROR' dig.out.5.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.5.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.5.$n 2>&1
grep 'status: NOERROR' dig.out.5.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.5.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 null --- start test$n - step 6 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "cname,cname,cname|4,3,3,3,s1,s1,1,3,4" | sendcmd
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.6.$n 2>&1
grep 'status: NOERROR' dig.out.6.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.6.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.6.$n 2>&1
grep 'status: NOERROR' dig.out.6.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.6.$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -533,9 +533,9 @@ ret=0
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "cname,cname,cname|1,2,3,4,s1,s2,s3,s4" | sendcmd
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.1.$n 2>&1
sleep 1
$DIG $DIGOPTS +noall +answer @10.53.0.7 cname1.domain.nil > dig.out.2.$n 2>&1
$DIG $DIGOPTS +noall +answer @10.53.0.7 cname1.domain.nil >dig.out.2.$n 2>&1
ttl=$(awk '{print $2}' dig.out.2.$n)
[ "$ttl" -eq 86400 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -547,21 +547,21 @@ ret=0
$RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "dname,dname|5,4,3,2,1,s5,s4,s3,s2,s1" | sendcmd
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1
grep 'status: NOERROR' dig.out.1.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 3' dig.out.1.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.1.$n 2>&1
grep 'status: NOERROR' dig.out.1.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 3' dig.out.1.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 null --- start test$n - step 2 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "dname,dname|5,4,3,2,1,s5,s4,s3,s2,s1" | sendcmd
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.2.$n 2>&1
grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 3' dig.out.2.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.2.$n 2>&1
grep 'status: NOERROR' dig.out.2.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 3' dig.out.2.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 null --- start test$n - step 3 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "dname,dname|2,3,s1,s2,s3,s4,1" | sendcmd
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1
grep 'status: NOERROR' dig.out.3.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 3' dig.out.3.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.3.$n 2>&1
grep 'status: NOERROR' dig.out.3.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 3' dig.out.3.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -571,20 +571,20 @@ echo_i "checking external CNAME/DNAME chains in various orders ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i
echo "xname,dname|1,2,3,4,s1,s2,s3,s4" | sendcmd
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1
grep 'status: NOERROR' dig.out.1.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.1.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.1.$n 2>&1
grep 'status: NOERROR' dig.out.1.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.1.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 null --- start test$n - step 2 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "xname,dname|s2,2,s1,1,4,s4,3" | sendcmd
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.2.$n 2>&1
grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.2.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.2.$n 2>&1
grep 'status: NOERROR' dig.out.2.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.2.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 null --- start test$n - step 3 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "xname,dname|s2,2,2,2" | sendcmd
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1
grep 'status: SERVFAIL' dig.out.3.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.3.$n 2>&1
grep 'status: SERVFAIL' dig.out.3.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -593,8 +593,8 @@ n=$((n + 1))
echo_i "checking explicit DNAME query ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 dname short-dname.example > dig.out.7.$n 2>&1
grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 dname short-dname.example >dig.out.7.$n 2>&1
grep 'status: NOERROR' dig.out.7.$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -603,8 +603,8 @@ echo_i "checking DNAME via ANY query ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 any short-dname.example > dig.out.7.$n 2>&1
grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 any short-dname.example >dig.out.7.$n 2>&1
grep 'status: NOERROR' dig.out.7.$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -612,8 +612,8 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking DNAME resolution via itself (authoritative) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 DNAME self.domain0.self.domain0.nil. > dig.out.2.$n 2>&1
grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 DNAME self.domain0.self.domain0.nil. >dig.out.2.$n 2>&1
grep 'status: NOERROR' dig.out.2.$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -621,8 +621,8 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking DNAME resolution via itself (recursive) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.7 DNAME self.example.self.example.dname. > dig.out.7.$n 2>&1
grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 DNAME self.example.self.example.dname. >dig.out.7.$n 2>&1
grep 'status: NOERROR' dig.out.7.$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))



@ -31,16 +31,16 @@ cp "$zsk.key" "../ns10/"
cp "$ksk.private" "../ns10/"
cp "$zsk.private" "../ns10/"
cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
(
cd ../ns10
cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
cd ../ns10
cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
)
# Configure the resolving server with a static key.
keyfile_to_static_ds "$ksk" > trusted.conf
keyfile_to_static_ds "$ksk" >trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns8/trusted.conf


@ -17,20 +17,19 @@
echo_i "ns2/setup.sh"
for subdomain in dspublished reference missing-dspublished bad-dspublished \
multiple-dspublished incomplete-dspublished bad2-dspublished \
resolver-dspublished \
dswithdrawn missing-dswithdrawn bad-dswithdrawn \
multiple-dswithdrawn incomplete-dswithdrawn bad2-dswithdrawn \
resolver-dswithdrawn
do
cp "../ns9/dsset-$subdomain.checkds." .
multiple-dspublished incomplete-dspublished bad2-dspublished \
resolver-dspublished \
dswithdrawn missing-dswithdrawn bad-dswithdrawn \
multiple-dswithdrawn incomplete-dswithdrawn bad2-dswithdrawn \
resolver-dswithdrawn; do
cp "../ns9/dsset-$subdomain.checkds." .
done
zone="checkds"
infile="checkds.db.infile"
zonefile="checkds.db"
CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone)
cat template.db.in "${CSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1
CSK=$($KEYGEN -k default $zone 2>keygen.out.$zone)
cat template.db.in "${CSK}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile >signer.out.$zone 2>&1


@ -20,7 +20,7 @@ zone="checkds"
infile="checkds.db.infile"
zonefile="checkds.db"
CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone)
cat template.db.in "${CSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1
CSK=$($KEYGEN -k default $zone 2>keygen.out.$zone)
cat template.db.in "${CSK}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile >signer.out.$zone 2>&1


@ -17,11 +17,11 @@
echo_i "ns9/setup.sh"
setup() {
zone="$1"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="${zone}.db.infile"
echo "$zone" >> zones
zone="$1"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="${zone}.db.infile"
echo "$zone" >>zones
}
# Short environment variable names for key states and times.
@ -34,30 +34,28 @@ Y="now-1y"
# DS Publication.
for zn in dspublished reference missing-dspublished bad-dspublished \
multiple-dspublished incomplete-dspublished bad2-dspublished resolver-dspublished
do
setup "${zn}.checkds"
cp template.db.in "$zonefile"
keytimes="-P $T -P sync $T -A $T"
CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone)
$SETTIME -s -g $O -k $O $T -r $O $T -z $O $T -d $R $T "$CSK" > settime.out.$zone 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
multiple-dspublished incomplete-dspublished bad2-dspublished resolver-dspublished; do
setup "${zn}.checkds"
cp template.db.in "$zonefile"
keytimes="-P $T -P sync $T -A $T"
CSK=$($KEYGEN -k default $keytimes $zone 2>keygen.out.$zone)
$SETTIME -s -g $O -k $O $T -r $O $T -z $O $T -d $R $T "$CSK" >settime.out.$zone 2>&1
cat template.db.in "${CSK}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
done
# DS Withdrawal.
for zn in dswithdrawn missing-dswithdrawn bad-dswithdrawn multiple-dswithdrawn \
incomplete-dswithdrawn bad2-dswithdrawn resolver-dswithdrawn
do
setup "${zn}.checkds"
cp template.db.in "$zonefile"
keytimes="-P $Y -P sync $Y -A $Y"
CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone)
$SETTIME -s -g $H -k $O $T -r $O $T -z $O $T -d $U $T "$CSK" > settime.out.$zone 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
incomplete-dswithdrawn bad2-dswithdrawn resolver-dswithdrawn; do
setup "${zn}.checkds"
cp template.db.in "$zonefile"
keytimes="-P $Y -P sync $Y -A $Y"
CSK=$($KEYGEN -k default $keytimes $zone 2>keygen.out.$zone)
$SETTIME -s -g $H -k $O $T -r $O $T -z $O $T -d $U $T "$CSK" >settime.out.$zone 2>&1
cat template.db.in "${CSK}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
done


@ -31,18 +31,18 @@ copy_setports ns10/named.conf.in ns10/named.conf
# Setup zones
(
cd ns9
$SHELL setup.sh
cd ns9
$SHELL setup.sh
)
(
cd ns5
$SHELL setup.sh
cd ns5
$SHELL setup.sh
)
(
cd ns2
$SHELL setup.sh
cd ns2
$SHELL setup.sh
)
(
cd ns1
$SHELL setup.sh
cd ns1
$SHELL setup.sh
)


@ -20,18 +20,18 @@ n=1
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}"
wait_for_record () {
$DIG $DIGOPTS "$1" "$2" "$3" > "$4" || return 1
grep NOERROR "$4" > /dev/null || return 1
return 0
wait_for_record() {
$DIG $DIGOPTS "$1" "$2" "$3" >"$4" || return 1
grep NOERROR "$4" >/dev/null || return 1
return 0
}
# Entry should exist.
echo_i "check for failure from on zone load for 'check-names fail;' ($n)"
ret=0
$DIG $DIGOPTS fail.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1
grep SERVFAIL dig.out.ns1.test$n > /dev/null || ret=1
grep 'xx_xx.fail.example: bad owner name (check-names)' ns1/named.run > /dev/null || ret=1
$DIG $DIGOPTS fail.example. @10.53.0.1 a >dig.out.ns1.test$n || ret=1
grep SERVFAIL dig.out.ns1.test$n >/dev/null || ret=1
grep 'xx_xx.fail.example: bad owner name (check-names)' ns1/named.run >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
@ -39,7 +39,7 @@ n=$((n + 1))
# Entry should exist.
echo_i "check for warnings from on zone load for 'check-names warn;' ($n)"
ret=0
grep 'xx_xx.warn.example: bad owner name (check-names)' ns1/named.run > /dev/null || ret=1
grep 'xx_xx.warn.example: bad owner name (check-names)' ns1/named.run >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
@ -55,10 +55,10 @@ n=$((n + 1))
# Entry should exist
echo_i "check that 'check-names response warn;' works ($n)"
ret=0
$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1
$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.1 a >dig.out.ns1.test$n || ret=1
$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
digcomp dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
grep "check-names warning yy_yy.ignore.example/A/IN" ns2/named.run > /dev/null || ret=1
grep "check-names warning yy_yy.ignore.example/A/IN" ns2/named.run >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
@ -66,11 +66,11 @@ n=$((n + 1))
# Entry should exist
echo_i "check that 'check-names response (owner) fails;' works ($n)"
ret=0
$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1
$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
grep REFUSED dig.out.ns3.test$n > /dev/null || ret=1
grep "check-names failure yy_yy.ignore.example/A/IN" ns3/named.run > /dev/null || ret=1
$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.1 a >dig.out.ns1.test$n || ret=1
$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
grep NOERROR dig.out.ns1.test$n >/dev/null || ret=1
grep REFUSED dig.out.ns3.test$n >/dev/null || ret=1
grep "check-names failure yy_yy.ignore.example/A/IN" ns3/named.run >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
@ -78,11 +78,11 @@ n=$((n + 1))
# Entry should exist
echo_i "check that 'check-names response (rdata) fails;' works ($n)"
ret=0
$DIG $DIGOPTS mx.ignore.example. @10.53.0.1 MX > dig.out.ns1.test$n || ret=1
$DIG $DIGOPTS mx.ignore.example. @10.53.0.3 MX > dig.out.ns3.test$n || ret=1
grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
grep SERVFAIL dig.out.ns3.test$n > /dev/null || ret=1
grep "check-names failure mx.ignore.example/MX/IN" ns3/named.run > /dev/null || ret=1
$DIG $DIGOPTS mx.ignore.example. @10.53.0.1 MX >dig.out.ns1.test$n || ret=1
$DIG $DIGOPTS mx.ignore.example. @10.53.0.3 MX >dig.out.ns3.test$n || ret=1
grep NOERROR dig.out.ns1.test$n >/dev/null || ret=1
grep SERVFAIL dig.out.ns3.test$n >/dev/null || ret=1
grep "check-names failure mx.ignore.example/MX/IN" ns3/named.run >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
@ -90,31 +90,31 @@ n=$((n + 1))
echo_i "check that updates to 'check-names fail;' are rejected ($n)"
ret=0
not=1
$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || not=0
$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || not=0
check-names off
server 10.53.0.1 ${PORT}
update add xxx_xxx.fail.update. 600 A 10.10.10.1
send
END
if [ $not != 0 ]; then ret=1; fi
$DIG $DIGOPTS xxx_xxx.fail.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1
grep "xxx_xxx.fail.update/A: bad owner name (check-names)" ns1/named.run > /dev/null || ret=1
grep NXDOMAIN dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS xxx_xxx.fail.update @10.53.0.1 A >dig.out.ns1.test$n || ret=1
grep "xxx_xxx.fail.update/A: bad owner name (check-names)" ns1/named.run >/dev/null || ret=1
grep NXDOMAIN dig.out.ns1.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that updates to 'check-names warn;' succeed and are logged ($n)"
ret=0
$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1|| ret=1
$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || ret=1
check-names off
server 10.53.0.1 ${PORT}
update add xxx_xxx.warn.update. 600 A 10.10.10.1
send
END
$DIG $DIGOPTS xxx_xxx.warn.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1
grep "xxx_xxx.warn.update/A: bad owner name (check-names)" ns1/named.run > /dev/null || ret=1
grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS xxx_xxx.warn.update @10.53.0.1 A >dig.out.ns1.test$n || ret=1
grep "xxx_xxx.warn.update/A: bad owner name (check-names)" ns1/named.run >/dev/null || ret=1
grep NOERROR dig.out.ns1.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
@ -122,16 +122,16 @@ n=$((n + 1))
echo_i "check that updates to 'check-names ignore;' succeed and are not logged ($n)"
ret=0
not=1
$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1
$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || ret=1
check-names off
server 10.53.0.1 ${PORT}
update add xxx_xxx.ignore.update. 600 A 10.10.10.1
send
END
grep "xxx_xxx.ignore.update/A.*(check-names)" ns1/named.run > /dev/null || not=0
grep "xxx_xxx.ignore.update/A.*(check-names)" ns1/named.run >/dev/null || not=0
if [ $not != 0 ]; then ret=1; fi
$DIG $DIGOPTS xxx_xxx.ignore.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1
grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS xxx_xxx.ignore.update @10.53.0.1 A >dig.out.ns1.test$n || ret=1
grep NOERROR dig.out.ns1.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
@ -139,16 +139,16 @@ n=$((n + 1))
echo_i "check that updates to 'check-names primary ignore;' succeed and are not logged ($n)"
ret=0
not=1
$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1
$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || ret=1
check-names off
server 10.53.0.4 ${PORT}
update add xxx_xxx.primary-ignore.update. 600 A 10.10.10.1
send
END
grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns4/named.run > /dev/null || not=0
grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns4/named.run >/dev/null || not=0
if [ $not != 0 ]; then ret=1; fi
$DIG $DIGOPTS xxx_xxx.primary-ignore.update @10.53.0.4 A > dig.out.ns4.test$n || ret=1
grep NOERROR dig.out.ns4.test$n > /dev/null || ret=1
$DIG $DIGOPTS xxx_xxx.primary-ignore.update @10.53.0.4 A >dig.out.ns4.test$n || ret=1
grep NOERROR dig.out.ns4.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
@ -156,26 +156,26 @@ n=$((n + 1))
echo_i "check that updates to 'check-names master ignore;' succeed and are not logged ($n)"
ret=0
not=1
$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1
$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || ret=1
check-names off
server 10.53.0.5 ${PORT}
update add xxx_xxx.master-ignore.update. 600 A 10.10.10.1
send
END
grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns5/named.run > /dev/null || not=0
grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns5/named.run >/dev/null || not=0
if [ $not != 0 ]; then ret=1; fi
$DIG $DIGOPTS xxx_xxx.master-ignore.update @10.53.0.5 A > dig.out.ns5.test$n || ret=1
grep NOERROR dig.out.ns5.test$n > /dev/null || ret=1
$DIG $DIGOPTS xxx_xxx.master-ignore.update @10.53.0.5 A >dig.out.ns5.test$n || ret=1
grep NOERROR dig.out.ns5.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
status=$((status + ret))
n=$((n + 1))
echo_i "check that updates to 'check-names secondary ignore;' succeed and are not logged ($n)"
ret=0
# takes a while for the transfer to succeed as ns5 (primary) is started after ns4 (secondary)
# and the zone is still loading when we get to this point.
retry_quiet 35 wait_for_record xxx_xxx.master-ignore.update @10.53.0.4 A dig.out.ns4.test$n || ret=1
grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns4/named.run > /dev/null && ret=1
grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns4/named.run >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
@ -183,10 +183,10 @@ n=$((n + 1))
echo_i "check that updates to 'check-names master ignore;' succeed and are not logged ($n)"
ret=0
retry_quiet 35 wait_for_record xxx_xxx.primary-ignore.update @10.53.0.5 A dig.out.ns5.test$n || ret=1
grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns5/named.run > /dev/null && ret=1
grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns5/named.run >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
status=$((status + ret))
n=$((n + 1))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1


@ -16,6 +16,6 @@
ln -s $CHECKZONE named-compilezone
./named-compilezone -D -F raw -o good1.db.raw example \
zones/good1.db > /dev/null 2>&1
zones/good1.db >/dev/null 2>&1
copy_setports zones/bad-tsig.db.in zones/bad-tsig.db


@ -18,121 +18,119 @@ set -e
status=0
n=1
for db in zones/good*.db
do
echo_i "checking $db ($n)"
ret=0
case $db in
zones/good-gc-msdcs.db|zones/good-spf-exception.db)
$CHECKZONE -k fail -i local example $db > test.out.$n 2>&1 || ret=1
;;
zones/good-dns-sd-reverse.db)
$CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db > test.out.$n 2>&1 || ret=1
;;
*)
$CHECKZONE -i local example $db > test.out.$n 2>&1 || ret=1
;;
esac
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
for db in zones/good*.db; do
echo_i "checking $db ($n)"
ret=0
case $db in
zones/good-gc-msdcs.db | zones/good-spf-exception.db)
$CHECKZONE -k fail -i local example $db >test.out.$n 2>&1 || ret=1
;;
zones/good-dns-sd-reverse.db)
$CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db >test.out.$n 2>&1 || ret=1
;;
*)
$CHECKZONE -i local example $db >test.out.$n 2>&1 || ret=1
;;
esac
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
done
for db in zones/bad*.db
do
echo_i "checking $db ($n)"
ret=0 v=0
case $db in
zones/bad-dns-sd-reverse.db|zones/bad-svcb-servername.db)
$CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db > test.out.$n 2>&1 || v=$?
;;
*)
$CHECKZONE -i local example $db > test.out.$n 2>&1 || v=$?
;;
esac
test $v = 1 || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
for db in zones/bad*.db; do
echo_i "checking $db ($n)"
ret=0 v=0
case $db in
zones/bad-dns-sd-reverse.db | zones/bad-svcb-servername.db)
$CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db >test.out.$n 2>&1 || v=$?
;;
*)
$CHECKZONE -i local example $db >test.out.$n 2>&1 || v=$?
;;
esac
test $v = 1 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
done
echo_i "checking with journal file ($n)"
ret=0
$CHECKZONE -D -o test.orig.db test zones/test1.db > /dev/null 2>&1 || ret=1
$CHECKZONE -D -o test.changed.db test zones/test2.db > /dev/null 2>&1 || ret=1
$CHECKZONE -D -o test.orig.db test zones/test1.db >/dev/null 2>&1 || ret=1
$CHECKZONE -D -o test.changed.db test zones/test2.db >/dev/null 2>&1 || ret=1
$MAKEJOURNAL test test.orig.db test.changed.db test.orig.db.jnl 2>&1 || ret=1
jlines=$($JOURNALPRINT test.orig.db.jnl | wc -l)
[ $jlines = 3 ] || ret=1
$CHECKZONE -D -j -o test.out1.db test test.orig.db > /dev/null 2>&1 || ret=1
$CHECKZONE -D -j -o test.out1.db test test.orig.db >/dev/null 2>&1 || ret=1
cmp -s test.changed.db test.out1.db || ret=1
mv -f test.orig.db.jnl test.journal
$CHECKZONE -D -J test.journal -o test.out2.db test test.orig.db > /dev/null 2>&1 || ret=1
$CHECKZONE -D -J test.journal -o test.out2.db test test.orig.db >/dev/null 2>&1 || ret=1
cmp -s test.changed.db test.out2.db || ret=1
n=$((n+1))
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking with spf warnings ($n)"
ret=0
$CHECKZONE example zones/spf.db > test.out1.$n 2>&1 || ret=1
$CHECKZONE -T ignore example zones/spf.db > test.out2.$n 2>&1 || ret=1
grep "'x.example' found type SPF" test.out1.$n > /dev/null && ret=1
grep "'y.example' found type SPF" test.out1.$n > /dev/null || ret=1
grep "'example' found type SPF" test.out1.$n > /dev/null && ret=1
grep "'x.example' found type SPF" test.out2.$n > /dev/null && ret=1
grep "'y.example' found type SPF" test.out2.$n > /dev/null && ret=1
grep "'example' found type SPF" test.out2.$n > /dev/null && ret=1
n=$((n+1))
$CHECKZONE example zones/spf.db >test.out1.$n 2>&1 || ret=1
$CHECKZONE -T ignore example zones/spf.db >test.out2.$n 2>&1 || ret=1
grep "'x.example' found type SPF" test.out1.$n >/dev/null && ret=1
grep "'y.example' found type SPF" test.out1.$n >/dev/null || ret=1
grep "'example' found type SPF" test.out1.$n >/dev/null && ret=1
grep "'x.example' found type SPF" test.out2.$n >/dev/null && ret=1
grep "'y.example' found type SPF" test.out2.$n >/dev/null && ret=1
grep "'example' found type SPF" test.out2.$n >/dev/null && ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking with max ttl (text) ($n)"
ret=0
$CHECKZONE -l 300 example zones/good1.db > test.out1.$n 2>&1 && ret=1
$CHECKZONE -l 600 example zones/good1.db > test.out2.$n 2>&1 || ret=1
n=$((n+1))
$CHECKZONE -l 300 example zones/good1.db >test.out1.$n 2>&1 && ret=1
$CHECKZONE -l 600 example zones/good1.db >test.out2.$n 2>&1 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking with max ttl (raw) ($n)"
ret=0
$CHECKZONE -f raw -l 300 example good1.db.raw > test.out1.$n 2>&1 && ret=1
$CHECKZONE -f raw -l 600 example good1.db.raw > test.out2.$n 2>&1 || ret=1
n=$((n+1))
$CHECKZONE -f raw -l 300 example good1.db.raw >test.out1.$n 2>&1 && ret=1
$CHECKZONE -f raw -l 600 example good1.db.raw >test.out2.$n 2>&1 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking for no 'inherited owner' warning on '\$INCLUDE file' with no new \$ORIGIN ($n)"
ret=0
$CHECKZONE example zones/nowarn.inherited.owner.db > test.out1.$n 2>&1 || ret=1
grep "inherited.owner" test.out1.$n > /dev/null && ret=1
n=$((n+1))
$CHECKZONE example zones/nowarn.inherited.owner.db >test.out1.$n 2>&1 || ret=1
grep "inherited.owner" test.out1.$n >/dev/null && ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking for 'inherited owner' warning on '\$ORIGIN + \$INCLUDE file' ($n)"
ret=0
$CHECKZONE example zones/warn.inherit.origin.db > test.out1.$n 2>&1 || ret=1
grep "inherited.owner" test.out1.$n > /dev/null || ret=1
n=$((n+1))
$CHECKZONE example zones/warn.inherit.origin.db >test.out1.$n 2>&1 || ret=1
grep "inherited.owner" test.out1.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking for 'inherited owner' warning on '\$INCLUDE file origin' ($n)"
ret=0
$CHECKZONE example zones/warn.inherited.owner.db > test.out1.$n 2>&1 || ret=1
grep "inherited.owner" test.out1.$n > /dev/null || ret=1
n=$((n+1))
$CHECKZONE example zones/warn.inherited.owner.db >test.out1.$n 2>&1 || ret=1
grep "inherited.owner" test.out1.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking that raw zone with bad class is handled ($n)"
ret=0
$CHECKZONE -f raw example zones/bad-badclass.raw > test.out.$n 2>&1 && ret=1
$CHECKZONE -f raw example zones/bad-badclass.raw >test.out.$n 2>&1 && ret=1
grep "failed: bad class" test.out.$n >/dev/null || ret=1
n=$((n+1))
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking that expirations that loop using serial arithmetic are handled ($n)"
ret=0
@ -159,56 +157,56 @@ test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
n=$((n+1))
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking that nameserver below DNAME is reported even with occulted address record present ($n)"
ret=0
$CHECKZONE example.com zones/ns-address-below-dname.db > test.out.$n 2>&1 && ret=1
$CHECKZONE example.com zones/ns-address-below-dname.db >test.out.$n 2>&1 && ret=1
grep "is below a DNAME" test.out.$n >/dev/null || ret=1
n=$((n+1))
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking that delegating nameserver below DNAME is reported even with occulted address record present ($n)"
ret=0
$CHECKZONE example.com zones/delegating-ns-address-below-dname.db > test.out.$n 2>&1 || ret=1
$CHECKZONE example.com zones/delegating-ns-address-below-dname.db >test.out.$n 2>&1 || ret=1
grep "is below a DNAME" test.out.$n >/dev/null || ret=1
n=$((n+1))
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that named-compilezone works when reading input from stdin ($n)"
ret=0
# Step 1: take raw input from stdin and convert it to text/relative format.
# Last argument "-" is optional, but it says more explicitly that we're reading from stdin.
cat zones/zone1.db | ./named-compilezone -f text -F text -s relative \
-o zones/zone1_stdin.txt zone1.com - > /dev/null || ret=1
status=$((status+ret))
-o zones/zone1_stdin.txt zone1.com - >/dev/null || ret=1
status=$((status + ret))
ret=0
# Step 2: take raw input from file and convert it to text format.
./named-compilezone -f text -F text -s relative -o zones/zone1_file.txt \
zone1.com zones/zone1.db > /dev/null || ret=1
status=$((status+ret))
zone1.com zones/zone1.db >/dev/null || ret=1
status=$((status + ret))
ret=0
# Step 3: Ensure that output conversion from stdin is the same as the output conversion from a file.
diff zones/zone1_file.txt zones/zone1_stdin.txt >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
ret=0
echo_i "checking integer overflow is prevented in \$GENERATE ($n)"
$CHECKZONE -D example.com zones/generate-overflow.db > test.out.$n 2>&1 || ret=1
$CHECKZONE -D example.com zones/generate-overflow.db >test.out.$n 2>&1 || ret=1
lines=$(grep -c CNAME test.out.$n)
echo $lines
[ "$lines" -eq 1 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1


@ -18,7 +18,6 @@ set -e
# Note that dnsrps.conf and dnsrps-secondary.conf are included in named.conf
# and differ from dnsrpz.conf which is used by dnsrpzd.
. ../conf.sh
DNSRPS_CMD=../rpz/dnsrps
@ -29,57 +28,64 @@ MCONF=dnsrps.conf
SCONF=dnsrps-secondary.conf
USAGE="$0: [-xAD] [-M dnsrps.conf] [-S dnsrps-secondary.conf]"
while getopts "xADM:S:" c; do
case $c in
x) set -x; DEBUG=-x;;
A) AS_NS=yes;;
D) TEST_DNSRPS=yes;;
M) MCONF="$OPTARG";;
S) SCONF="$OPTARG";;
*) echo "$USAGE" 1>&2; exit 1;;
esac
case $c in
x)
set -x
DEBUG=-x
;;
A) AS_NS=yes ;;
D) TEST_DNSRPS=yes ;;
M) MCONF="$OPTARG" ;;
S) SCONF="$OPTARG" ;;
*)
echo "$USAGE" 1>&2
exit 1
;;
esac
done
shift $(expr $OPTIND - 1 || true)
if [ "$#" -ne 0 ]; then
echo "$USAGE" 1>&2
exit 1
echo "$USAGE" 1>&2
exit 1
fi
# erase any existing conf files
cat /dev/null > $MCONF
cat /dev/null > $SCONF
cat /dev/null >$MCONF
cat /dev/null >$SCONF
add_conf () {
echo "$*" >>$MCONF
echo "$*" >>$SCONF
add_conf() {
echo "$*" >>$MCONF
echo "$*" >>$SCONF
}
if ! $FEATURETEST --enable-dnsrps; then
if [ -n "$TEST_DNSRPS" ]; then
add_conf "## DNSRPS disabled at compile time"
fi
add_conf "#skip"
exit 0
if [ -n "$TEST_DNSRPS" ]; then
add_conf "## DNSRPS disabled at compile time"
fi
add_conf "#skip"
exit 0
fi
if [ -z "$TEST_DNSRPS" ]; then
add_conf "## testing with native RPZ"
add_conf '#skip'
exit 0
add_conf "## testing with native RPZ"
add_conf '#skip'
exit 0
else
add_conf "## testing with DNSRPS"
add_conf "## testing with DNSRPS"
fi
if [ ! -x "$DNSRPS_CMD" ]; then
add_conf "## make $DNSRPS_CMD to test DNSRPS"
add_conf '#skip'
exit 0
add_conf "## make $DNSRPS_CMD to test DNSRPS"
add_conf '#skip'
exit 0
fi
if $DNSRPS_CMD -a >/dev/null; then :
if $DNSRPS_CMD -a >/dev/null; then
:
else
add_conf "## DNSRPS provider library is not available"
add_conf '#skip'
exit 0
add_conf "## DNSRPS provider library is not available"
add_conf '#skip'
exit 0
fi
CMN=" dnsrps-options { dnsrpzd-conf ../dnsrpzd.conf
@ -90,7 +96,7 @@ CMN=" dnsrps-options { dnsrpzd-conf ../dnsrpzd.conf
PRIMARY="$CMN"
if [ -n "$AS_NS" ]; then
PRIMARY="$PRIMARY
PRIMARY="$PRIMARY
qname-as-ns yes
ip-as-ns yes"
fi
@ -106,7 +112,6 @@ $CMN
dnsrpzd '' }; # do not start dnsrpzd
EOF
# DNSRPS is available.
# The test should fail if the license is bad.
add_conf "dnsrps-enable yes;"
@ -117,49 +122,49 @@ ALT_L=alt-dnsrpzd-license.conf
# try ../rpz/alt-dnsrpzd-license.conf if alt-dnsrpzd-license.conf does not exist
[ -s $ALT_L ] || ALT_L=../rpz/alt-dnsrpzd-license.conf
if [ -s $ALT_L ]; then
SRC_L=$ALT_L
USE_ALT=
SRC_L=$ALT_L
USE_ALT=
else
SRC_L=../rpz/dnsrpzd-license.conf
USE_ALT="## consider installing alt-dnsrpzd-license.conf"
SRC_L=../rpz/dnsrpzd-license.conf
USE_ALT="## consider installing alt-dnsrpzd-license.conf"
fi
cp $SRC_L $CUR_L
# parse $CUR_L for the license zone name, primary IP addresses, and optional
# transfer-source IP addresses
eval `sed -n -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/'\
-e 's/.*zone *\([-a-z0-9]*.license.fastrpz.com\).*/NAME=\1/p' \
-e 's/.*farsight_fastrpz_license *\([0-9.]*\);.*/IPV4=\1/p' \
-e 's/.*farsight_fastrpz_license *\([0-9a-f:]*\);.*/IPV6=\1/p' \
-e 's/.*transfer-source *\([0-9.]*\);.*/TS4=-b\1/p' \
-e 's/.*transfer-source *\([0-9a-f:]*\);.*/TS6=-b\1/p' \
-e 's/.*transfer-source-v6 *\([0-9a-f:]*\);.*/TS6=-b\1/p' \
$CUR_L`
eval $(sed -n -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/' \
-e 's/.*zone *\([-a-z0-9]*.license.fastrpz.com\).*/NAME=\1/p' \
-e 's/.*farsight_fastrpz_license *\([0-9.]*\);.*/IPV4=\1/p' \
-e 's/.*farsight_fastrpz_license *\([0-9a-f:]*\);.*/IPV6=\1/p' \
-e 's/.*transfer-source *\([0-9.]*\);.*/TS4=-b\1/p' \
-e 's/.*transfer-source *\([0-9a-f:]*\);.*/TS6=-b\1/p' \
-e 's/.*transfer-source-v6 *\([0-9a-f:]*\);.*/TS6=-b\1/p' \
$CUR_L)
if [ -z "$NAME" ]; then
add_conf "## no DNSRPS tests; no license domain name in $SRC_L"
add_conf '#fail'
exit 0
add_conf "## no DNSRPS tests; no license domain name in $SRC_L"
add_conf '#fail'
exit 0
fi
if [ -z "$IPV4" ]; then
IPV4=license1.fastrpz.com
TS4=
IPV4=license1.fastrpz.com
TS4=
fi
if [ -z "$IPV6" ]; then
IPV6=license1.fastrpz.com
TS6=
IPV6=license1.fastrpz.com
TS6=
fi
# This TSIG key is common and NOT a secret
KEY='hmac-sha256:farsight_fastrpz_license:f405d02b4c8af54855fcebc1'
# Try IPv4 and then IPv6 to deal with IPv6 tunnel and connectivity problems
if `$DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4 \
| grep -i "^$NAME.*TXT" >/dev/null`; then
exit 0
if $($DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4 \
| grep -i "^$NAME.*TXT" >/dev/null); then
exit 0
fi
if `$DIG -6 -t axfr -y$KEY $TS6 $NAME @$IPV6 \
| grep -i "^$NAME.*TXT" >/dev/null`; then
exit 0
if $($DIG -6 -t axfr -y$KEY $TS6 $NAME @$IPV6 \
| grep -i "^$NAME.*TXT" >/dev/null); then
exit 0
fi
add_conf "## DNSRPS lacks a valid license via $SRC_L"
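Review bot: The two license probes, `if $($DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4 | grep -i "^$NAME.*TXT" >/dev/null); then` and its `-6` twin just below, still wrap a pipeline whose only output is sent to /dev/null inside a command substitution, so the `if` ends up testing an empty command and relies on the shell rule that an empty simple command takes the exit status of its last substitution. The mechanical backtick-to-`$()` conversion in this hunk makes that look intentional rather than accidental, and a reader will wonder what is being expanded. Dropping the substitution says what is meant: `if $DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4 | grep -i "^$NAME.*TXT" >/dev/null; then`, with the same change for the IPv6 probe. The `eval $(sed ...)` a few lines up is unchanged in behaviour by the reformat; it still executes text derived from the license file, though the sed patterns appear to confine it to fixed variable names and name/address character classes, which is worth a one-line comment such as `# eval is bounded by the sed patterns above: only NAME/IPV4/IPV6/TS4/TS6 assignments`.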


@ -17,20 +17,18 @@
. ./conf.sh
find . -type f \( \
-name '*~' -o -name 'core' -o -name '*.core' \
-o -name '*.log' -o -name '*.pid' -o -name '*.keyset' \
-o -name named.run -o -name ans.run \
-o -name '*-valgrind-*.log' \) -print | xargs rm -f
-name '*~' -o -name 'core' -o -name '*.core' \
-o -name '*.log' -o -name '*.pid' -o -name '*.keyset' \
-o -name named.run -o -name ans.run \
-o -name '*-valgrind-*.log' \) -print | xargs rm -f
status=0
rm -f ../random.data
for d in $SUBDIRS
do
test ! -f $d/clean.sh || ( cd $d && $SHELL clean.sh )
rm -f test.output.$d
test -d $d && find $d -type d -exec rmdir '{}' \; 2> /dev/null
for d in $SUBDIRS; do
test ! -f $d/clean.sh || (cd $d && $SHELL clean.sh)
rm -f test.output.$d
test -d $d && find $d -type d -exec rmdir '{}' \; 2>/dev/null
done


@ -27,12 +27,12 @@ export ARPANAME=$TOP_BUILDDIR/bin/tools/arpaname
export CDS=$TOP_BUILDDIR/bin/dnssec/dnssec-cds
export CHECKCONF=$TOP_BUILDDIR/bin/check/named-checkconf
export CHECKZONE=$TOP_BUILDDIR/bin/check/named-checkzone
if [ -z "$TSAN_OPTIONS" ]; then # workaround for GL#4119
export DELV=$TOP_BUILDDIR/bin/delv/delv
export RESOLVE=$TOP_BUILDDIR/bin/tests/system/resolve
if [ -z "$TSAN_OPTIONS" ]; then # workaround for GL#4119
export DELV=$TOP_BUILDDIR/bin/delv/delv
export RESOLVE=$TOP_BUILDDIR/bin/tests/system/resolve
else
export DELV=:
export RESOLVE=:
export DELV=:
export RESOLVE=:
fi
export DIG=$TOP_BUILDDIR/bin/dig/dig
export DNSTAPREAD=$TOP_BUILDDIR/bin/tools/dnstap-read
@ -88,13 +88,13 @@ export PYTEST=@PYTEST@
#
export PERL=$(command -v "@PERL@" || true)
if ! test -x "$PERL"; then
echo "Perl interpreter is required for system tests."
exit 77
echo "Perl interpreter is required for system tests."
exit 77
fi
export PYTHON=$(command -v "@PYTHON@" || true)
if ! test -x "$PYTHON"; then
echo "Python interpreter is required for system tests."
exit 77
echo "Python interpreter is required for system tests."
exit 77
fi
# Load common values


@ -13,10 +13,9 @@
. ../conf.sh
if ! ${PYTHON} -c 'import dns'
then
echo_i "python dns module is required"
exit 1
if ! ${PYTHON} -c 'import dns'; then
echo_i "python dns module is required"
exit 1
fi
exit 0


@ -22,81 +22,79 @@ status=0
n=0
getcookie() {
awk '$2 == "COOKIE:" {
awk '$2 == "COOKIE:" {
print $3;
}' < $1
}' <$1
}
fullcookie() {
awk 'BEGIN { n = 0 }
awk 'BEGIN { n = 0 }
// { v[n++] = length(); }
END { print (v[1] == v[2]); }'
}
havetc() {
grep 'flags:.* tc[^;]*;' $1 > /dev/null
grep 'flags:.* tc[^;]*;' $1 >/dev/null
}
for bad in bad*.conf
do
n=$((n + 1))
echo_i "checking that named-checkconf detects error in $bad ($n)"
ret=0
$CHECKCONF $bad > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
for bad in bad*.conf; do
n=$((n + 1))
echo_i "checking that named-checkconf detects error in $bad ($n)"
ret=0
$CHECKCONF $bad >/dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
done
for good in good*.conf
do
n=$((n + 1))
echo_i "checking that named-checkconf detects accepts $good ($n)"
ret=0
$CHECKCONF $good > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
for good in good*.conf; do
n=$((n + 1))
echo_i "checking that named-checkconf detects accepts $good ($n)"
ret=0
$CHECKCONF $good >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
done
n=$((n + 1))
echo_i "checking RCODE=FORMERR to query without question section and without COOKIE option ($n)"
ret=0
$DIG $DIGOPTS +qr +header-only +nocookie version.bind txt ch @10.53.0.1 > dig.out.test$n || ret=1
grep COOKIE: dig.out.test$n > /dev/null && ret=1
grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +qr +header-only +nocookie version.bind txt ch @10.53.0.1 >dig.out.test$n || ret=1
grep COOKIE: dig.out.test$n >/dev/null && ret=1
grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking RCODE=NOERROR to query without question section and with COOKIE option ($n)"
ret=0
$DIG $DIGOPTS +qr +header-only +cookie version.bind txt ch @10.53.0.1 > dig.out.test$n || ret=1
grep COOKIE: dig.out.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +qr +header-only +cookie version.bind txt ch @10.53.0.1 >dig.out.test$n || ret=1
grep COOKIE: dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking COOKIE token is returned to empty COOKIE option ($n)"
ret=0
$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.1 > dig.out.test$n || ret=1
grep COOKIE: dig.out.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.1 >dig.out.test$n || ret=1
grep COOKIE: dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking COOKIE is not returned when answer-cookie is false ($n)"
ret=0
$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.7 > dig.out.test$n || ret=1
grep COOKIE: dig.out.test$n > /dev/null && ret=1
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.7 >dig.out.test$n || ret=1
grep COOKIE: dig.out.test$n >/dev/null && ret=1
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking response size without COOKIE ($n)"
ret=0
$DIG $DIGOPTS large.example txt @10.53.0.1 +ignore > dig.out.test$n || ret=1
$DIG $DIGOPTS large.example txt @10.53.0.1 +ignore >dig.out.test$n || ret=1
havetc dig.out.test$n || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -104,36 +102,36 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking response size without valid COOKIE ($n)"
ret=0
$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 +ignore > dig.out.test$n || ret=1
$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 +ignore >dig.out.test$n || ret=1
havetc dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking response size with COOKIE ($n)"
ret=0
$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 > dig.out.test$n.l || ret=1
$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 >dig.out.test$n.l || ret=1
cookie=$(getcookie dig.out.test$n.l)
$DIG $DIGOPTS +qr +cookie=$cookie large.example txt @10.53.0.1 +ignore > dig.out.test$n || ret=1
$DIG $DIGOPTS +qr +cookie=$cookie large.example txt @10.53.0.1 +ignore >dig.out.test$n || ret=1
havetc dig.out.test$n && ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking response size with COOKIE recursive ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=$cookie large.xxx txt @10.53.0.1 +ignore > dig.out.test$n || ret=1
$DIG $DIGOPTS +qr +cookie=$cookie large.xxx txt @10.53.0.1 +ignore >dig.out.test$n || ret=1
havetc dig.out.test$n && ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking COOKIE is learnt for TCP retry ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie large.example txt @10.53.0.1 > dig.out.test$n || ret=1
$DIG $DIGOPTS +qr +cookie large.example txt @10.53.0.1 >dig.out.test$n || ret=1
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $linecount != 3 ]; then ret=1; fi
checkfull=$(getcookie dig.out.test$n | fullcookie)
@ -145,15 +143,15 @@ n=$((n + 1))
echo_i "checking for COOKIE value in adb ($n)"
ret=0
rndc_dumpdb ns1
grep "10.53.0.2.*\[cookie=" ns1/named_dump.db.test$n > /dev/null || ret=1
grep "10.53.0.2.*\[cookie=" ns1/named_dump.db.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking require-server-cookie default (no) ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.1 > dig.out.test$n || ret=1
grep BADCOOKIE dig.out.test$n > /dev/null && ret=1
$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.1 >dig.out.test$n || ret=1
grep BADCOOKIE dig.out.test$n >/dev/null && ret=1
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -162,10 +160,10 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking require-server-cookie yes ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.3 > dig.out.test$n || ret=1
grep "flags: qr[^;]* aa[ ;]" dig.out.test$n > /dev/null && ret=1
grep "flags: qr[^;]* ad[ ;]" dig.out.test$n > /dev/null && ret=1
grep BADCOOKIE dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.3 >dig.out.test$n || ret=1
grep "flags: qr[^;]* aa[ ;]" dig.out.test$n >/dev/null && ret=1
grep "flags: qr[^;]* ad[ ;]" dig.out.test$n >/dev/null && ret=1
grep BADCOOKIE dig.out.test$n >/dev/null || ret=1
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -174,7 +172,7 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking +qr +showbadcookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +showbadcookie soa @10.53.0.3 > dig.out.test$n || ret=1
$DIG $DIGOPTS +qr +cookie +showbadcookie soa @10.53.0.3 >dig.out.test$n || ret=1
noerror=$(grep "status: NOERROR" dig.out.test$n | wc -l)
badcookie=$(grep "status: BADCOOKIE" dig.out.test$n | wc -l)
server=$(grep "COOKIE: ................................................" dig.out.test$n | wc -l)
@ -191,7 +189,7 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking +showbadcookie ($n)"
ret=0
$DIG $DIGOPTS +cookie +showbadcookie soa @10.53.0.3 > dig.out.test$n || ret=1
$DIG $DIGOPTS +cookie +showbadcookie soa @10.53.0.3 >dig.out.test$n || ret=1
noerror=$(grep "status: NOERROR" dig.out.test$n | wc -l)
badcookie=$(grep "status: BADCOOKIE" dig.out.test$n | wc -l)
server=$(grep "COOKIE: ................................................" dig.out.test$n | wc -l)
@ -208,9 +206,9 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking require-server-cookie yes with rate-limit ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +nobadcookie soa example @10.53.0.8 > dig.out.test$n || ret=1
grep "flags: qr[^;]* ad[ ;]" dig.out.test$n > /dev/null && ret=1
grep BADCOOKIE dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +qr +cookie +nobadcookie soa example @10.53.0.8 >dig.out.test$n || ret=1
grep "flags: qr[^;]* ad[ ;]" dig.out.test$n >/dev/null && ret=1
grep BADCOOKIE dig.out.test$n >/dev/null || ret=1
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -219,24 +217,24 @@ status=$((status + ret))
n=$((n + 1))
echo_i "send undersized cookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=000000 soa @10.53.0.1 > dig.out.test$n || ret=1
grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +qr +cookie=000000 soa @10.53.0.1 >dig.out.test$n || ret=1
grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "send oversized for named cookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.1 > dig.out.test$n || ret=1
grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.1 >dig.out.test$n || ret=1
grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "send oversized for named cookie with server requiring a good cookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.3 > dig.out.test$n || ret=1
grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.3 >dig.out.test$n || ret=1
grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -260,8 +258,8 @@ status=$((status + ret))
n=$((n + 1))
echo_i "get NS4 cookie for cross server checking ($n)"
ret=0
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.4 > dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.4 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
ns4cookie=$(getcookie dig.out.test$n)
test -n "$ns4cookie" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -270,8 +268,8 @@ status=$((status + ret))
n=$((n + 1))
echo_i "get NS5 cookie for cross server checking ($n)"
ret=0
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.5 > dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.5 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
ns5cookie=$(getcookie dig.out.test$n)
test -n "$ns5cookie" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -280,8 +278,8 @@ status=$((status + ret))
n=$((n + 1))
echo_i "get NS6 cookie for cross server checking ($n)"
ret=0
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.6 > dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.6 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
ns6cookie=$(getcookie dig.out.test$n)
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -289,54 +287,54 @@ status=$((status + ret))
n=$((n + 1))
echo_i "test NS4 cookie on NS5 (expect success) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 > dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "test NS4 cookie on NS6 (expect badcookie) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 > dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "test NS5 cookie on NS4 (expect success) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 > dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "test NS5 cookie on NS6 (expect badcookie) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 > dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "test NS6 cookie on NS4 (expect badcookie) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 > dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "test NS6 cookie on NS5 (expect success) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 > dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -345,62 +343,62 @@ echo_i "check that test server is correctly configured ($n)"
ret=0
pat="; COOKIE: ................................ (good)"
#UDP
$DIG $DIGOPTS @10.53.0.9 +notcp tld > dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
grep "$pat" dig.out.test$n.1 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.1 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.1 > /dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +notcp tld >dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
grep "$pat" dig.out.test$n.1 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.1 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.1 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +notcp tcponly.tld > dig.out.test$n.2 || ret=1
grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.2 > /dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +notcp tcponly.tld >dig.out.test$n.2 || ret=1
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.2 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +notcp nocookie.tld > dig.out.test$n.3 || ret=1
grep "status: NOERROR" dig.out.test$n.3 > /dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.3 > /dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.3 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.3 > /dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +notcp nocookie.tld >dig.out.test$n.3 || ret=1
grep "status: NOERROR" dig.out.test$n.3 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.3 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.3 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.3 >/dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +notcp withtsig.tld > dig.out.test$n.4 || ret=1
grep "status: NOERROR" dig.out.test$n.4 > /dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.4 > /dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.4 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.4 > /dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.4 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.9 +notcp withtsig.tld >dig.out.test$n.4 || ret=1
grep "status: NOERROR" dig.out.test$n.4 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.4 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.4 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.4 >/dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.4 >/dev/null || ret=1
#TCP
$DIG $DIGOPTS @10.53.0.9 +tcp tld > dig.out.test$n.5 || ret=1
grep "status: NOERROR" dig.out.test$n.5 > /dev/null || ret=1
grep "$pat" dig.out.test$n.5 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.5 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.5 > /dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +tcp tld >dig.out.test$n.5 || ret=1
grep "status: NOERROR" dig.out.test$n.5 >/dev/null || ret=1
grep "$pat" dig.out.test$n.5 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.5 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.5 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +tcp tcponly.tld > dig.out.test$n.6
grep "status: NOERROR" dig.out.test$n.6 > /dev/null || ret=1
grep "$pat" dig.out.test$n.6 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.6 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.6 > /dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +tcp tcponly.tld >dig.out.test$n.6
grep "status: NOERROR" dig.out.test$n.6 >/dev/null || ret=1
grep "$pat" dig.out.test$n.6 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.6 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.6 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +tcp nocookie.tld > dig.out.test$n.7
grep "status: NOERROR" dig.out.test$n.7 > /dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.7 > /dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.7 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.7 > /dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +tcp nocookie.tld >dig.out.test$n.7
grep "status: NOERROR" dig.out.test$n.7 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.7 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.7 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.7 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +tcp withtsig.tld > dig.out.test$n.8
grep "status: NOERROR" dig.out.test$n.8 > /dev/null || ret=1
grep "$pat" dig.out.test$n.8 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.8 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.8 > /dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.8 > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +tcp withtsig.tld >dig.out.test$n.8
grep "status: NOERROR" dig.out.test$n.8 >/dev/null || ret=1
grep "$pat" dig.out.test$n.8 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.8 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.8 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.8 >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -411,17 +409,17 @@ ret=0
msg="missing expected cookie from"
pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
# prime EDNS COOKIE state
$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
rndc_dumpdb ns1
grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
# spoofed response contains 10.53.0.10
nextpart ns1/named.run >/dev/null
$DIG $DIGOPTS @10.53.0.1 tcponly.tld > dig.out.test$n.2 || ret=1
$DIG $DIGOPTS @10.53.0.1 tcponly.tld >dig.out.test$n.2 || ret=1
wait_for_log 5 "$msg" ns1/named.run || ret=1
grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -431,17 +429,17 @@ ret=0
msg="missing expected cookie from"
pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
# prime EDNS COOKIE state
$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
rndc_dumpdb ns1
grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
# check the disabled server response
nextpart ns1/named.run >/dev/null
$DIG $DIGOPTS @10.53.0.1 nocookie.tld > dig.out.test$n.2
$DIG $DIGOPTS @10.53.0.1 nocookie.tld >dig.out.test$n.2
wait_for_log 5 "$msg" ns1/named.run || ret=1
grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -450,17 +448,17 @@ echo_i "check that spoofed response with a TSIG is dropped when we have a server
ret=0
pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
# prime EDNS COOKIE state
$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
rndc_dumpdb ns1
grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
# spoofed response contains 10.53.0.10
nextpart ns1/named.run >/dev/null
$DIG $DIGOPTS @10.53.0.1 withtsig.tld > dig.out.test$n.2 || ret=1
grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1
nextpart ns1/named.run > named.run.test$n
$DIG $DIGOPTS @10.53.0.1 withtsig.tld >dig.out.test$n.2 || ret=1
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1
nextpart ns1/named.run >named.run.test$n
count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n)
test $count -eq 1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -470,56 +468,55 @@ if $PYTHON -c '
import dns.version, sys;
if dns.version.MAJOR > 1: sys.exit(0);
if dns.version.MAJOR == 1 and dns.version.MINOR >= 16: sys.exit(0);
sys.exit(1)'
then
sys.exit(1)'; then
n=$((n + 1))
echo_i "check that TSIG test server is correctly configured ($n)"
ret=0
pat="; COOKIE: ................................ (good)"
key=hmac-sha256:foo:aaaaaaaaaaaa
#UDP
$DIG $DIGOPTS @10.53.0.10 -y $key +notcp tsig. > dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
grep "$pat" dig.out.test$n.1 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.1 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.1 > /dev/null && ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +notcp tsig. >dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
grep "$pat" dig.out.test$n.1 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.1 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.1 >/dev/null && ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +notcp tcponly.tsig > dig.out.test$n.2 || ret=1
grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.2 > /dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +notcp tcponly.tsig >dig.out.test$n.2 || ret=1
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.2 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +notcp nocookie.tsig > dig.out.test$n.3 || ret=1
grep "status: NOERROR" dig.out.test$n.3 > /dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.3 > /dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.3 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.3 > /dev/null || ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +notcp nocookie.tsig >dig.out.test$n.3 || ret=1
grep "status: NOERROR" dig.out.test$n.3 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.3 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.3 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.3 >/dev/null || ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1
#TCP
$DIG $DIGOPTS @10.53.0.10 -y $key +tcp tsig. > dig.out.test$n.5 || ret=1
grep "status: NOERROR" dig.out.test$n.5 > /dev/null || ret=1
grep "$pat" dig.out.test$n.5 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.5 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.5 > /dev/null && ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +tcp tsig. >dig.out.test$n.5 || ret=1
grep "status: NOERROR" dig.out.test$n.5 >/dev/null || ret=1
grep "$pat" dig.out.test$n.5 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.5 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.5 >/dev/null && ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +tcp tcponly.tsig > dig.out.test$n.6 || ret=1
grep "status: NOERROR" dig.out.test$n.6 > /dev/null || ret=1
grep "$pat" dig.out.test$n.6 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.6 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.6 > /dev/null && ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +tcp tcponly.tsig >dig.out.test$n.6 || ret=1
grep "status: NOERROR" dig.out.test$n.6 >/dev/null || ret=1
grep "$pat" dig.out.test$n.6 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.6 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.6 >/dev/null && ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +tcp nocookie.tsig > dig.out.test$n.7 || ret=1
grep "status: NOERROR" dig.out.test$n.7 > /dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.7 > /dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.7 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.7 > /dev/null && ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +tcp nocookie.tsig >dig.out.test$n.7 || ret=1
grep "status: NOERROR" dig.out.test$n.7 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.7 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.7 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.7 >/dev/null && ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -529,17 +526,17 @@ then
ret=0
pat='10\.53\.0\.10 .*\[cookie=................................\] \[ttl'
# prime EDNS COOKIE state
$DIG $DIGOPTS @10.53.0.1 tsig. > dig.out.test$n.1
grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.1 tsig. >dig.out.test$n.1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
rndc_dumpdb ns1
grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
# check the disabled server response
nextpart ns1/named.run >/dev/null
$DIG $DIGOPTS @10.53.0.1 nocookie.tsig > dig.out.test$n.2
grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1
nextpart ns1/named.run > named.run.test$n
$DIG $DIGOPTS @10.53.0.1 nocookie.tsig >dig.out.test$n.2
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1
nextpart ns1/named.run >named.run.test$n
count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n)
test $count -eq 2 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi


@ -2,7 +2,7 @@
# test-driver - basic testsuite driver script.
scriptversion=2021-09-20.08; # UTC
scriptversion=2021-09-20.08 # UTC
# Copyright (C) 2011-2020 Free Software Foundation, Inc.
#
@ -34,15 +34,13 @@ scriptversion=2021-09-20.08; # UTC
# helps a lot in preventing typo-related bugs.
set -u
usage_error ()
{
usage_error() {
echo "$0: $*" >&2
print_usage >&2
exit 2
}
print_usage ()
{
print_usage() {
cat <<END
Usage:
test-driver --test-name=NAME --log-file=PATH --trs-file=PATH
@ -53,36 +51,67 @@ The '--test-name', '--log-file' and '--trs-file' options are mandatory.
END
}
test_name= # Used for reporting.
log_file= # Where to save the output of the test script.
trs_file= # Where to save the metadata of the test run.
junit_file= # Where to save pytest junit output.
test_name= # Used for reporting.
log_file= # Where to save the output of the test script.
trs_file= # Where to save the metadata of the test run.
junit_file= # Where to save pytest junit output.
expect_failure=no
color_tests=no
enable_hard_errors=yes
verbose=no
while test $# -gt 0; do
case $1 in
--help) print_usage; exit $?;;
--version) echo "test-driver $scriptversion"; exit $?;;
--test-name) test_name=$2; shift;;
--log-file) log_file=$2; shift;;
--trs-file) trs_file=$2; junit_file=$(echo $trs_file | sed 's/\.trs$/\.xml/'); shift;;
--color-tests) color_tests=$2; shift;;
--expect-failure) expect_failure=$2; shift;;
--enable-hard-errors) enable_hard_errors=$2; shift;;
--verbose) verbose=$2; shift;;
--) shift; break;;
-*) usage_error "invalid option: '$1'";;
*) break;;
--help)
print_usage
exit $?
;;
--version)
echo "test-driver $scriptversion"
exit $?
;;
--test-name)
test_name=$2
shift
;;
--log-file)
log_file=$2
shift
;;
--trs-file)
trs_file=$2
junit_file=$(echo $trs_file | sed 's/\.trs$/\.xml/')
shift
;;
--color-tests)
color_tests=$2
shift
;;
--expect-failure)
expect_failure=$2
shift
;;
--enable-hard-errors)
enable_hard_errors=$2
shift
;;
--verbose)
verbose=$2
shift
;;
--)
shift
break
;;
-*) usage_error "invalid option: '$1'" ;;
*) break ;;
esac
shift
done
missing_opts=
test x"$test_name" = x && missing_opts="$missing_opts --test-name"
test x"$log_file" = x && missing_opts="$missing_opts --log-file"
test x"$trs_file" = x && missing_opts="$missing_opts --trs-file"
test x"$log_file" = x && missing_opts="$missing_opts --log-file"
test x"$trs_file" = x && missing_opts="$missing_opts --trs-file"
if test x"$missing_opts" != x; then
usage_error "the following mandatory options are missing:$missing_opts"
fi
@ -117,7 +146,7 @@ else
fi
# Run junit to trs converter script.
./convert-junit-to-trs.py $junit_file > $trs_file
./convert-junit-to-trs.py $junit_file >$trs_file
estatus=$?
if test $enable_hard_errors = no && test $estatus -eq 99; then
@ -127,12 +156,12 @@ else
fi
case $tweaked_estatus:$expect_failure in
0:yes) col=$red res=XPASS recheck=yes gcopy=yes;;
0:*) col=$grn res=PASS recheck=no gcopy=no;;
77:*) col=$blu res=SKIP recheck=no gcopy=yes;;
99:*) col=$mgn res=ERROR recheck=yes gcopy=yes;;
*:yes) col=$lgn res=XFAIL recheck=no gcopy=yes;;
*:*) col=$red res=FAIL recheck=yes gcopy=yes;;
0:yes) col=$red res=XPASS recheck=yes gcopy=yes ;;
0:*) col=$grn res=PASS recheck=no gcopy=no ;;
77:*) col=$blu res=SKIP recheck=no gcopy=yes ;;
99:*) col=$mgn res=ERROR recheck=yes gcopy=yes ;;
*:yes) col=$lgn res=XFAIL recheck=no gcopy=yes ;;
*:*) col=$red res=FAIL recheck=yes gcopy=yes ;;
esac
# Report the test outcome and exit status in the logs, so that one can
@ -145,9 +174,9 @@ echo "$res $test_name (exit status: $estatus)" >>$log_file
echo "${col}${res}${std}: $test_name"
# Register other relevant test metadata.
echo ":global-test-result: $res" >> $trs_file
echo ":recheck: $recheck" >> $trs_file
echo ":copy-in-global-log: $gcopy" >> $trs_file
echo ":global-test-result: $res" >>$trs_file
echo ":recheck: $recheck" >>$trs_file
echo ":copy-in-global-log: $gcopy" >>$trs_file
# Local Variables:
# mode: shell-script
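Review bot: The `--trs-file` arm in the option loop still builds `junit_file` from an unquoted expansion, `junit_file=$(echo $trs_file | sed 's/\.trs$/\.xml/')`, so a path containing whitespace or glob characters is word-split before it reaches sed; shfmt only reflowed the arm and left this as is. Quoting the expansion and avoiding echo's flag/backslash handling fixes it without changing the result: `junit_file=$(printf '%s\n' "$trs_file" | sed 's/\.trs$/\.xml/')`. The same unquoted pattern appears in the later hunk at `@ -117,7 +146,7 @@`, where `./convert-junit-to-trs.py $junit_file >$trs_file` should become `./convert-junit-to-trs.py "$junit_file" >"$trs_file"`. Both lines appear unchanged apart from spacing in this commit, so this is a pre-existing quoting gap rather than something the reformat introduced.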


@ -27,8 +27,8 @@ RNDCCMD="$RNDC -s 10.53.0.1 -p ${CONTROLPORT} -c ../_common/rndc.conf"
echo_i "checking pre reload zone ($n)"
ret=0
$DIG $DIGOPTS soa database. @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep "hostmaster\.isc\.org" dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS soa database. @10.53.0.1 >dig.out.ns1.test$n || ret=1
grep "hostmaster\.isc\.org" dig.out.ns1.test$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -39,14 +39,13 @@ $RNDCCMD reload 2>&1 >/dev/null
echo_i "checking post reload zone ($n)"
ret=1
try=0
while test $try -lt 6
do
sleep 1
ret=0
$DIG $DIGOPTS soa database. @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep "marka\.isc\.org" dig.out.ns1.test$n > /dev/null || ret=1
try=$((try + 1))
test $ret -eq 0 && break
while test $try -lt 6; do
sleep 1
ret=0
$DIG $DIGOPTS soa database. @10.53.0.1 >dig.out.ns1.test$n || ret=1
grep "marka\.isc\.org" dig.out.ns1.test$n >/dev/null || ret=1
try=$((try + 1))
test $ret -eq 0 && break
done
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi


@ -23,21 +23,19 @@ DIGOPTS="+norec +tcp +noadd +nosea +nostat +noquest +nocmd -p ${PORT}"
# Check the example. domain
$DIG $DIGOPTS example. @10.53.0.1 soa > dig.out.ns1.test || ret=1
$DIG $DIGOPTS example. @10.53.0.1 soa >dig.out.ns1.test || ret=1
echo_i "checking that first zone transfer worked"
ret=0
try=0
while test $try -lt 120
do
$DIG $DIGOPTS example. @10.53.0.2 soa > dig.out.ns2.test || ret=1
if grep SERVFAIL dig.out.ns2.test > /dev/null
then
try=$((try + 1))
sleep 1
else
digcomp dig.out.ns1.test dig.out.ns2.test || ret=1
break;
fi
while test $try -lt 120; do
$DIG $DIGOPTS example. @10.53.0.2 soa >dig.out.ns2.test || ret=1
if grep SERVFAIL dig.out.ns2.test >/dev/null; then
try=$((try + 1))
sleep 1
else
digcomp dig.out.ns1.test dig.out.ns2.test || ret=1
break
fi
done
echo_i "try $try"
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -46,17 +44,15 @@ status=$((status + ret))
echo_i "checking that second zone transfer worked"
ret=0
try=0
while test $try -lt 120
do
$DIG $DIGOPTS example. @10.53.0.3 soa > dig.out.ns3.test || ret=1
if grep SERVFAIL dig.out.ns3.test > /dev/null
then
try=$((try + 1))
sleep 1
else
digcomp dig.out.ns1.test dig.out.ns3.test || ret=1
break;
fi
while test $try -lt 120; do
$DIG $DIGOPTS example. @10.53.0.3 soa >dig.out.ns3.test || ret=1
if grep SERVFAIL dig.out.ns3.test >/dev/null; then
try=$((try + 1))
sleep 1
else
digcomp dig.out.ns1.test dig.out.ns3.test || ret=1
break
fi
done
echo_i "try $try"
if [ $ret != 0 ]; then echo_i "failed"; fi


@ -20,10 +20,10 @@ ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone example.)
cp example.db.in example.db
"$SIGNER" -Sz -f example.db -o example example.db.in > /dev/null 2>&1
"$SIGNER" -Sz -f example.db -o example example.db.in >/dev/null 2>&1
keyfile_to_key_id "$ksk" > keyid
grep -Ev '^;' < "$ksk.key" | cut -f 7- -d ' ' > keydata
keyfile_to_key_id "$ksk" >keyid
grep -Ev '^;' <"$ksk.key" | cut -f 7- -d ' ' >keydata
keyfile_to_initial_keys "$ksk" > ../ns3/anchor.dnskey
keyfile_to_initial_ds "$ksk" > ../ns3/anchor.ds
keyfile_to_initial_keys "$ksk" >../ns3/anchor.dnskey
keyfile_to_initial_ds "$ksk" >../ns3/anchor.ds


@ -13,16 +13,14 @@
. ../conf.sh
if ! ${PYTHON} -c 'import dns'
then
echo_i "python dns module is required"
exit 1
if ! ${PYTHON} -c 'import dns'; then
echo_i "python dns module is required"
exit 1
fi
if ! ${PERL} -MNet::DNS -e ''
then
echo_i "perl Net::DNS module is required"
exit 1
if ! ${PERL} -MNet::DNS -e ''; then
echo_i "perl Net::DNS module is required"
exit 1
fi
exit 0



@ -14,8 +14,8 @@
. ../conf.sh
$FEATURETEST --tsan && {
echo_i "TSAN - skipping dlzexternal test"
exit 255
echo_i "TSAN - skipping dlzexternal test"
exit 255
}
exit 0


@ -13,6 +13,6 @@
. ../conf.sh
$TSIGKEYGEN ddns-key.example.nil > ns1/ddns.key
$TSIGKEYGEN ddns-key.example.nil >ns1/ddns.key
copy_setports ns1/named.conf.in ns1/named.conf


@ -22,39 +22,39 @@ DIGOPTS="@10.53.0.1 -p ${PORT} +nocookie"
RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"
newtest() {
n=$((n + 1))
echo_i "${1} (${n})"
ret=0
n=$((n + 1))
echo_i "${1} (${n})"
ret=0
}
test_update() {
host="$1"
type="$2"
cmd="$3"
digout="$4"
should_fail="$5"
host="$1"
type="$2"
cmd="$3"
digout="$4"
should_fail="$5"
cat <<EOF > ns1/update.txt
cat <<EOF >ns1/update.txt
server 10.53.0.1 ${PORT}
update add $host $cmd
send
EOF
newtest "testing update for $host $type $cmd${comment:+ }$comment"
$NSUPDATE -k ns1/ddns.key ns1/update.txt > /dev/null 2>&1 || {
[ "$should_fail" ] || \
echo_i "update failed for $host $type $cmd"
return 1
}
newtest "testing update for $host $type $cmd${comment:+ }$comment"
$NSUPDATE -k ns1/ddns.key ns1/update.txt >/dev/null 2>&1 || {
[ "$should_fail" ] \
|| echo_i "update failed for $host $type $cmd"
return 1
}
out=$($DIG $DIGOPTS -t $type -q $host | grep -E "^$host")
lines=$(echo "$out" | grep "$digout" | wc -l)
[ $lines -eq 1 ] || {
[ "$should_fail" ] || \
echo_i "dig output incorrect for $host $type $cmd: $out"
return 1
}
return 0
out=$($DIG $DIGOPTS -t $type -q $host | grep -E "^$host")
lines=$(echo "$out" | grep "$digout" | wc -l)
[ $lines -eq 1 ] || {
[ "$should_fail" ] \
|| echo_i "dig output incorrect for $host $type $cmd: $out"
return 1
}
return 0
}
test_update testdc1.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1
@ -70,19 +70,19 @@ test_update deny.example.nil. TXT "86400 TXT helloworld" "helloworld" should_fai
status=$((status + ret))
newtest "testing nxrrset"
$DIG $DIGOPTS testdc1.example.nil AAAA > dig.out.$n || ret=1
grep "status: NOERROR" dig.out.$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.$n > /dev/null || ret=1
$DIG $DIGOPTS testdc1.example.nil AAAA >dig.out.$n || ret=1
grep "status: NOERROR" dig.out.$n >/dev/null || ret=1
grep "ANSWER: 0" dig.out.$n >/dev/null || ret=1
status=$((status + ret))
newtest "testing prerequisites are checked correctly"
cat > ns1/update.txt << EOF
cat >ns1/update.txt <<EOF
server 10.53.0.1 ${PORT}
prereq nxdomain testdc3.example.nil
update add testdc3.example.nil 86500 in a 10.53.0.12
send
EOF
$NSUPDATE -k ns1/ddns.key ns1/update.txt > /dev/null 2>&1 && ret=1
$NSUPDATE -k ns1/ddns.key ns1/update.txt >/dev/null 2>&1 && ret=1
out=$($DIG $DIGOPTS +short a testdc3.example.nil)
[ "$out" = "10.53.0.12" ] && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
@ -98,10 +98,10 @@ status=$((status + ret))
newtest "testing DLZ driver is cleaned up on reload"
rndc_reload ns1 10.53.0.1
for i in 0 1 2 3 4 5 6 7 8 9; do
ret=0
grep 'dlz_example: shutting down zone example.nil' ns1/named.run > /dev/null 2>&1 || ret=1
[ "$ret" -eq 0 ] && break
sleep 1
ret=0
grep 'dlz_example: shutting down zone example.nil' ns1/named.run >/dev/null 2>&1 || ret=1
[ "$ret" -eq 0 ] && break
sleep 1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
@ -111,53 +111,53 @@ test_update testdc1.alternate.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1
status=$((status + ret))
newtest "testing AXFR from DLZ drivers"
$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.example.ns1.test$n || ret=1
$DIG $DIGOPTS +noall +answer axfr example.nil >dig.out.example.ns1.test$n || ret=1
lines=$(cat dig.out.example.ns1.test$n | wc -l)
[ ${lines:-0} -eq 4 ] || ret=1
$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n || ret=1
$DIG $DIGOPTS +noall +answer axfr alternate.nil >dig.out.alternate.ns1.test$n || ret=1
lines=$(cat dig.out.alternate.ns1.test$n | wc -l)
[ ${lines:-0} -eq 5 ] || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
newtest "testing AXFR denied from DLZ drivers"
$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil > dig.out.example.ns1.test$n || ret=1
grep "; Transfer failed" dig.out.example.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n || ret=1
grep "; Transfer failed" dig.out.alternate.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil >dig.out.example.ns1.test$n || ret=1
grep "; Transfer failed" dig.out.example.ns1.test$n >/dev/null || ret=1
$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil >dig.out.alternate.ns1.test$n || ret=1
grep "; Transfer failed" dig.out.alternate.ns1.test$n >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
newtest "testing AXFR denied based on view ACL"
# 10.53.0.1 should be disallowed
$DIG $DIGOPTS -b 10.53.0.1 +noall +answer axfr example.org > dig.out.example.ns1.test$n.1 || ret=1
grep "; Transfer failed" dig.out.example.ns1.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS -b 10.53.0.1 +noall +answer axfr example.org >dig.out.example.ns1.test$n.1 || ret=1
grep "; Transfer failed" dig.out.example.ns1.test$n.1 >/dev/null || ret=1
# 10.53.0.2 should be allowed
$DIG $DIGOPTS -b 10.53.0.2 +noall +answer axfr example.org > dig.out.example.ns1.test$n.2 || ret=1
grep "; Transfer failed" dig.out.example.ns1.test$n.2 > /dev/null && ret=1
$DIG $DIGOPTS -b 10.53.0.2 +noall +answer axfr example.org >dig.out.example.ns1.test$n.2 || ret=1
grep "; Transfer failed" dig.out.example.ns1.test$n.2 >/dev/null && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
newtest "testing unsearched/unregistered DLZ zone is not found"
$DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n || ret=1
grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1
$DIG $DIGOPTS +noall +answer ns other.nil >dig.out.ns1.test$n || ret=1
grep "3600.IN.NS.other.nil." dig.out.ns1.test$n >/dev/null && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
newtest "testing unsearched/registered DLZ zone is found"
$DIG $DIGOPTS +noall +answer ns zone.nil > dig.out.ns1.test$n || ret=1
grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS +noall +answer ns zone.nil >dig.out.ns1.test$n || ret=1
grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
newtest "testing unsearched/registered DLZ zone is found"
$DIG $DIGOPTS +noall +answer ns zone.nil > dig.out.ns1.test$n || ret=1
grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS +noall +answer ns zone.nil >dig.out.ns1.test$n || ret=1
grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
newtest "testing correct behavior with findzone returning ISC_R_NOMORE"
$DIG $DIGOPTS +noall a test.example.com > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS +noall a test.example.com >/dev/null 2>&1 || ret=1
# we should only find one logged lookup per searched DLZ database
lines=$(grep "dlz_findzonedb.*test\.example\.com.*example.nil" ns1/named.run | wc -l)
[ $lines -eq 1 ] || ret=1
@ -167,13 +167,13 @@ lines=$(grep "dlz_findzonedb.*test\.example\.com.*alternate.nil" ns1/named.run |
status=$((status + ret))
newtest "testing findzone can return different results per client"
$DIG $DIGOPTS -b 10.53.0.1 +noall a test.example.net > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS -b 10.53.0.1 +noall a test.example.net >/dev/null 2>&1 || ret=1
# we should only find one logged lookup per searched DLZ database
lines=$(grep "dlz_findzonedb.*example\.net.*example.nil" ns1/named.run | wc -l)
[ $lines -eq 1 ] || ret=1
lines=$(grep "dlz_findzonedb.*example\.net.*alternate.nil" ns1/named.run | wc -l)
[ $lines -eq 1 ] || ret=1
$DIG $DIGOPTS -b 10.53.0.2 +noall a test.example.net > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS -b 10.53.0.2 +noall a test.example.net >/dev/null 2>&1 || ret=1
# we should find several logged lookups this time
lines=$(grep "dlz_findzonedb.*example\.net.*example.nil" ns1/named.run | wc -l)
[ $lines -gt 2 ] || ret=1
@ -183,47 +183,47 @@ lines=$(grep "dlz_findzonedb.*example\.net.*alternate.nil" ns1/named.run | wc -l
status=$((status + ret))
newtest "testing zone returning oversized data"
$DIG $DIGOPTS txt too-long.example.nil > dig.out.ns1.test$n 2>&1 || ret=1
grep "status: SERVFAIL" dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS txt too-long.example.nil >dig.out.ns1.test$n 2>&1 || ret=1
grep "status: SERVFAIL" dig.out.ns1.test$n >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
newtest "testing zone returning oversized data at zone origin"
$DIG $DIGOPTS txt bigcname.domain > dig.out.ns1.test$n 2>&1 || ret=1
grep "status: SERVFAIL" dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS txt bigcname.domain >dig.out.ns1.test$n 2>&1 || ret=1
grep "status: SERVFAIL" dig.out.ns1.test$n >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
newtest "checking redirected lookup for nonexistent name"
$DIG $DIGOPTS @10.53.0.1 unexists a > dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
grep "^unexists.*A.*100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.1 unexists a >dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1
grep "^unexists.*A.*100.100.100.2" dig.out.ns1.test$n >/dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
newtest "checking no redirected lookup for nonexistent type"
$DIG $DIGOPTS @10.53.0.1 exists aaaa > dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.1 exists aaaa >dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1
grep "ANSWER: 0" dig.out.ns1.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
newtest "checking redirected lookup for a long nonexistent name"
$DIG $DIGOPTS @10.53.0.1 long.name.is.not.there a > dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
grep "^long.name.*A.*100.100.100.3" dig.out.ns1.test$n > /dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.1 long.name.is.not.there a >dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1
grep "^long.name.*A.*100.100.100.3" dig.out.ns1.test$n >/dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n >/dev/null || ret=1
lookups=$(grep "lookup #.*\.not\.there" ns1/named.run | wc -l)
[ "$lookups" -eq 1 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
newtest "checking ECS data is passed to driver in clientinfo"
$DIG $DIGOPTS +short +subnet=192.0/16 source-addr.example.nil txt > dig.out.ns1.test$n.1 || ret=1
grep "192.0.0.0/16/0" dig.out.ns1.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS +short source-addr.example.nil txt > dig.out.ns1.test$n.2 || ret=1
grep "not.*present" dig.out.ns1.test$n.2 > /dev/null || ret=1
$DIG $DIGOPTS +short +subnet=192.0/16 source-addr.example.nil txt >dig.out.ns1.test$n.1 || ret=1
grep "192.0.0.0/16/0" dig.out.ns1.test$n.1 >/dev/null || ret=1
$DIG $DIGOPTS +short source-addr.example.nil txt >dig.out.ns1.test$n.2 || ret=1
grep "not.*present" dig.out.ns1.test$n.2 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))


@ -20,6 +20,6 @@ zonefile=signed.db
key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM $zone)
key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone)
cat $infile $key1.key $key2.key > $zonefile
cat $infile $key1.key $key2.key >$zonefile
$SIGNER -P -g -o $zone $zonefile > /dev/null
$SIGNER -P -g -o $zone $zonefile >/dev/null



@ -20,9 +20,9 @@ zone=.
infile=root.db.in
zonefile=root.db
(cd ../ns2 && $SHELL sign.sh )
(cd ../ns6 && $SHELL sign.sh )
(cd ../ns7 && $SHELL sign.sh )
(cd ../ns2 && $SHELL sign.sh)
(cd ../ns6 && $SHELL sign.sh)
(cd ../ns7 && $SHELL sign.sh)
echo_i "ns1/sign.sh"
@ -30,18 +30,18 @@ cp "../ns2/dsset-example." .
cp "../ns2/dsset-in-addr.arpa." .
cp "../ns2/dsset-too-many-iterations." .
grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll." > "dsset-algroll."
grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll." >"dsset-algroll."
cp "../ns6/dsset-optout-tld." .
ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
# Configure the resolving server with a staitc key.
keyfile_to_static_ds "$ksk" > trusted.conf
keyfile_to_static_ds "$ksk" >trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf
@ -49,14 +49,14 @@ cp trusted.conf ../ns6/trusted.conf
cp trusted.conf ../ns7/trusted.conf
cp trusted.conf ../ns9/trusted.conf
keyfile_to_trusted_keys "$ksk" > trusted.keys
keyfile_to_trusted_keys "$ksk" >trusted.keys
# ...or with an initializing key.
keyfile_to_initial_ds "$ksk" > managed.conf
keyfile_to_initial_ds "$ksk" >managed.conf
cp managed.conf ../ns4/managed.conf
#
# Save keyid for managed key id test.
#
keyfile_to_key_id "$ksk" > managed.key.id
keyfile_to_key_id "$ksk" >managed.key.id
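Review bot: The three `(cd ../nsN && $SHELL sign.sh)` subshells at the top of this section only abort the script on a failed child signing run if `set -e` is in effect from the part of the file above the hunk; otherwise the failure is silently ignored and the script only trips later on the `cp "../ns2/dsset-..." .` lines with a less useful message. If `set -e` is not already active there, making the intent explicit costs one line each, e.g. `(cd ../ns2 && $SHELL sign.sh) || exit 1`. Relatedly, `"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1` discards the signer's stderr, so when signing does fail the only evidence left is the exit status; dropping `2>&1` (or redirecting stderr to a log file) keeps the diagnostic. The context comment `# Configure the resolving server with a staitc key.` should read `static`. The file's preamble, including any `set -e`, is outside the hunk.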


@ -17,15 +17,14 @@
set -e
# Sign child zones (served by ns3).
( cd ../ns3 && $SHELL sign.sh )
(cd ../ns3 && $SHELL sign.sh)
echo_i "ns2/sign.sh"
# Get the DS records for the "trusted." and "managed." zones.
for subdomain in secure unsupported disabled enabled
do
cp "../ns3/dsset-$subdomain.managed." .
cp "../ns3/dsset-$subdomain.trusted." .
for subdomain in secure unsupported disabled enabled; do
cp "../ns3/dsset-$subdomain.managed." .
cp "../ns3/dsset-$subdomain.trusted." .
done
# Sign the "trusted." and "managed." zones.
@ -36,9 +35,9 @@ zonefile=managed.db
keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
zone=trusted.
infile=key.db.in
@ -47,9 +46,9 @@ zonefile=trusted.db
keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
# The "example." zone.
zone=example.
@ -58,23 +57,22 @@ zonefile=example.db
# Get the DS records for the "example." zone.
for subdomain in secure badds bogus dynamic keyless nsec3 optout \
nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
ttlpatch split-dnssec split-smart expired expiring upper lower \
dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
dnskey-nsec3-unknown managed-future revkey \
dname-at-apex-nsec3 occluded
do
cp "../ns3/dsset-$subdomain.example." .
nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
ttlpatch split-dnssec split-smart expired expiring upper lower \
dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
dnskey-nsec3-unknown managed-future revkey \
dname-at-apex-nsec3 occluded; do
cp "../ns3/dsset-$subdomain.example." .
done
# Sign the "example." zone.
keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
#
# lower/uppercase the signature bits with the exception of the last characters
@ -82,8 +80,8 @@ cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
#
zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1
"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" |
awk '
"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" \
| awk '
tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME" {
for (i = 1; i <= NF; i++ ) {
if (i <= 12) {
@ -122,7 +120,7 @@ tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME" {
next;
}
{ print; }' > "$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed"
{ print; }' >"$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed"
#
# signed in-addr.arpa w/ a delegation for 10.in-addr.arpa which is unsigned.
@ -134,8 +132,8 @@ zonefile=in-addr.arpa.db
keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
# Sign the badparam secure file
@ -146,11 +144,11 @@ zonefile=badparam.db
keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
"$SIGNER" -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
"$SIGNER" -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" > "$zonefile.bad"
sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" >"$zonefile.bad"
# Sign the single-nsec3 secure zone with optout
@ -161,9 +159,9 @@ zonefile=single-nsec3.db
keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
#
# algroll has just has the old DNSKEY records removed and is waiting
@ -179,9 +177,9 @@ keyold2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zon
keynew1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keynew2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile"
cat "$infile" "$keynew1.key" "$keynew2.key" >"$zonefile"
"$SIGNER" -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null 2>&1
"$SIGNER" -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" >/dev/null 2>&1
#
# Make a zone big enough that it takes several seconds to generate a new
@ -189,7 +187,7 @@ cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile"
#
zone=nsec3chain-test
zonefile=nsec3chain-test.db
cat > "$zonefile" << EOF
cat >"$zonefile" <<EOF
\$TTL 10
@ 10 SOA ns2 hostmaster 0 3600 1200 864000 1200
@ 10 NS ns2
@ -199,22 +197,22 @@ ns3 10 A 10.53.0.3
EOF
i=1
while [ $i -le 300 ]; do
echo "host$i 10 IN NS ns.elsewhere"
i=$((i+1))
done >> "$zonefile"
echo "host$i 10 IN NS ns.elsewhere"
i=$((i + 1))
done >>"$zonefile"
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$key1.key" "$key2.key" >> "$zonefile"
"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null 2>&1
cat "$key1.key" "$key2.key" >>"$zonefile"
"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" >/dev/null 2>&1
zone=cds.secure
infile=cds.secure.db.in
zonefile=cds.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
"$DSFROMKEY" -C "$key1.key" >"$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cds-x.secure
infile=cds.secure.db.in
@ -222,43 +220,43 @@ zonefile=cds-x.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
"$DSFROMKEY" -C "$key2.key" > "$key2.cds"
cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" > "$zonefile"
"$SIGNER" -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
"$DSFROMKEY" -C "$key2.key" >"$key2.cds"
cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" >"$zonefile"
"$SIGNER" -g -x -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cds-update.secure
infile=cds-update.secure.db.in
zonefile=cds-update.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cds-kskonly.secure
infile=cds-kskonly.secure.db.in
zonefile=cds-kskonly.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
keyfile_to_key_id "$key1" > cds-kskonly.secure.id
cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
keyfile_to_key_id "$key1" >cds-kskonly.secure.id
zone=cds-auto.secure
infile=cds-auto.secure.db.in
zonefile=cds-auto.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
$SETTIME -P sync now "$key1" > /dev/null
cat "$infile" > "$zonefile.signed"
$SETTIME -P sync now "$key1" >/dev/null
cat "$infile" >"$zonefile.signed"
zone=cdnskey.secure
infile=cdnskey.secure.db.in
zonefile=cdnskey.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cds" > "$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >"$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cdnskey-x.secure
infile=cdnskey.secure.db.in
@ -266,34 +264,34 @@ zonefile=cdnskey-x.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" > "$zonefile"
"$SIGNER" -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" >"$zonefile"
"$SIGNER" -g -x -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cdnskey-update.secure
infile=cdnskey-update.secure.db.in
zonefile=cdnskey-update.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cdnskey-kskonly.secure
infile=cdnskey-kskonly.secure.db.in
zonefile=cdnskey-kskonly.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
keyfile_to_key_id "$key1" > cdnskey-kskonly.secure.id
cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
keyfile_to_key_id "$key1" >cdnskey-kskonly.secure.id
zone=cdnskey-auto.secure
infile=cdnskey-auto.secure.db.in
zonefile=cdnskey-auto.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
$SETTIME -P sync now "$key1" > /dev/null
cat "$infile" > "$zonefile.signed"
$SETTIME -P sync now "$key1" >/dev/null
cat "$infile" >"$zonefile.signed"
zone=updatecheck-kskonly.secure
infile=template.secure.db.in
@ -301,14 +299,14 @@ zonefile=${zone}.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
# Save key id's for checking active key usage
keyfile_to_key_id "$key1" > $zone.ksk.id
keyfile_to_key_id "$key2" > $zone.zsk.id
echo "${key1}" > $zone.ksk.key
echo "${key2}" > $zone.zsk.key
keyfile_to_key_id "$key1" >$zone.ksk.id
keyfile_to_key_id "$key2" >$zone.zsk.id
echo "${key1}" >$zone.ksk.key
echo "${key2}" >$zone.zsk.key
# Add CDS and CDNSKEY records
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cdnskey"
"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" > "$zonefile"
sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cdnskey"
"$DSFROMKEY" -C "$key1.key" >"$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" >"$zonefile"
# Don't sign, let auto-dnssec maintain do it.
mv $zonefile "$zonefile.signed"
@ -317,8 +315,8 @@ infile=hours-vs-days.db.in
zonefile=hours-vs-days.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
$SETTIME -P sync now "$key1" > /dev/null
cat "$infile" > "$zonefile.signed"
$SETTIME -P sync now "$key1" >/dev/null
cat "$infile" >"$zonefile.signed"
#
# Negative result from this zone should come back as insecure.
@ -328,5 +326,5 @@ infile=too-many-iterations.db.in
zonefile=too-many-iterations.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" > /dev/null 2>&1
cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" >/dev/null 2>&1
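Review bot: The `"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" | awk '...' >"$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed"` pipeline in the signature-case-mangling hunk is not protected by this file's `set -e`: the pipeline's status is awk's, so a failing `$CHECKZONE` still yields status 0 and an empty or truncated file is moved over `$zonefile.signed`, which later tests would then read as the signed zone. Because this script appears to be run via `$SHELL` (see the `(cd ../ns3 && $SHELL sign.sh)` line) and `pipefail` is not available in every `sh`, the portable form is to capture the dump first and check it, e.g. `"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" >"$zonefiletmp.in" || exit 1` followed by `awk '...' "$zonefiletmp.in" >"$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed"` (and removing the `.in` file afterwards). Separately, shfmt left `cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile` in the cds.secure hunk and the `>$zone.ksk.id` / `>$zone.zsk.key` / `mv $zonefile "$zonefile.signed"` lines in the updatecheck-kskonly hunk unquoted, unlike every neighbouring redirection; quoting them keeps the file consistent with itself and ShellCheck-clean.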


@ -19,61 +19,60 @@ set -e
echo_i "ns3/sign.sh"
infile=key.db.in
for tld in managed trusted
do
# A secure zone to test.
zone=secure.${tld}
zonefile=${zone}.db
for tld in managed trusted; do
# A secure zone to test.
zone=secure.${tld}
zonefile=${zone}.db
keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" > "$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" >"$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null
# Zone to test trust anchor that matches disabled algorithm.
zone=disabled.${tld}
zonefile=${zone}.db
# Zone to test trust anchor that matches disabled algorithm.
zone=disabled.${tld}
zonefile=${zone}.db
keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
cat "$infile" "$keyname2.key" > "$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
cat "$infile" "$keyname2.key" >"$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null
# Zone to test trust anchor that has disabled algorithm for other domain.
zone=enabled.${tld}
zonefile=${zone}.db
# Zone to test trust anchor that has disabled algorithm for other domain.
zone=enabled.${tld}
zonefile=${zone}.db
keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
cat "$infile" "$keyname3.key" > "$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
cat "$infile" "$keyname3.key" >"$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null
# Zone to test trust anchor with unsupported algorithm.
zone=unsupported.${tld}
zonefile=${zone}.db
# Zone to test trust anchor with unsupported algorithm.
zone=unsupported.${tld}
zonefile=${zone}.db
keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname4.key" > "$zonefile"
"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed
keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname4.key" >"$zonefile"
"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null
awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp >${zonefile}.signed
# Make trusted-keys and managed keys conf sections for ns8.
mv ${keyname4}.key ${keyname4}.tmp
awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname4}.tmp > ${keyname4}.key
# Make trusted-keys and managed keys conf sections for ns8.
mv ${keyname4}.key ${keyname4}.tmp
awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname4}.tmp >${keyname4}.key
# Zone to test trust anchor that is revoked.
zone=revoked.${tld}
zonefile=${zone}.db
# Zone to test trust anchor that is revoked.
zone=revoked.${tld}
zonefile=${zone}.db
keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname5.key" > "$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname5.key" >"$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null
case $tld in
"managed")
keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 > ../ns8/managed.conf
;;
"trusted")
keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 > ../ns8/trusted.conf
;;
esac
case $tld in
"managed")
keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns8/managed.conf
;;
"trusted")
keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns8/trusted.conf
;;
esac
done
echo_i "ns3/sign.sh: example zones"
@ -86,9 +85,9 @@ cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n
dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone")
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" > "$zonefile"
cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile"
"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
zone=bogus.example.
infile=bogus.example.db.in
@ -96,9 +95,9 @@ zonefile=bogus.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
zone=dynamic.example.
infile=dynamic.example.db.in
@ -107,9 +106,9 @@ zonefile=dynamic.example.db
keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
"$SIGNER" -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -o "$zone" "$zonefile" >/dev/null
zone=keyless.example.
infile=generic.example.db.in
@ -117,16 +116,16 @@ zonefile=keyless.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
# Change the signer field of the a.b.keyless.example RRSIG A
# to point to a provably nonexistent DNSKEY record.
zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1
mv "$zonefile.signed" "$zonefiletmp"
<"$zonefiletmp" "$PERL" -p -e 's/ keyless.example/ b.keyless.example/
if /^a.b.keyless.example/../A RRSIG NSEC/;' > "$zonefile.signed"
"$PERL" <"$zonefiletmp" -p -e 's/ keyless.example/ b.keyless.example/
if /^a.b.keyless.example/../A RRSIG NSEC/;' >"$zonefile.signed"
rm -f "$zonefiletmp"
#
@ -138,9 +137,9 @@ zonefile=secure.nsec3.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
#
# NSEC3/NSEC3 test zone
@ -151,9 +150,9 @@ zonefile=nsec3.nsec3.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -3 - -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -3 - -o "$zone" "$zonefile" >/dev/null
#
# OPTOUT/NSEC3 test zone
@ -164,9 +163,9 @@ zonefile=optout.nsec3.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" >/dev/null
#
# A nsec3 zone (non-optout).
@ -177,9 +176,9 @@ zonefile=nsec3.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -g -3 - -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -g -3 - -o "$zone" "$zonefile" >/dev/null
#
# OPTOUT/NSEC test zone
@ -190,9 +189,9 @@ zonefile=secure.optout.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
#
# OPTOUT/NSEC3 test zone
@ -203,9 +202,9 @@ zonefile=nsec3.optout.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -3 - -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -3 - -o "$zone" "$zonefile" >/dev/null
#
# OPTOUT/OPTOUT test zone
@ -216,9 +215,9 @@ zonefile=optout.optout.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" >/dev/null
#
# A optout nsec3 zone.
@ -229,9 +228,9 @@ zonefile=optout.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -g -3 - -A -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -g -3 - -A -o "$zone" "$zonefile" >/dev/null
#
# A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U).
@ -242,9 +241,9 @@ zonefile=nsec3-unknown.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -3 - -PU -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -3 - -PU -o "$zone" "$zonefile" >/dev/null
#
# A optout nsec3 zone with a unknown nsec3 hash algorithm (-U).
@ -255,9 +254,9 @@ zonefile=optout-unknown.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -3 - -PU -A -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -z -3 - -PU -A -o "$zone" "$zonefile" >/dev/null
#
# A zone that is signed with an unknown DNSKEY algorithm.
@ -269,14 +268,14 @@ zonefile=dnskey-unknown.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null
awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp > ${zonefile}.signed
awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp >${zonefile}.signed
DSFILE="dsset-${zone}."
$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE"
#
# A zone that is signed with an unsupported DNSKEY algorithm (3).
@ -288,14 +287,14 @@ zonefile=dnskey-unsupported.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null
awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed
awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp >${zonefile}.signed
DSFILE="dsset-${zone}."
$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE"
#
# A zone with a published unsupported DNSKEY algorithm (Reserved).
@ -308,9 +307,9 @@ zonefile=dnskey-unsupported-2.example.db
ksk=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile"
cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key >"$zonefile"
"$SIGNER" -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null
"$SIGNER" -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" >/dev/null
#
# A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
@ -322,14 +321,14 @@ zonefile=dnskey-nsec3-unknown.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -3 - -o "$zone" -PU -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
"$SIGNER" -z -3 - -o "$zone" -PU -O full -f ${zonefile}.tmp "$zonefile" >/dev/null
awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp >${zonefile}.signed
DSFILE="dsset-${zone}."
$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE"
#
# A multiple parameter nsec3 zone.
@ -340,20 +339,20 @@ zonefile=multiple.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -O full -o "$zone" "$zonefile" > /dev/null
awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed > NSEC
"$SIGNER" -z -O full -u3 - -o "$zone" "$zonefile" > /dev/null
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed > NSEC3
"$SIGNER" -z -O full -u3 AAAA -o "$zone" "$zonefile" > /dev/null
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3
"$SIGNER" -z -O full -u3 BBBB -o "$zone" "$zonefile" > /dev/null
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3
"$SIGNER" -z -O full -u3 CCCC -o "$zone" "$zonefile" > /dev/null
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3
"$SIGNER" -z -O full -u3 DDDD -o "$zone" "$zonefile" > /dev/null
cat NSEC NSEC3 >> "$zonefile".signed
"$SIGNER" -z -O full -o "$zone" "$zonefile" >/dev/null
awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed >NSEC
"$SIGNER" -z -O full -u3 - -o "$zone" "$zonefile" >/dev/null
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >NSEC3
"$SIGNER" -z -O full -u3 AAAA -o "$zone" "$zonefile" >/dev/null
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3
"$SIGNER" -z -O full -u3 BBBB -o "$zone" "$zonefile" >/dev/null
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3
"$SIGNER" -z -O full -u3 CCCC -o "$zone" "$zonefile" >/dev/null
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3
"$SIGNER" -z -O full -u3 DDDD -o "$zone" "$zonefile" >/dev/null
cat NSEC NSEC3 >>"$zonefile".signed
#
# A RSASHA256 zone.
@ -364,9 +363,9 @@ zonefile=rsasha256.example.db
keyname=$("$KEYGEN" -q -a RSASHA256 -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
#
# A RSASHA512 zone.
@ -377,9 +376,9 @@ zonefile=rsasha512.example.db
keyname=$("$KEYGEN" -q -a RSASHA512 -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
#
# A zone with the DNSKEY set only signed by the KSK
@ -390,8 +389,8 @@ zonefile=kskonly.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -x -o "$zone" "$zonefile" > /dev/null
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -x -o "$zone" "$zonefile" >/dev/null
#
# A zone with the expired signatures
@ -402,8 +401,8 @@ zonefile=expired.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" > /dev/null
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" >/dev/null
rm -f "$kskname.*" "$zskname.*"
#
@ -415,8 +414,8 @@ zonefile=update-nsec3.example.db
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null
#
# A NSEC signed zone that will have auto-dnssec enabled and
@ -430,8 +429,8 @@ kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
#
# A NSEC3 signed zone that will have auto-dnssec enabled and
@ -445,8 +444,8 @@ kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone"
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null
#
# Secure below cname test zone.
@ -455,8 +454,8 @@ zone=secure.below-cname.example.
infile=secure.below-cname.example.db.in
zonefile=secure.below-cname.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
#
# Patched TTL test zone.
@ -468,11 +467,11 @@ signedfile=ttlpatch.example.db.signed
patchedfile=ttlpatch.example.db.patched
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" > /dev/null
$CHECKZONE -D -s full "$zone" $signedfile 2> /dev/null | \
awk '{$2 = "3600"; print}' > $patchedfile
"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" >/dev/null
$CHECKZONE -D -s full "$zone" $signedfile 2>/dev/null \
| awk '{$2 = "3600"; print}' >$patchedfile
#
# Separate DNSSEC records.
@ -483,10 +482,10 @@ zonefile=split-dnssec.example.db
signedfile=split-dnssec.example.db.signed
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
echo "\$INCLUDE \"$signedfile\"" >> "$zonefile"
: > "$signedfile"
"$SIGNER" -P -D -o "$zone" "$zonefile" > /dev/null
cat "$infile" "$keyname.key" >"$zonefile"
echo "\$INCLUDE \"$signedfile\"" >>"$zonefile"
: >"$signedfile"
"$SIGNER" -P -D -o "$zone" "$zonefile" >/dev/null
#
# Separate DNSSEC records smart signing.
@ -499,9 +498,9 @@ signedfile=split-smart.example.db.signed
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cp "$infile" "$zonefile"
# shellcheck disable=SC2016
echo "\$INCLUDE \"$signedfile\"" >> "$zonefile"
: > "$signedfile"
"$SIGNER" -P -S -D -o "$zone" "$zonefile" > /dev/null
echo "\$INCLUDE \"$signedfile\"" >>"$zonefile"
: >"$signedfile"
"$SIGNER" -P -S -D -o "$zone" "$zonefile" >/dev/null
#
# Zone with signatures about to expire, but no private key to replace them
@ -513,7 +512,7 @@ signedfile="expiring.example.db.signed"
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" >/dev/null
mv -f "${zskname}.private" "${zskname}.private.moved"
mv -f "${kskname}.private" "${kskname}.private.moved"
@ -528,9 +527,9 @@ signedfile="upper.example.db.signed"
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" > /dev/null
$CHECKZONE -D upper.example $lower 2>/dev/null | \
sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' > $signedfile
"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" >/dev/null
$CHECKZONE -D upper.example $lower 2>/dev/null \
| sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' >$signedfile
#
# Check that the signer's name is in lower case when zone name is in
@ -543,7 +542,7 @@ signedfile="lower.example.db.signed"
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -P -S -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -S -o "$zone" "$zonefile" >/dev/null
#
# Zone with signatures about to expire, and dynamic, but configured
@ -556,11 +555,11 @@ signedfile="nosign.example.db.signed"
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" >/dev/null
# preserve a normalized copy of the NS RRSIG for comparison later
$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \
awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \
sed 's/[ ][ ]*/ /g'> ../nosign.before
$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null \
| awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' \
| sed 's/[ ][ ]*/ /g' >../nosign.before
#
# An inline signing zone
@ -581,7 +580,7 @@ kskname=$("$KEYGEN" -P "$now+90s" -A "$now+3600s" -q -a "$DEFAULT_ALGORITHM" -b
kskname=$("$KEYGEN" -I "$now+90s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -S -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -S -o "$zone" "$zonefile" >/dev/null
#
# A zone which will change its sig-validity-interval
@ -603,10 +602,10 @@ zonefile=badds.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
sed -e 's/bogus/badds/g' < dsset-bogus.example. > dsset-badds.example.
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
sed -e 's/bogus/badds/g' <dsset-bogus.example. >dsset-badds.example.
#
# A zone with future signatures.
@ -616,8 +615,8 @@ infile=future.example.db.in
zonefile=future.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" >/dev/null
cp -f "$kskname.key" trusted-future.key
#
@ -628,8 +627,8 @@ infile=managed-future.example.db.in
zonefile=managed-future.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" >/dev/null
#
# A zone with a revoked key
@ -643,8 +642,8 @@ ksk1=$("$REVOKE" "$ksk1")
ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3fk "$zone")
zsk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3 "$zone")
cat "$infile" "${ksk1}.key" "${ksk2}.key" "${zsk1}.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
cat "$infile" "${ksk1}.key" "${ksk2}.key" "${zsk1}.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
#
# Check that NSEC3 are correctly signed and returned from below a DNAME
@ -656,7 +655,7 @@ zonefile=dname-at-apex-nsec3.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3 "$zone")
cat "$infile" "${kskname}.key" "${zskname}.key" >"$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null
#
# A NSEC zone with occuded data at the delegation
@ -668,7 +667,7 @@ kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" "$zone")
dnskeyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "delegation.$zone")
keyname=$("$KEYGEN" -q -a DH -b 1024 -n HOST -T KEY "delegation.$zone")
$DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}."
$DSFROMKEY "$dnskeyname.key" >"dsset-delegation.${zone}."
cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \
"${dnskeyname}.key" "dsset-delegation.${zone}." >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
"${dnskeyname}.key" "dsset-delegation.${zone}." >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null


@ -25,15 +25,15 @@ zonefile=root.db.signed
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
# copy the KSK out first, then revoke it
keyfile_to_initial_ds "$keyname" > revoked.conf
keyfile_to_initial_ds "$keyname" >revoked.conf
"$SETTIME" -R now "${keyname}.key" > /dev/null
"$SETTIME" -R now "${keyname}.key" >/dev/null
# create a current set of keys, and sign the root zone
"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" $zone > /dev/null
"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK $zone > /dev/null
"$SIGNER" -S -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1
"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" $zone >/dev/null
"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK $zone >/dev/null
"$SIGNER" -S -o "$zone" -f "$zonefile" "$infile" >/dev/null 2>&1
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone ".")
keyfile_to_static_ds "$keyname" > trusted.conf
keyfile_to_static_ds "$keyname" >trusted.conf


@ -24,6 +24,6 @@ zonefile=optout-tld.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" >/dev/null 2>&1


@ -25,7 +25,7 @@ zonefile=split-rrsig.db
k1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
k2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$k1.key" "$k2.key" > "$zonefile"
cat "$infile" "$k1.key" "$k2.key" >"$zonefile"
# The awk script below achieves two goals:
#
@ -37,8 +37,8 @@ cat "$infile" "$k1.key" "$k2.key" > "$zonefile"
# - it places a copy of one of the RRSIG(SOA) records somewhere else than at the
# zone apex; the test then checks whether such signatures are automatically
# removed from the zone after it is loaded.
"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" >/dev/null 2>&1
awk 'BEGIN { r = ""; }
$4 == "RRSIG" && $5 == "SOA" && r == "" { r = $0; next; }
{ print }
END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" > "$zonefile.signed"
END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" >"$zonefile.signed"


@ -13,16 +13,14 @@
. ../conf.sh
if ! ${PYTHON} -c 'import dns'
then
echo_i "python dns module is required"
exit 1
if ! ${PYTHON} -c 'import dns'; then
echo_i "python dns module is required"
exit 1
fi
if ! ${PERL} -MNet::DNS -e ''
then
echo_i "perl Net::DNS module is required"
exit 1
if ! ${PERL} -MNet::DNS -e ''; then
echo_i "perl Net::DNS module is required"
exit 1
fi
exit 0


@ -32,21 +32,21 @@ copy_setports ns8/named.conf.in ns8/named.conf
copy_setports ns9/named.conf.in ns9/named.conf
(
cd ns1
$SHELL sign.sh
{
echo "a.bogus.example. A 10.0.0.22"
echo "b.bogus.example. A 10.0.0.23"
echo "c.bogus.example. A 10.0.0.23"
} >>../ns3/bogus.example.db.signed
cd ns1
$SHELL sign.sh
{
echo "a.bogus.example. A 10.0.0.22"
echo "b.bogus.example. A 10.0.0.23"
echo "c.bogus.example. A 10.0.0.23"
} >>../ns3/bogus.example.db.signed
)
(
cd ns3
cp -f siginterval1.conf siginterval.conf
cd ns3
cp -f siginterval1.conf siginterval.conf
)
(
cd ns5
$SHELL sign.sh
cd ns5
$SHELL sign.sh
)



@ -14,7 +14,7 @@
. ../conf.sh
$FEATURETEST --enable-dnstap || {
echo_i "This test requires dnstap support." >&2
exit 255
echo_i "This test requires dnstap support." >&2
exit 255
}
exit 0



@ -14,7 +14,7 @@
. ../conf.sh
$FEATURETEST --with-libnghttp2 || {
echo_i "This test requires libnghttp2 support." >&2
exit 255
echo_i "This test requires libnghttp2 support." >&2
exit 255
}
exit 0


@ -15,15 +15,15 @@
$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 2 >ns1/example.db
echo '; huge answer' >> ns1/example.db
echo '; huge answer' >>ns1/example.db
x=1
while [ $x -le 50 ]; do
y=1
while [ $y -le 50 ]; do
printf 'biganswer\t\tA\t\t10.10.%d.%d\n' $x $y >> ns1/example.db
y=$((y+1))
done
x=$((x+1))
y=1
while [ $y -le 50 ]; do
printf 'biganswer\t\tA\t\t10.10.%d.%d\n' $x $y >>ns1/example.db
y=$((y + 1))
done
x=$((x + 1))
done
copy_setports ns1/named.conf.in ns1/named.conf



@ -25,12 +25,12 @@ cp ../ns2/dsset-bad. .
key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
cat $infile $key1.key $key2.key > $zonefile
cat $infile $key1.key $key2.key >$zonefile
$SIGNER -P -g -o $zone $zonefile > /dev/null
$SIGNER -P -g -o $zone $zonefile >/dev/null
# Configure the resolving server with a static key.
keyfile_to_static_ds $key2 > trusted.conf
keyfile_to_static_ds $key2 >trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf


@ -28,16 +28,15 @@ keyname22=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone2)
cat $infile1 $keyname11.key $keyname12.key >$zonefile1
cat $infile2 $keyname21.key $keyname22.key >$zonefile2
$SIGNER -P -g -o $zone1 $zonefile1 > /dev/null
$SIGNER -P -g -o $zone2 $zonefile2 > /dev/null
$SIGNER -P -g -o $zone1 $zonefile1 >/dev/null
$SIGNER -P -g -o $zone2 $zonefile2 >/dev/null
DSFILENAME1=dsset-${zone1}.
DSFILENAME2=dsset-${zone2}.
$DSFROMKEY -a SHA-256 $keyname12 > $DSFILENAME1
$DSFROMKEY -a SHA-256 $keyname22 > $DSFILENAME2
$DSFROMKEY -a SHA-256 $keyname12 >$DSFILENAME1
$DSFROMKEY -a SHA-256 $keyname22 >$DSFILENAME2
algo=SHA-384
$DSFROMKEY -a $algo $keyname12 >> $DSFILENAME1
$DSFROMKEY -a $algo $keyname22 > $DSFILENAME2
$DSFROMKEY -a $algo $keyname12 >>$DSFILENAME1
$DSFROMKEY -a $algo $keyname22 >$DSFILENAME2


@ -25,9 +25,9 @@ DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
echo_i "checking that validation with enabled digest types works"
ret=0
$DIG $DIGOPTS a.good. @10.53.0.3 a > dig.out.good || ret=1
grep "status: NOERROR" dig.out.good > /dev/null || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.good > /dev/null || ret=1
$DIG $DIGOPTS a.good. @10.53.0.3 a >dig.out.good || ret=1
grep "status: NOERROR" dig.out.good >/dev/null || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.good >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -35,19 +35,19 @@ status=$((status + ret))
echo_i "checking that validation with no supported digest types and must-be-secure results in SERVFAIL"
ret=0
$DIG $DIGOPTS a.bad. @10.53.0.3 a > dig.out.bad || ret=1
grep "SERVFAIL" dig.out.bad > /dev/null || ret=1
$DIG $DIGOPTS a.bad. @10.53.0.3 a >dig.out.bad || ret=1
grep "SERVFAIL" dig.out.bad >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "checking that validation with no supported digest algorithms results in insecure"
ret=0
$DIG $DIGOPTS bad. @10.53.0.4 ds > dig.out.ds || ret=1
grep "NOERROR" dig.out.ds > /dev/null || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ds > /dev/null || ret=1
$DIG $DIGOPTS a.bad. @10.53.0.4 a > dig.out.insecure || ret=1
grep "NOERROR" dig.out.insecure > /dev/null || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.insecure > /dev/null && ret=1
$DIG $DIGOPTS bad. @10.53.0.4 ds >dig.out.ds || ret=1
grep "NOERROR" dig.out.ds >/dev/null || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ds >/dev/null || ret=1
$DIG $DIGOPTS a.bad. @10.53.0.4 a >dig.out.insecure || ret=1
grep "NOERROR" dig.out.insecure >/dev/null || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.insecure >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "exit status: $status"


@ -18,7 +18,7 @@ rm -rf keys/signing.test
mkdir -p keys/signing.test
timetodnssec() {
$PERL -e 'my ($S,$M,$H,$d,$m,$y,$x) = gmtime(@ARGV[0]);
$PERL -e 'my ($S,$M,$H,$d,$m,$y,$x) = gmtime(@ARGV[0]);
printf("%04u%02u%02u%02u%02u%02u\n", $y+1900,$m+1,$d,$H,$M,$S);' ${1}
}
@ -37,9 +37,8 @@ ZSK8=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK9=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
# clear all times on all keys
for FILEN in keys/signing.test/*.key
do
$SETTIME -P none -A none -R none -I none -D none $FILEN
for FILEN in keys/signing.test/*.key; do
$SETTIME -P none -A none -R none -I none -D none $FILEN
done
BASE=$(date +%s)


@ -20,4 +20,7 @@ test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
copy_setports ns1/named.conf.in ns1/named.conf
cp -f ns1/signing.test.db.in ns1/signing.test.db
(cd ns1; $SHELL ./reset_keys.sh)
(
cd ns1
$SHELL ./reset_keys.sh
)


@ -26,20 +26,20 @@ status=0
# - 2 x 500 signatures for a{0000-0499}.signing.test.
#
# for a total of 1008.
fully_signed () {
$DIG axfr signing.test -p ${PORT} @10.53.0.1 > "dig.out.ns1.axfr"
awk 'BEGIN { lines = 0 }
fully_signed() {
$DIG axfr signing.test -p ${PORT} @10.53.0.1 >"dig.out.ns1.axfr"
awk 'BEGIN { lines = 0 }
$4 == "RRSIG" {lines++}
END { if (lines != 1008) exit(1) }' < "dig.out.ns1.axfr"
END { if (lines != 1008) exit(1) }' <"dig.out.ns1.axfr"
}
# Wait for the last NSEC record in the zone to be signed. This is a lightweight
# alternative to avoid many AXFR requests while waiting for the zone to be
# fully signed.
_wait_for_last_nsec_signed() {
$DIG +dnssec a0499.signing.test -p ${PORT} @10.53.0.1 nsec > "dig.out.ns1.wait" || return 1
grep "signing.test\..*IN.*RRSIG.*signing.test" "dig.out.ns1.wait" > /dev/null || return 1
return 0
$DIG +dnssec a0499.signing.test -p ${PORT} @10.53.0.1 nsec >"dig.out.ns1.wait" || return 1
grep "signing.test\..*IN.*RRSIG.*signing.test" "dig.out.ns1.wait" >/dev/null || return 1
return 0
}
echo_i "wait for the zone to be fully signed"
@ -52,19 +52,18 @@ now=$start
end=$((start + 140))
while [ $now -lt $end ] && [ $status -eq 0 ]; do
et=$((now - start))
echo_i "............... $et ............"
$JOURNALPRINT ns1/signing.test.db.signed.jnl | $PERL check_journal.pl | cat_i
$DIG axfr signing.test -p ${PORT} @10.53.0.1 > dig.out.at$et
awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c | cat_i
lines=$(awk '$4 == "RRSIG" { print}' dig.out.at$et | wc -l)
if [ ${et} -ne 0 -a ${lines} -ne 1008 ]
then
echo_i "failed"
status=$((status + 1))
fi
sleep 5
now=$(date +%s)
et=$((now - start))
echo_i "............... $et ............"
$JOURNALPRINT ns1/signing.test.db.signed.jnl | $PERL check_journal.pl | cat_i
$DIG axfr signing.test -p ${PORT} @10.53.0.1 >dig.out.at$et
awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c | cat_i
lines=$(awk '$4 == "RRSIG" { print}' dig.out.at$et | wc -l)
if [ ${et} -ne 0 -a ${lines} -ne 1008 ]; then
echo_i "failed"
status=$((status + 1))
fi
sleep 5
now=$(date +%s)
done
echo_i "exit status: $status"
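Review bot: The reformatted condition `if [ ${et} -ne 0 -a ${lines} -ne 1008 ]; then` in the polling loop still uses the obsolescent `-a` operator, while the loop header a few lines above already uses the `[ … ] && [ … ]` form; `if [ "$et" -ne 0 ] && [ "$lines" -ne 1008 ]; then` makes the two consistent and avoids the ambiguous multi-operand form of `test`. The `lines` value is produced by piping `awk` into `wc -l`, whose output carries leading blanks on BSD/macOS `wc`; the arithmetic test tolerates that, but `lines=$(awk '$4 == "RRSIG" { n++ } END { print n+0 }' dig.out.at$et)` yields the count directly without the extra process. The whole loop body lies inside the hunk; the `fully_signed` helper defined in the first hunk of this file is not referenced by it as far as the visible lines show.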


@ -13,9 +13,9 @@
. ../conf.sh
$FEATURETEST --tsan && {
echo_i "TSAN - skipping dyndb test"
exit 255
$FEATURETEST --tsan && {
echo_i "TSAN - skipping dyndb test"
exit 255
}
exit 0


@ -22,99 +22,97 @@ DIGOPTS="@10.53.0.1 -p ${PORT}"
RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"
newtest() {
n=$((n + 1))
echo_i "${1} (${n})"
ret=0
n=$((n + 1))
echo_i "${1} (${n})"
ret=0
}
test_add() {
host="$1"
type="$2"
ip="$3"
host="$1"
type="$2"
ip="$3"
cat <<EOF > ns1/update.txt
cat <<EOF >ns1/update.txt
server 10.53.0.1 ${PORT}
ttl 86400
update add $host $type $ip
send
EOF
newtest "adding $host $type $ip"
$NSUPDATE ns1/update.txt > /dev/null 2>&1 || {
[ "$should_fail" ] || \
echo_i "update failed for $host $type $ip"
return 1
}
newtest "adding $host $type $ip"
$NSUPDATE ns1/update.txt >/dev/null 2>&1 || {
[ "$should_fail" ] \
|| echo_i "update failed for $host $type $ip"
return 1
}
out=$($DIG $DIGOPTS +noall +answer -t $type -q $host)
echo $out > added.a.out.$n
lines=$(echo "$out" | grep "$ip" | wc -l)
[ $lines -eq 1 ] || {
[ "$should_fail" ] || \
echo_i "dig output incorrect for $host $type $cmd: $out"
return 1
}
out=$($DIG $DIGOPTS +noall +answer -t $type -q $host)
echo $out >added.a.out.$n
lines=$(echo "$out" | grep "$ip" | wc -l)
[ $lines -eq 1 ] || {
[ "$should_fail" ] \
|| echo_i "dig output incorrect for $host $type $cmd: $out"
return 1
}
for i in 1 2 3 4 5 6 7 8 9 10
do
out=$($DIG $DIGOPTS +noall +answer -x $ip)
echo $out > added.ptr.out.$n
lines=$(echo "$out" | grep "$host" | wc -l)
[ $lines -eq 1 ] && break;
$PERL -e 'select(undef, undef, undef, 0.1);'
done
[ $lines -eq 1 ] || {
[ "$should_fail" ] || \
echo_i "dig reverse output incorrect for $host $type $cmd: $out"
return 1
}
for i in 1 2 3 4 5 6 7 8 9 10; do
out=$($DIG $DIGOPTS +noall +answer -x $ip)
echo $out >added.ptr.out.$n
lines=$(echo "$out" | grep "$host" | wc -l)
[ $lines -eq 1 ] && break
$PERL -e 'select(undef, undef, undef, 0.1);'
done
[ $lines -eq 1 ] || {
[ "$should_fail" ] \
|| echo_i "dig reverse output incorrect for $host $type $cmd: $out"
return 1
}
return 0
return 0
}
test_del() {
host="$1"
type="$2"
host="$1"
type="$2"
ip=$($DIG $DIGOPTS +short $host $type)
ip=$($DIG $DIGOPTS +short $host $type)
cat <<EOF > ns1/update.txt
cat <<EOF >ns1/update.txt
server 10.53.0.1 ${PORT}
update del $host $type
send
EOF
newtest "deleting $host $type (was $ip)"
$NSUPDATE ns1/update.txt > /dev/null 2>&1 || {
[ "$should_fail" ] || \
echo_i "update failed deleting $host $type"
return 1
}
newtest "deleting $host $type (was $ip)"
$NSUPDATE ns1/update.txt >/dev/null 2>&1 || {
[ "$should_fail" ] \
|| echo_i "update failed deleting $host $type"
return 1
}
out=$($DIG $DIGOPTS +noall +answer -t $type -q $host)
echo $out > deleted.a.out.$n
lines=$(echo "$out" | grep "$ip" | wc -l)
[ $lines -eq 0 ] || {
[ "$should_fail" ] || \
echo_i "dig output incorrect for $host $type $cmd: $out"
return 1
}
out=$($DIG $DIGOPTS +noall +answer -t $type -q $host)
echo $out >deleted.a.out.$n
lines=$(echo "$out" | grep "$ip" | wc -l)
[ $lines -eq 0 ] || {
[ "$should_fail" ] \
|| echo_i "dig output incorrect for $host $type $cmd: $out"
return 1
}
for i in 1 2 3 4 5 6 7 8 9 10
do
out=$($DIG $DIGOPTS +noall +answer -x $ip)
echo $out > deleted.ptr.out.$n
lines=$(echo "$out" | grep "$host" | wc -l)
[ $lines -eq 0 ] && break
$PERL -e 'select(undef, undef, undef, 0.1);'
done
[ $lines -eq 0 ] || {
[ "$should_fail" ] || \
echo_i "dig reverse output incorrect for $host $type $cmd: $out"
return 1
}
for i in 1 2 3 4 5 6 7 8 9 10; do
out=$($DIG $DIGOPTS +noall +answer -x $ip)
echo $out >deleted.ptr.out.$n
lines=$(echo "$out" | grep "$host" | wc -l)
[ $lines -eq 0 ] && break
$PERL -e 'select(undef, undef, undef, 0.1);'
done
[ $lines -eq 0 ] || {
[ "$should_fail" ] \
|| echo_i "dig reverse output incorrect for $host $type $cmd: $out"
return 1
}
return 0
return 0
}
test_add test1.ipv4.example.nil. A "10.53.0.10" || ret=1
@ -142,8 +140,8 @@ test_del test4.ipv6.example.nil. AAAA || ret=1
status=$((status + ret))
newtest "checking parameter logging"
grep "loading params for dyndb 'sample' from .*named.conf:" ns1/named.run > /dev/null || ret=1
grep "loading params for dyndb 'sample2' from .*named.conf:" ns1/named.run > /dev/null || ret=1
grep "loading params for dyndb 'sample' from .*named.conf:" ns1/named.run >/dev/null || ret=1
grep "loading params for dyndb 'sample2' from .*named.conf:" ns1/named.run >/dev/null || ret=1
[ $ret -eq 1 ] && echo_i "failed"
status=$((status + ret))
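Review bot: The match counts on the lines `lines=$(echo "$out" | grep "$ip" | wc -l)` and `lines=$(echo "$out" | grep "$host" | wc -l)` in test_add, and their counterparts in test_del, treat the address and host name as regular expressions, so the dots match any character and an answer for 10.53.0.100 would also satisfy a check for 10.53.0.10; `grep -F -- "$ip" | wc -l` and `grep -F -- "$host" | wc -l` compare them as fixed strings and keep the pipeline shape otherwise unchanged. The `$cmd` in the failure messages such as `echo_i "dig output incorrect for $host $type $cmd: $out"` is not assigned anywhere in either function as shown, so unless the caller sets it the messages print an empty field; `$type` looks like what was intended. Both functions are fully contained in the first hunk of this file.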


@ -24,34 +24,34 @@ echo_i "ns1/sign.sh"
cp $infile $zonefile
if [ -f ../ecdsa256-supported.file ]; then
zsk256=$($KEYGEN -q -a ECDSA256 -n zone "$zone")
ksk256=$($KEYGEN -q -a ECDSA256 -n zone -f KSK "$zone")
cat "$ksk256.key" "$zsk256.key" >> "$zonefile"
$DSFROMKEY -a sha-256 "$ksk256.key" >> dsset-256
zsk256=$($KEYGEN -q -a ECDSA256 -n zone "$zone")
ksk256=$($KEYGEN -q -a ECDSA256 -n zone -f KSK "$zone")
cat "$ksk256.key" "$zsk256.key" >>"$zonefile"
$DSFROMKEY -a sha-256 "$ksk256.key" >>dsset-256
fi
if [ -f ../ecdsa384-supported.file ]; then
zsk384=$($KEYGEN -q -a ECDSA384 -n zone "$zone")
ksk384=$($KEYGEN -q -a ECDSA384 -n zone -f KSK "$zone")
cat "$ksk384.key" "$zsk384.key" >> "$zonefile"
$DSFROMKEY -a sha-256 "$ksk384.key" >> dsset-256
zsk384=$($KEYGEN -q -a ECDSA384 -n zone "$zone")
ksk384=$($KEYGEN -q -a ECDSA384 -n zone -f KSK "$zone")
cat "$ksk384.key" "$zsk384.key" >>"$zonefile"
$DSFROMKEY -a sha-256 "$ksk384.key" >>dsset-256
fi
# Configure the resolving server with a static key.
if [ -f ../ecdsa256-supported.file ]; then
keyfile_to_static_ds $ksk256 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
keyfile_to_static_ds $ksk256 >trusted.conf
cp trusted.conf ../ns2/trusted.conf
else
keyfile_to_static_ds $ksk384 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
keyfile_to_static_ds $ksk384 >trusted.conf
cp trusted.conf ../ns2/trusted.conf
fi
if [ -f ../ecdsa384-supported.file ]; then
keyfile_to_static_ds $ksk384 > trusted.conf
cp trusted.conf ../ns3/trusted.conf
keyfile_to_static_ds $ksk384 >trusted.conf
cp trusted.conf ../ns3/trusted.conf
else
keyfile_to_static_ds $ksk256 > trusted.conf
cp trusted.conf ../ns3/trusted.conf
keyfile_to_static_ds $ksk256 >trusted.conf
cp trusted.conf ../ns3/trusted.conf
fi
$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err
$SIGNER -P -g -o "$zone" "$zonefile" >/dev/null 2>signer.err || cat signer.err
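Review bot: The last line, `$SIGNER -P -g -o "$zone" "$zonefile" >/dev/null 2>signer.err || cat signer.err`, turns a signing failure into a successful command list, so the script exits 0 and the unsigned zone file is carried into the test with only a stray message to explain later failures; `|| { cat signer.err; exit 1; }` keeps the diagnostic and propagates the failure. Whether the script runs under `set -e` is not visible in the hunk, but a `||` list is exempt from it either way, so the explicit exit is needed regardless. The `keyfile_to_static_ds $ksk256` and `keyfile_to_static_ds $ksk384` calls are unquoted while the rest of this file quotes the key names; `keyfile_to_static_ds "$ksk256"` would match the surrounding style.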


@ -16,17 +16,17 @@ set -e
. ../conf.sh
if $SHELL ../testcrypto.sh ecdsap256sha256; then
echo "yes" > ecdsa256-supported.file
echo "yes" >ecdsa256-supported.file
fi
if $SHELL ../testcrypto.sh ecdsap384sha384; then
echo "yes" > ecdsa384-supported.file
echo "yes" >ecdsa384-supported.file
fi
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
(
cd ns1
$SHELL sign.sh
cd ns1
$SHELL sign.sh
)


@ -19,35 +19,35 @@ status=0
n=0
dig_with_opts() {
"$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
"$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
}
if [ -f ecdsa256-supported.file ]; then
n=$((n+1))
echo_i "checking that ECDSA256 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n + 1))
echo_i "checking that ECDSA256 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa >dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.2 soa >dig.out.ns2.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
else
echo_i "algorithm ECDSA256 not supported, skipping test"
echo_i "algorithm ECDSA256 not supported, skipping test"
fi
if [ -f ecdsa384-supported.file ]; then
n=$((n+1))
echo_i "checking that ECDSA384 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.3 soa > dig.out.ns3.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n + 1))
echo_i "checking that ECDSA384 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa >dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.3 soa >dig.out.ns3.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
else
echo_i "algorithm ECDSA384 not supported, skipping test"
echo_i "algorithm ECDSA384 not supported, skipping test"
fi
echo_i "exit status: $status"


@ -24,34 +24,34 @@ echo_i "ns1/sign.sh"
cp $infile $zonefile
if [ -f ../ed25519-supported.file ]; then
zsk25519=$($KEYGEN -q -a ED25519 -n zone "$zone")
ksk25519=$($KEYGEN -q -a ED25519 -n zone -f KSK "$zone")
cat "$ksk25519.key" "$zsk25519.key" >> "$zonefile"
$DSFROMKEY -a sha-256 "$ksk25519.key" >> dsset-256
zsk25519=$($KEYGEN -q -a ED25519 -n zone "$zone")
ksk25519=$($KEYGEN -q -a ED25519 -n zone -f KSK "$zone")
cat "$ksk25519.key" "$zsk25519.key" >>"$zonefile"
$DSFROMKEY -a sha-256 "$ksk25519.key" >>dsset-256
fi
if [ -f ../ed448-supported.file ]; then
zsk448=$($KEYGEN -q -a ED448 -n zone "$zone")
ksk448=$($KEYGEN -q -a ED448 -n zone -f KSK "$zone")
cat "$ksk448.key" "$zsk448.key" >> "$zonefile"
$DSFROMKEY -a sha-256 "$ksk448.key" >> dsset-256
zsk448=$($KEYGEN -q -a ED448 -n zone "$zone")
ksk448=$($KEYGEN -q -a ED448 -n zone -f KSK "$zone")
cat "$ksk448.key" "$zsk448.key" >>"$zonefile"
$DSFROMKEY -a sha-256 "$ksk448.key" >>dsset-256
fi
# Configure the resolving server with a static key.
if [ -f ../ed25519-supported.file ]; then
keyfile_to_static_ds $ksk25519 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
keyfile_to_static_ds $ksk25519 >trusted.conf
cp trusted.conf ../ns2/trusted.conf
else
keyfile_to_static_ds $ksk448 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
keyfile_to_static_ds $ksk448 >trusted.conf
cp trusted.conf ../ns2/trusted.conf
fi
if [ -f ../ed448-supported.file ]; then
keyfile_to_static_ds $ksk448 > trusted.conf
cp trusted.conf ../ns3/trusted.conf
keyfile_to_static_ds $ksk448 >trusted.conf
cp trusted.conf ../ns3/trusted.conf
else
keyfile_to_static_ds $ksk25519 > trusted.conf
cp trusted.conf ../ns3/trusted.conf
keyfile_to_static_ds $ksk25519 >trusted.conf
cp trusted.conf ../ns3/trusted.conf
fi
$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err
$SIGNER -P -g -o "$zone" "$zonefile" >/dev/null 2>signer.err || cat signer.err


@ -27,12 +27,11 @@ cp $infile $zonefile
if [ -f ../ed25519-supported.file ]; then
for i in Xexample.com.+015+03613 Xexample.com.+015+35217
do
cp "$i.key" "$(echo $i.key | sed s/X/K/)"
cp "$i.private" "$(echo $i.private | sed s/X/K/)"
cat "$(echo $i.key | sed s/X/K/)" >> "$zonefile"
done
for i in Xexample.com.+015+03613 Xexample.com.+015+35217; do
cp "$i.key" "$(echo $i.key | sed s/X/K/)"
cp "$i.private" "$(echo $i.private | sed s/X/K/)"
cat "$(echo $i.key | sed s/X/K/)" >>"$zonefile"
done
fi
$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err
$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" >/dev/null 2>signer.err || cat signer.err


@ -26,12 +26,11 @@ echo_i "ns3/sign.sh"
cp $infile $zonefile
if [ -f ../ed448-supported.file ]; then
for i in Xexample.com.+016+09713 Xexample.com.+016+38353
do
cp "$i.key" "$(echo $i.key | sed s/X/K/)"
cp "$i.private" "$(echo $i.private | sed s/X/K/)"
cat "$(echo $i.key | sed s/X/K/)" >> "$zonefile"
done
for i in Xexample.com.+016+09713 Xexample.com.+016+38353; do
cp "$i.key" "$(echo $i.key | sed s/X/K/)"
cp "$i.private" "$(echo $i.private | sed s/X/K/)"
cat "$(echo $i.key | sed s/X/K/)" >>"$zonefile"
done
fi
$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err
$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" >/dev/null 2>signer.err || cat signer.err


@ -17,10 +17,10 @@ set -e
supported=0
if $SHELL ../testcrypto.sh ed25519; then
supported=1
supported=1
fi
if $SHELL ../testcrypto.sh ed448; then
supported=1
supported=1
fi
[ "$supported" -eq 1 ] || exit 1


@ -16,11 +16,11 @@ set -e
. ../conf.sh
if $SHELL ../testcrypto.sh ed25519; then
echo "yes" > ed25519-supported.file
echo "yes" >ed25519-supported.file
fi
if $SHELL ../testcrypto.sh ed448; then
echo "yes" > ed448-supported.file
echo "yes" >ed448-supported.file
fi
copy_setports ns1/named.conf.in ns1/named.conf
@ -28,14 +28,14 @@ copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
(
cd ns1
$SHELL sign.sh
cd ns1
$SHELL sign.sh
)
(
cd ns2
$SHELL sign.sh
cd ns2
$SHELL sign.sh
)
(
cd ns3
$SHELL sign.sh
cd ns3
$SHELL sign.sh
)


@ -19,68 +19,68 @@ status=0
n=0
dig_with_opts() {
"$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
"$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
}
if [ -f ed25519-supported.file ]; then
# Check the example. domain
n=$((n+1))
echo_i "checking that Ed25519 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
# Check the example. domain
n=$((n + 1))
echo_i "checking that Ed25519 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa >dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.2 soa >dig.out.ns2.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
# Check test vectors (RFC 8080 + errata)
n=$((n+1))
echo_i "checking that Ed25519 test vectors match ($n)"
ret=0
grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed > /dev/null || ret=1
grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed > /dev/null || ret=1
grep 'zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVi' ns2/example.com.db.signed > /dev/null || ret=1
grep 'R0O7KuI5k2pcBg==' ns2/example.com.db.signed > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
# Check test vectors (RFC 8080 + errata)
n=$((n + 1))
echo_i "checking that Ed25519 test vectors match ($n)"
ret=0
grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed >/dev/null || ret=1
grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed >/dev/null || ret=1
grep 'zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVi' ns2/example.com.db.signed >/dev/null || ret=1
grep 'R0O7KuI5k2pcBg==' ns2/example.com.db.signed >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
else
echo_i "algorithm Ed25519 not supported, skipping vectors match test"
echo_i "algorithm Ed25519 not supported, skipping vectors match test"
fi
n=$((n+1))
n=$((n + 1))
ret=0
if [ -f ed448-supported.file ]; then
# Check the example. domain
n=$((n+1))
echo_i "checking that Ed448 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.3 soa > dig.out.ns3.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
# Check the example. domain
n=$((n + 1))
echo_i "checking that Ed448 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa >dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.3 soa >dig.out.ns3.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
# Check test vectors (RFC 8080 + errata)
n=$((n+1))
echo_i "checking that Ed448 test vectors match ($n)"
ret=0
grep '3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLm' ns3/example.com.db.signed > /dev/null || ret=1
grep 'jInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKi' ns3/example.com.db.signed > /dev/null || ret=1
grep 'wZSAxGILn/NBtOXft0+Gj7FSvOKxE/07+4RQ' ns3/example.com.db.signed > /dev/null || ret=1
grep 'vE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213' ns3/example.com.db.signed > /dev/null || ret=1
grep 'WKsJlwEA' ns3/example.com.db.signed > /dev/null || ret=1
# Check test vectors (RFC 8080 + errata)
n=$((n + 1))
echo_i "checking that Ed448 test vectors match ($n)"
ret=0
grep '3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLm' ns3/example.com.db.signed >/dev/null || ret=1
grep 'jInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKi' ns3/example.com.db.signed >/dev/null || ret=1
grep 'wZSAxGILn/NBtOXft0+Gj7FSvOKxE/07+4RQ' ns3/example.com.db.signed >/dev/null || ret=1
grep 'vE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213' ns3/example.com.db.signed >/dev/null || ret=1
grep 'WKsJlwEA' ns3/example.com.db.signed >/dev/null || ret=1
grep 'E1/oLjSGIbmLny/4fcgM1z4oL6aqo+izT3ur' ns3/example.com.db.signed > /dev/null || ret=1
grep 'CyHyvEp4Sp8Syg1eI+lJ57CSnZqjJP41O/9l' ns3/example.com.db.signed > /dev/null || ret=1
grep '4m0AsQ4f7qI1gVnML8vWWiyW2KXhT9kuAICU' ns3/example.com.db.signed > /dev/null || ret=1
grep 'Sxv5OWbf81Rq7Yu60npabODB0QFPb/rkW3kU' ns3/example.com.db.signed > /dev/null || ret=1
grep 'ZmQ0YQUA' ns3/example.com.db.signed > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
grep 'E1/oLjSGIbmLny/4fcgM1z4oL6aqo+izT3ur' ns3/example.com.db.signed >/dev/null || ret=1
grep 'CyHyvEp4Sp8Syg1eI+lJ57CSnZqjJP41O/9l' ns3/example.com.db.signed >/dev/null || ret=1
grep '4m0AsQ4f7qI1gVnML8vWWiyW2KXhT9kuAICU' ns3/example.com.db.signed >/dev/null || ret=1
grep 'Sxv5OWbf81Rq7Yu60npabODB0QFPb/rkW3kU' ns3/example.com.db.signed >/dev/null || ret=1
grep 'ZmQ0YQUA' ns3/example.com.db.signed >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
else
echo_i "algorithm Ed448 not supported, skipping vectors match test"
echo_i "algorithm Ed448 not supported, skipping vectors match test"
fi
echo_i "exit status: $status"


@ -24,88 +24,163 @@ zone=.
n=$((n + 1))
echo_i "check +edns=100 sets version 100 ($n)"
ret=0 reason=
$DIG $DIGOPTS @10.53.0.1 +qr +edns=100 soa $zone > dig.out$n || ret=1
grep "EDNS: version: 100," dig.out$n > /dev/null || { ret=1; reason="version"; }
$DIG $DIGOPTS @10.53.0.1 +qr +edns=100 soa $zone >dig.out$n || ret=1
grep "EDNS: version: 100," dig.out$n >/dev/null || {
ret=1
reason="version"
}
if [ $ret != 0 ]; then echo_i "failed $reason"; fi
status=$((status + ret))
n=$((n + 1))
ret=0 reason=
echo_i "check +ednsopt=100 adds option 100 ($n)"
$DIG $DIGOPTS @10.53.0.1 +qr +ednsopt=100 soa $zone > dig.out$n || ret=1
grep "; OPT=100" dig.out$n > /dev/null || { ret=1; reason="option"; }
$DIG $DIGOPTS @10.53.0.1 +qr +ednsopt=100 soa $zone >dig.out$n || ret=1
grep "; OPT=100" dig.out$n >/dev/null || {
ret=1
reason="option"
}
if [ $ret != 0 ]; then echo_i "failed $reason"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "check +ednsflags=0x80 sets flags to 0x0080 ($n)"
ret=0 reason=
$DIG $DIGOPTS @10.53.0.1 +qr +ednsflags=0x80 soa $zone > dig.out$n || ret=1
grep "MBZ: 0x0080," dig.out$n > /dev/null || { ret=1; reason="flags"; }
$DIG $DIGOPTS @10.53.0.1 +qr +ednsflags=0x80 soa $zone >dig.out$n || ret=1
grep "MBZ: 0x0080," dig.out$n >/dev/null || {
ret=1
reason="flags"
}
if [ $ret != 0 ]; then echo_i "failed $reason"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "Unknown EDNS version ($n)"
ret=0 reason=
$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsnegotiation soa $zone > dig.out$n || ret=1
grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; }
grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reason="soa"; }
$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsnegotiation soa $zone >dig.out$n || ret=1
grep "status: BADVERS," dig.out$n >/dev/null || {
ret=1
reason="status"
}
grep "EDNS: version: 0," dig.out$n >/dev/null || {
ret=1
reason="version"
}
grep "IN.SOA." dig.out$n >/dev/null && {
ret=1
reason="soa"
}
if [ $ret != 0 ]; then echo_i "failed $reason"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "Unknown EDNS option ($n)"
ret=0 reason=
$DIG $DIGOPTS @10.53.0.1 +ednsopt=100 soa $zone > dig.out$n || ret=1
grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; }
grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
grep "; OPT=100" dig.out$n > /dev/null && { ret=1; reason="option"; }
grep "IN.SOA." dig.out$n > /dev/null || { ret=1; reason="nosoa"; }
$DIG $DIGOPTS @10.53.0.1 +ednsopt=100 soa $zone >dig.out$n || ret=1
grep "status: NOERROR," dig.out$n >/dev/null || {
ret=1
reason="status"
}
grep "EDNS: version: 0," dig.out$n >/dev/null || {
ret=1
reason="version"
}
grep "; OPT=100" dig.out$n >/dev/null && {
ret=1
reason="option"
}
grep "IN.SOA." dig.out$n >/dev/null || {
ret=1
reason="nosoa"
}
if [ $ret != 0 ]; then echo_i "failed $reason"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "Unknown EDNS version + option ($n)"
ret=0 reason=
$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsopt=100 soa $zone > dig.out$n || ret=1
grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; }
grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
grep "; OPT=100" dig.out$n > /dev/null && { ret=1; reason="option"; }
grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reason="soa"; }
$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsopt=100 soa $zone >dig.out$n || ret=1
grep "status: BADVERS," dig.out$n >/dev/null || {
ret=1
reason="status"
}
grep "EDNS: version: 0," dig.out$n >/dev/null || {
ret=1
reason="version"
}
grep "; OPT=100" dig.out$n >/dev/null && {
ret=1
reason="option"
}
grep "IN.SOA." dig.out$n >/dev/null && {
ret=1
reason="soa"
}
if [ $ret != 0 ]; then echo_i "failed: $reason"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "Unknown EDNS flag ($n)"
ret=0 reason=
$DIG $DIGOPTS @10.53.0.1 +ednsflags=0x80 soa $zone > dig.out$n || ret=1
grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; }
grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
grep "EDNS:.*MBZ" dig.out$n > /dev/null > /dev/null && { ret=1; reason="mbz"; }
grep ".IN.SOA." dig.out$n > /dev/null || { ret=1; reason="nosoa"; }
$DIG $DIGOPTS @10.53.0.1 +ednsflags=0x80 soa $zone >dig.out$n || ret=1
grep "status: NOERROR," dig.out$n >/dev/null || {
ret=1
reason="status"
}
grep "EDNS: version: 0," dig.out$n >/dev/null || {
ret=1
reason="version"
}
grep "EDNS:.*MBZ" dig.out$n >/dev/null >/dev/null && {
ret=1
reason="mbz"
}
grep ".IN.SOA." dig.out$n >/dev/null || {
ret=1
reason="nosoa"
}
if [ $ret != 0 ]; then echo_i "failed $reason"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "Unknown EDNS version + flag ($n)"
ret=0 reason=
$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsflags=0x80 soa $zone > dig.out$n || ret=1
grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; }
grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
grep "EDNS:.*MBZ" dig.out$n > /dev/null > /dev/null && { ret=1; reason="mbz"; }
grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reason="soa"; }
$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsflags=0x80 soa $zone >dig.out$n || ret=1
grep "status: BADVERS," dig.out$n >/dev/null || {
ret=1
reason="status"
}
grep "EDNS: version: 0," dig.out$n >/dev/null || {
ret=1
reason="version"
}
grep "EDNS:.*MBZ" dig.out$n >/dev/null >/dev/null && {
ret=1
reason="mbz"
}
grep "IN.SOA." dig.out$n >/dev/null && {
ret=1
reason="soa"
}
if [ $ret != 0 ]; then echo_i "failed $reason"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "DiG's EDNS negotiation ($n)"
ret=0 reason=
$DIG $DIGOPTS @10.53.0.1 +edns=100 soa $zone > dig.out$n || ret=1
grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; }
grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
grep "IN.SOA." dig.out$n > /dev/null || { ret=1; reason="soa"; }
$DIG $DIGOPTS @10.53.0.1 +edns=100 soa $zone >dig.out$n || ret=1
grep "status: NOERROR," dig.out$n >/dev/null || {
ret=1
reason="status"
}
grep "EDNS: version: 0," dig.out$n >/dev/null || {
ret=1
reason="version"
}
grep "IN.SOA." dig.out$n >/dev/null || {
ret=1
reason="soa"
}
if [ $ret != 0 ]; then echo_i "failed $reason"; fi
status=$((status + ret))
n=$((n + 1))
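Review bot: The doubled redirection in `grep "EDNS:.*MBZ" dig.out$n >/dev/null >/dev/null && {` survives the reflow in both the "Unknown EDNS flag" and "Unknown EDNS version + flag" checks; the second `>/dev/null` is harmless but reads like a leftover from an earlier edit, and shfmt will keep preserving it. Since these lines are being touched anyway, drop the duplicate: `grep "EDNS:.*MBZ" dig.out$n >/dev/null && {`. The rest of the hunk is formatting only and the test logic is unchanged.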


@ -27,18 +27,18 @@ ret=0
rndc_reload ns1 10.53.0.1
copy_setports ns1/named2.conf.in ns1/named.conf
$RNDCCMD 10.53.0.1 reload > /dev/null || ret=1
$RNDCCMD 10.53.0.1 reload >/dev/null || ret=1
sleep 5
$DIG $DIGOPTS +vc version.bind txt ch @10.53.0.1 > /dev/null || ret=1
$DIG $DIGOPTS +vc version.bind txt ch @10.53.0.1 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that allow-transfer { none; } works ($n)"
ret=0
$DIG $DIGOPTS axfr 10.in-addr.arpa @10.53.0.1 +all > dig.out.test$n || ret=1
grep "status: REFUSED" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS axfr 10.in-addr.arpa @10.53.0.1 +all >dig.out.test$n || ret=1
grep "status: REFUSED" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))


@ -14,7 +14,7 @@
. ../conf.sh
if [ -n "${SOFTHSM2_MODULE}" ] && command -v softhsm2-util >/dev/null; then
exit 0
exit 0
fi
echo_i "skip: softhsm2-util not available"


@ -18,102 +18,99 @@ set -e
softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2-enginepkcs11" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }'
printf '%s' "${HSMPIN:-1234}" > pin
printf '%s' "${HSMPIN:-1234}" >pin
PWD=$(pwd)
copy_setports ns1/named.conf.in ns1/named.conf
keygen() {
type="$1"
bits="$2"
zone="$3"
id="$4"
type="$1"
bits="$2"
zone="$3"
id="$4"
label="${id}-${zone}"
p11id=$(echo "${label}" | openssl sha1 -r | awk '{print $1}')
pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-enginepkcs11" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id 2> pkcs11-tool.err.$zone.$id || return 1
label="${id}-${zone}"
p11id=$(echo "${label}" | openssl sha1 -r | awk '{print $1}')
pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-enginepkcs11" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/pin) >pkcs11-tool.out.$zone.$id 2>pkcs11-tool.err.$zone.$id || return 1
}
keyfromlabel() {
alg="$1"
zone="$2"
id="$3"
dir="$4"
shift 4
alg="$1"
zone="$2"
id="$3"
dir="$4"
shift 4
$KEYFRLAB -K $dir -E pkcs11 -a $alg -l "token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >> keyfromlabel.out.$zone.$id 2> keyfromlabel.err.$zone.$id || return 1
cat keyfromlabel.out.$zone.$id
$KEYFRLAB -K $dir -E pkcs11 -a $alg -l "token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >>keyfromlabel.out.$zone.$id 2>keyfromlabel.err.$zone.$id || return 1
cat keyfromlabel.out.$zone.$id
}
# Setup ns1.
dir="ns1"
infile="${dir}/template.db.in"
for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1
# Edwards curves are not yet supported by OpenSC
# ed25519:EC:edwards25519 ed448:EC:edwards448
do
alg=$(echo "$algtypebits" | cut -f 1 -d :)
type=$(echo "$algtypebits" | cut -f 2 -d :)
bits=$(echo "$algtypebits" | cut -f 3 -d :)
ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1; do # Edwards curves are not yet supported by OpenSC
# ed25519:EC:edwards25519 ed448:EC:edwards448
alg=$(echo "$algtypebits" | cut -f 1 -d :)
type=$(echo "$algtypebits" | cut -f 2 -d :)
bits=$(echo "$algtypebits" | cut -f 3 -d :)
if $SHELL ../testcrypto.sh $alg; then
zone="$alg.example"
zonefile="zone.$alg.example.db"
ret=0
if $SHELL ../testcrypto.sh $alg; then
zone="$alg.example"
zonefile="zone.$alg.example.db"
ret=0
echo_i "Generate keys $alg $type:$bits for zone $zone"
keygen $type $bits $zone enginepkcs11-zsk || ret=1
keygen $type $bits $zone enginepkcs11-ksk || ret=1
test "$ret" -eq 0 || exit 1
echo_i "Generate keys $alg $type:$bits for zone $zone"
keygen $type $bits $zone enginepkcs11-zsk || ret=1
keygen $type $bits $zone enginepkcs11-ksk || ret=1
test "$ret" -eq 0 || exit 1
echo_i "Get ZSK $alg $zone $type:$bits"
zsk1=$(keyfromlabel $alg $zone enginepkcs11-zsk $dir)
test -z "$zsk1" && exit 1
echo_i "Get ZSK $alg $zone $type:$bits"
zsk1=$(keyfromlabel $alg $zone enginepkcs11-zsk $dir)
test -z "$zsk1" && exit 1
echo_i "Get KSK $alg $zone $type:$bits"
ksk1=$(keyfromlabel $alg $zone enginepkcs11-ksk $dir -f KSK)
test -z "$ksk1" && exit 1
echo_i "Get KSK $alg $zone $type:$bits"
ksk1=$(keyfromlabel $alg $zone enginepkcs11-ksk $dir -f KSK)
test -z "$ksk1" && exit 1
(
cd $dir
zskid1=$(keyfile_to_key_id $zsk1)
kskid1=$(keyfile_to_key_id $ksk1)
echo "$zskid1" > $zone.zskid1
echo "$kskid1" > $zone.kskid1
)
(
cd $dir
zskid1=$(keyfile_to_key_id $zsk1)
kskid1=$(keyfile_to_key_id $ksk1)
echo "$zskid1" >$zone.zskid1
echo "$kskid1" >$zone.kskid1
)
echo_i "Sign zone with $ksk1 $zsk1"
cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" > "${dir}/${zonefile}"
$SIGNER -K $dir -E pkcs11 -S -a -g -O full -o "$zone" "${dir}/${zonefile}" > signer.out.$zone || ret=1
test "$ret" -eq 0 || exit 1
echo_i "Sign zone with $ksk1 $zsk1"
cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" >"${dir}/${zonefile}"
$SIGNER -K $dir -E pkcs11 -S -a -g -O full -o "$zone" "${dir}/${zonefile}" >signer.out.$zone || ret=1
test "$ret" -eq 0 || exit 1
echo_i "Generate successor keys $alg $type:$bits for zone $zone"
keygen $type $bits $zone enginepkcs11-zsk2 || ret=1
keygen $type $bits $zone enginepkcs11-ksk2 || ret=1
test "$ret" -eq 0 || exit 1
echo_i "Generate successor keys $alg $type:$bits for zone $zone"
keygen $type $bits $zone enginepkcs11-zsk2 || ret=1
keygen $type $bits $zone enginepkcs11-ksk2 || ret=1
test "$ret" -eq 0 || exit 1
echo_i "Get ZSK $alg $id-$zone $type:$bits"
zsk2=$(keyfromlabel $alg $zone enginepkcs11-zsk2 $dir)
test -z "$zsk2" && exit 1
echo_i "Get ZSK $alg $id-$zone $type:$bits"
zsk2=$(keyfromlabel $alg $zone enginepkcs11-zsk2 $dir)
test -z "$zsk2" && exit 1
echo_i "Get KSK $alg $id-$zone $type:$bits"
ksk2=$(keyfromlabel $alg $zone enginepkcs11-ksk2 $dir -f KSK)
test -z "$ksk2" && exit 1
echo_i "Get KSK $alg $id-$zone $type:$bits"
ksk2=$(keyfromlabel $alg $zone enginepkcs11-ksk2 $dir -f KSK)
test -z "$ksk2" && exit 1
(
cd $dir
zskid2=$(keyfile_to_key_id $zsk2)
kskid2=$(keyfile_to_key_id $ksk2)
echo "$zskid2" > $zone.zskid2
echo "$kskid2" > $zone.kskid2
cp "${zsk2}.key" "${zsk2}.zsk2"
cp "${ksk2}.key" "${ksk2}.ksk2"
)
(
cd $dir
zskid2=$(keyfile_to_key_id $zsk2)
kskid2=$(keyfile_to_key_id $ksk2)
echo "$zskid2" >$zone.zskid2
echo "$kskid2" >$zone.kskid2
cp "${zsk2}.key" "${zsk2}.zsk2"
cp "${ksk2}.key" "${ksk2}.ksk2"
)
echo_i "Add zone $zone to named.conf"
cat >> "${dir}/named.conf" <<EOF
echo_i "Add zone $zone to named.conf"
cat >>"${dir}/named.conf" <<EOF
zone "$zone" {
type primary;
file "${zonefile}.signed";
@ -121,5 +118,5 @@ zone "$zone" {
};
EOF
fi
fi
done
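Review bot: The reflow of the `for algtypebits in ...` header leaves the explanatory comment trailing the `do` keyword and pushes the commented-out algorithm list into the loop body, so the new side reads `; do # Edwards curves are not yet supported by OpenSC` with `# ed25519:EC:edwards25519 ed448:EC:edwards448` now looking like a disabled statement rather than a disabled list entry. shfmt cannot relocate comments, so fix this by hand: put both lines above the loop as `# Edwards curves are not yet supported by OpenSC:` and `#   ed25519:EC:edwards25519 ed448:EC:edwards448`, then keep the single-line `for ... ecdsap384sha384:EC:prime384v1; do`. While here, `keygen` passes the token PIN on the command line via `--pin $(cat $PWD/pin)`, which is visible to any local user in the process list while pkcs11-tool runs; for a test harness with a fixed default PIN that is presumably acceptable, but a one-line comment saying so would stop the idiom being copied into production tooling. The same comment displacement appears in the companion tests.sh of this test directory.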


@ -23,65 +23,62 @@ ret=0
n=0
dig_with_opts() (
$DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
$DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
)
# Perform tests inside ns1 dir
cd ns1
for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1
# Edwards curves are not yet supported by OpenSC
# ed25519:EC:edwards25519 ed448:EC:edwards448
do
alg=$(echo "$algtypebits" | cut -f 1 -d :)
type=$(echo "$algtypebits" | cut -f 2 -d :)
bits=$(echo "$algtypebits" | cut -f 3 -d :)
zone="${alg}.example"
zonefile="zone.${zone}.db.signed"
ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1; do # Edwards curves are not yet supported by OpenSC
# ed25519:EC:edwards25519 ed448:EC:edwards448
alg=$(echo "$algtypebits" | cut -f 1 -d :)
type=$(echo "$algtypebits" | cut -f 2 -d :)
bits=$(echo "$algtypebits" | cut -f 3 -d :)
zone="${alg}.example"
zonefile="zone.${zone}.db.signed"
if [ ! -f $zonefile ]; then
echo_i "skipping test for ${alg}:${type}:${bits}, no signed zone file ${zonefile}"
continue
fi
if [ ! -f $zonefile ]; then
echo_i "skipping test for ${alg}:${type}:${bits}, no signed zone file ${zonefile}"
continue
fi
# Basic checks if setup was successful.
n=$((n+1))
ret=0
echo_i "Test key generation was successful for $zone ($n)"
count=$(ls K*.key | grep "K${zone}" | wc -l)
test "$count" -eq 4 || ret=1
test "$ret" -eq 0 || echo_i "failed (expected 4 keys, got $count)"
status=$((status+ret))
# Basic checks if setup was successful.
n=$((n + 1))
ret=0
echo_i "Test key generation was successful for $zone ($n)"
count=$(ls K*.key | grep "K${zone}" | wc -l)
test "$count" -eq 4 || ret=1
test "$ret" -eq 0 || echo_i "failed (expected 4 keys, got $count)"
status=$((status + ret))
n=$((n+1))
ret=0
echo_i "Test zone signing was successful for $zone ($n)"
$VERIFY -z -o $zone "${zonefile}" > verify.out.$zone.$n 2>&1 || ret=1
test "$ret" -eq 0 || echo_i "failed (dnssec-verify failed)"
status=$((status+ret))
n=$((n + 1))
ret=0
echo_i "Test zone signing was successful for $zone ($n)"
$VERIFY -z -o $zone "${zonefile}" >verify.out.$zone.$n 2>&1 || ret=1
test "$ret" -eq 0 || echo_i "failed (dnssec-verify failed)"
status=$((status + ret))
# Test inline signing with keys stored in engine.
zskid1=$(cat "${zone}.zskid1")
zskid2=$(cat "${zone}.zskid2")
# Test inline signing with keys stored in engine.
zskid1=$(cat "${zone}.zskid1")
zskid2=$(cat "${zone}.zskid2")
n=$((n+1))
ret=0
echo_i "Test inline signing for $zone ($n)"
dig_with_opts "$zone" @10.53.0.1 SOA > dig.out.soa.$zone.$n || ret=1
awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n > dig.out.keyids.$zone.$n || return 1
numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
test $numsigs -eq 1 || return 1
grep -w "$zskid1" dig.out.keyids.$zone.$n > /dev/null || return 1
test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed with key $zskid1)"
status=$((status+ret))
n=$((n + 1))
ret=0
echo_i "Test inline signing for $zone ($n)"
dig_with_opts "$zone" @10.53.0.1 SOA >dig.out.soa.$zone.$n || ret=1
awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n >dig.out.keyids.$zone.$n || return 1
numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
test $numsigs -eq 1 || return 1
grep -w "$zskid1" dig.out.keyids.$zone.$n >/dev/null || return 1
test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed with key $zskid1)"
status=$((status + ret))
n=$((n+1))
ret=0
echo_i "Dynamically update $zone, add new zsk ($n)"
zsk2=$(grep -v ';' K${zone}.*.zsk2)
cat > "update.cmd.zsk.$zone.$n" <<EOF
n=$((n + 1))
ret=0
echo_i "Dynamically update $zone, add new zsk ($n)"
zsk2=$(grep -v ';' K${zone}.*.zsk2)
cat >"update.cmd.zsk.$zone.$n" <<EOF
server 10.53.0.1 $PORT
ttl 300
zone $zone
@ -89,47 +86,47 @@ update add $zsk2
send
EOF
$NSUPDATE -v > "update.log.zsk.$zone.$n" < "update.cmd.zsk.$zone.$n" || ret=1
test "$ret" -eq 0 || echo_i "failed (update failed)"
status=$((status+ret))
$NSUPDATE -v >"update.log.zsk.$zone.$n" <"update.cmd.zsk.$zone.$n" || ret=1
test "$ret" -eq 0 || echo_i "failed (update failed)"
status=$((status + ret))
n=$((n+1))
ret=0
echo_i "Test DNSKEY response for $zone after inline signing ($n)"
_dig_dnskey() (
dig_with_opts "$zone" @10.53.0.1 DNSKEY > dig.out.dnskey.$zone.$n || return 1
count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n)
test $count -eq 3
)
retry_quiet 10 _dig_dnskey || ret=1
test "$ret" -eq 0 || echo_i "failed (expected 3 DNSKEY records)"
status=$((status+ret))
n=$((n + 1))
ret=0
echo_i "Test DNSKEY response for $zone after inline signing ($n)"
_dig_dnskey() (
dig_with_opts "$zone" @10.53.0.1 DNSKEY >dig.out.dnskey.$zone.$n || return 1
count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n)
test $count -eq 3
)
retry_quiet 10 _dig_dnskey || ret=1
test "$ret" -eq 0 || echo_i "failed (expected 3 DNSKEY records)"
status=$((status + ret))
n=$((n+1))
ret=0
echo_i "Test SOA response for $zone after inline signing ($n)"
_dig_soa() (
dig_with_opts "$zone" @10.53.0.1 SOA > dig.out.soa.$zone.$n || return 1
awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n > dig.out.keyids.$zone.$n || return 1
numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
test $numsigs -eq 2 || return 1
grep -w "$zskid1" dig.out.keyids.$zone.$n > /dev/null || return 1
grep -w "$zskid2" dig.out.keyids.$zone.$n > /dev/null || return 1
return 0
)
retry_quiet 10 _dig_soa || ret=1
test "$ret" -eq 0 || echo_i "failed (expected 2 SOA RRSIG records)"
status=$((status+ret))
n=$((n + 1))
ret=0
echo_i "Test SOA response for $zone after inline signing ($n)"
_dig_soa() (
dig_with_opts "$zone" @10.53.0.1 SOA >dig.out.soa.$zone.$n || return 1
awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n >dig.out.keyids.$zone.$n || return 1
numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
test $numsigs -eq 2 || return 1
grep -w "$zskid1" dig.out.keyids.$zone.$n >/dev/null || return 1
grep -w "$zskid2" dig.out.keyids.$zone.$n >/dev/null || return 1
return 0
)
retry_quiet 10 _dig_soa || ret=1
test "$ret" -eq 0 || echo_i "failed (expected 2 SOA RRSIG records)"
status=$((status + ret))
# Test inline signing with keys stored in engine (key signing).
kskid1=$(cat "${zone}.kskid1")
kskid2=$(cat "${zone}.kskid2")
# Test inline signing with keys stored in engine (key signing).
kskid1=$(cat "${zone}.kskid1")
kskid2=$(cat "${zone}.kskid2")
n=$((n+1))
ret=0
echo_i "Dynamically update $zone, add new ksk ($n)"
ksk2=$(grep -v ';' K${zone}.*.ksk2)
cat > "update.cmd.ksk.$zone.$n" <<EOF
n=$((n + 1))
ret=0
echo_i "Dynamically update $zone, add new ksk ($n)"
ksk2=$(grep -v ';' K${zone}.*.ksk2)
cat >"update.cmd.ksk.$zone.$n" <<EOF
server 10.53.0.1 $PORT
ttl 300
zone $zone
@ -137,40 +134,40 @@ update add $ksk2
send
EOF
$NSUPDATE -v > "update.log.ksk.$zone.$n" < "update.cmd.ksk.$zone.$n" || ret=1
test "$ret" -eq 0 || echo_i "failed (update failed)"
status=$((status+ret))
$NSUPDATE -v >"update.log.ksk.$zone.$n" <"update.cmd.ksk.$zone.$n" || ret=1
test "$ret" -eq 0 || echo_i "failed (update failed)"
status=$((status + ret))
n=$((n+1))
ret=0
echo_i "Test DNSKEY response for $zone after inline signing (key signing) ($n)"
_dig_dnskey_ksk() (
dig_with_opts "$zone" @10.53.0.1 DNSKEY > dig.out.dnskey.$zone.$n || return 1
count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n)
test $count -eq 4 || return 1
awk '$4 == "RRSIG" { print $11 }' dig.out.dnskey.$zone.$n > dig.out.keyids.$zone.$n || return 1
numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
test $numsigs -eq 2 || return 1
grep -w "$kskid1" dig.out.keyids.$zone.$n > /dev/null || return 1
grep -w "$kskid2" dig.out.keyids.$zone.$n > /dev/null || return 1
return 0
)
retry_quiet 10 _dig_dnskey_ksk || ret=1
test "$ret" -eq 0 || echo_i "failed (expected 4 DNSKEY records, 2 KSK signatures)"
status=$((status+ret))
n=$((n + 1))
ret=0
echo_i "Test DNSKEY response for $zone after inline signing (key signing) ($n)"
_dig_dnskey_ksk() (
dig_with_opts "$zone" @10.53.0.1 DNSKEY >dig.out.dnskey.$zone.$n || return 1
count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n)
test $count -eq 4 || return 1
awk '$4 == "RRSIG" { print $11 }' dig.out.dnskey.$zone.$n >dig.out.keyids.$zone.$n || return 1
numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)
test $numsigs -eq 2 || return 1
grep -w "$kskid1" dig.out.keyids.$zone.$n >/dev/null || return 1
grep -w "$kskid2" dig.out.keyids.$zone.$n >/dev/null || return 1
return 0
)
retry_quiet 10 _dig_dnskey_ksk || ret=1
test "$ret" -eq 0 || echo_i "failed (expected 4 DNSKEY records, 2 KSK signatures)"
status=$((status + ret))
done
# Go back to main test dir.
cd ..
n=$((n+1))
n=$((n + 1))
ret=0
echo_i "Checking for assertion failure in pk11_numbits()"
$PERL ../packet.pl -a "10.53.0.1" -p "$PORT" -t udp 2037-pk11_numbits-crash-test.pkt
dig_with_opts @10.53.0.1 version.bind. CH TXT > dig.out.pk11_numbits || ret=1
dig_with_opts @10.53.0.1 version.bind. CH TXT >dig.out.pk11_numbits || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
status=$((status + ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
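Review bot: The key-id checks in `_dig_dnskey_ksk` never validate their inputs: `kskid1=$(cat "${zone}.kskid1")` and `kskid2=$(cat "${zone}.kskid2")` can be empty, and then `grep -w "$kskid1"` / `grep -w "$kskid2"` decide the test based on how the platform's grep treats an empty pattern rather than on the signatures actually present. A guard such as `test -n "$kskid1" && test -n "$kskid2" || return 1` before the two greps (and the same for `$zskid1`/`$zskid2` in `_dig_soa`) makes an empty id file a hard failure. While here, `numsigs=$(cat dig.out.keyids.$zone.$n | wc -l)` can be `numsigs=$(wc -l <dig.out.keyids.$zone.$n)`. The loop closed by `done` after these checks starts outside the hunk.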


@ -13,10 +13,9 @@
. ../conf.sh
if ! ${PERL} -MNet::DNS -e ''
then
echo_i "perl Net::DNS module is required"
exit 1
if ! ${PERL} -MNet::DNS -e ''; then
echo_i "perl Net::DNS module is required"
exit 1
fi
exit 0


@ -18,44 +18,44 @@ set -e
DIGCMD="$DIG @10.53.0.3 -p ${PORT} +tcp +tries=1 +time=1"
rndccmd() (
"$RNDC" -c ../_common/rndc.conf -p "${CONTROLPORT}" -s "$@"
"$RNDC" -c ../_common/rndc.conf -p "${CONTROLPORT}" -s "$@"
)
burst() {
server=${1}
num=${4:-20}
rm -f burst.input.$$
while [ $num -gt 0 ]; do
num=$((num-1))
if [ "${5}" = "dup" ]; then
# burst with duplicate queries
echo "${2}${3}.lamesub.example A" >> burst.input.$$
else
# burst with unique queries
echo "${num}${2}${3}.lamesub.example A" >> burst.input.$$
fi
done
$PERL ../ditch.pl -p ${PORT} -s ${server} burst.input.$$
rm -f burst.input.$$
server=${1}
num=${4:-20}
rm -f burst.input.$$
while [ $num -gt 0 ]; do
num=$((num - 1))
if [ "${5}" = "dup" ]; then
# burst with duplicate queries
echo "${2}${3}.lamesub.example A" >>burst.input.$$
else
# burst with unique queries
echo "${num}${2}${3}.lamesub.example A" >>burst.input.$$
fi
done
$PERL ../ditch.pl -p ${PORT} -s ${server} burst.input.$$
rm -f burst.input.$$
}
stat() {
clients=$(rndccmd ${1} status | grep "recursive clients" |
sed 's;.*: \([^/][^/]*\)/.*;\1;')
echo_i "clients: $clients"
[ "$clients" = "" ] && return 1
[ "$clients" -ge $2 ] || return 1
[ "$clients" -le $3 ] || return 1
return 0
clients=$(rndccmd ${1} status | grep "recursive clients" \
| sed 's;.*: \([^/][^/]*\)/.*;\1;')
echo_i "clients: $clients"
[ "$clients" = "" ] && return 1
[ "$clients" -ge $2 ] || return 1
[ "$clients" -le $3 ] || return 1
return 0
}
_wait_for_message() (
nextpartpeek "$1" > wait_for_message.$n
grep -F "$2" wait_for_message.$n >/dev/null
nextpartpeek "$1" >wait_for_message.$n
grep -F "$2" wait_for_message.$n >/dev/null
)
wait_for_message() (
retry_quiet 20 _wait_for_message "$@"
retry_quiet 20 _wait_for_message "$@"
)
n=0
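Review bot: The helper named `stat` shadows the coreutils `stat(1)` command for the rest of the script, so any later `stat` call meant for the binary would silently run this function instead; a descriptive name such as `recursive_clients_in_range` (with the `stat 10.53.0.3 ...` call sites updated) avoids the collision. Inside it, `[ "$clients" -ge $2 ] || return 1` and `[ "$clients" -le $3 ] || return 1` quote `$clients` but leave the bounds unquoted; quoting `"$2"` and `"$3"` keeps the test consistent and makes a missing argument fail the `[` test instead of producing a malformed expression.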
@ -68,17 +68,17 @@ ret=0
rndccmd 10.53.0.3 flush
touch ans4/norespond
for try in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
burst 10.53.0.3 a $try
# fetches-per-server is at 400, but at 20qps against a lame server,
# we'll reach 200 at the tenth second, and the quota should have been
# tuned to less than that by then.
[ $try -le 5 ] && low=$((try*10))
stat 10.53.0.3 20 200 || ret=1
[ $ret -eq 1 ] && break
sleep 1
burst 10.53.0.3 a $try
# fetches-per-server is at 400, but at 20qps against a lame server,
# we'll reach 200 at the tenth second, and the quota should have been
# tuned to less than that by then.
[ $try -le 5 ] && low=$((try * 10))
stat 10.53.0.3 20 200 || ret=1
[ $ret -eq 1 ] && break
sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n + 1))
echo_i "dumping ADB data ($n)"
@ -90,7 +90,7 @@ set -- $info
quota=$4
[ ${4:-200} -lt 200 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n + 1))
echo_i "checking servfail statistics ($n)"
@ -98,8 +98,8 @@ ret=0
rm -f ns3/named.stats
rndccmd 10.53.0.3 stats
for try in 1 2 3 4 5; do
[ -f ns3/named.stats ] && break
sleep 1
[ -f ns3/named.stats ] && break
sleep 1
done
sspill=$(grep 'spilled due to server' ns3/named.stats | sed 's/\([0-9][0-9]*\) spilled.*/\1/')
[ -z "$sspill" ] && sspill=0
@ -107,20 +107,20 @@ fails=$(grep 'queries resulted in SERVFAIL' ns3/named.stats | sed 's/\([0-9][0-9
[ -z "$fails" ] && fails=0
[ "$fails" -ge "$sspill" ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n + 1))
echo_i "checking lame server recovery ($n)"
ret=0
test -f ans4/norespond && rm -f ans4/norespond
for try in 1 2 3 4 5; do
burst 10.53.0.3 b $try
stat 10.53.0.3 0 200 || ret=1
[ $ret -eq 1 ] && break
sleep 1
burst 10.53.0.3 b $try
stat 10.53.0.3 0 200 || ret=1
[ $ret -eq 1 ] && break
sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n + 1))
echo_i "dumping ADB data ($n)"
@ -132,19 +132,19 @@ set -- $info
[ ${4:-${quota}} -lt $quota ] || ret=1
quota=$4
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n + 1))
echo_i "checking lame server recovery (continued) ($n)"
ret=0
for try in 1 2 3 4 5 6 7 8 9 10; do
burst 10.53.0.3 c $try
stat 10.53.0.3 0 20 || ret=1
[ $ret -eq 1 ] && break
sleep 1
burst 10.53.0.3 c $try
stat 10.53.0.3 0 20 || ret=1
[ $ret -eq 1 ] && break
sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n + 1))
echo_i "dumping ADB data ($n)"
@ -156,7 +156,7 @@ set -- $info
[ ${4:-${quota}} -gt $quota ] || ret=1
quota=$4
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
copy_setports ns3/named2.conf.in ns3/named.conf
rndc_reconfig ns3 10.53.0.3
@ -168,20 +168,20 @@ fail=0
success=0
touch ans4/norespond
for try in 1 2 3 4 5; do
burst 10.53.0.3 b $try 300
$DIGCMD a ${try}.example > dig.out.ns3.$n.$try
grep "status: NOERROR" dig.out.ns3.$n.$try > /dev/null 2>&1 && \
success=$((success+1))
grep "status: SERVFAIL" dig.out.ns3.$n.$try > /dev/null 2>&1 && \
fail=$(($fail+1))
stat 10.53.0.3 30 50 || ret=1
[ $ret -eq 1 ] && break
rndccmd 10.53.0.3 recursing 2>&1 | sed 's/^/ns3 /' | cat_i
sleep 1
burst 10.53.0.3 b $try 300
$DIGCMD a ${try}.example >dig.out.ns3.$n.$try
grep "status: NOERROR" dig.out.ns3.$n.$try >/dev/null 2>&1 \
&& success=$((success + 1))
grep "status: SERVFAIL" dig.out.ns3.$n.$try >/dev/null 2>&1 \
&& fail=$(($fail + 1))
stat 10.53.0.3 30 50 || ret=1
[ $ret -eq 1 ] && break
rndccmd 10.53.0.3 recursing 2>&1 | sed 's/^/ns3 /' | cat_i
sleep 1
done
echo_i "$success successful valid queries, $fail SERVFAIL"
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n + 1))
echo_i "checking drop statistics ($n)"
@ -189,8 +189,8 @@ ret=0
rm -f ns3/named.stats
rndccmd 10.53.0.3 stats
for try in 1 2 3 4 5; do
[ -f ns3/named.stats ] && break
sleep 1
[ -f ns3/named.stats ] && break
sleep 1
done
zspill=$(grep 'spilled due to zone' ns3/named.stats | sed 's/\([0-9][0-9]*\) spilled.*/\1/')
[ -z "$zspill" ] && zspill=0
@ -198,7 +198,7 @@ drops=$(grep 'queries dropped' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.
[ -z "$drops" ] && drops=0
[ "$drops" -ge "$zspill" ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
copy_setports ns3/named3.conf.in ns3/named.conf
rndc_reconfig ns3 10.53.0.3
@ -211,23 +211,32 @@ exceeded=0
success=0
touch ans4/norespond
for try in 1 2 3 4 5; do
burst 10.53.0.3 b $try 400
$DIGCMD +time=2 a ${try}.example > dig.out.ns3.$n.$try
stat 10.53.0.3 1 400 || exceeded=$((exceeded + 1))
grep "status: NOERROR" dig.out.ns3.$n.$try > /dev/null 2>&1 && \
success=$((success+1))
grep "status: SERVFAIL" dig.out.ns3.$n.$try > /dev/null 2>&1 && \
fail=$(($fail+1))
sleep 1
burst 10.53.0.3 b $try 400
$DIGCMD +time=2 a ${try}.example >dig.out.ns3.$n.$try
stat 10.53.0.3 1 400 || exceeded=$((exceeded + 1))
grep "status: NOERROR" dig.out.ns3.$n.$try >/dev/null 2>&1 \
&& success=$((success + 1))
grep "status: SERVFAIL" dig.out.ns3.$n.$try >/dev/null 2>&1 \
&& fail=$(($fail + 1))
sleep 1
done
echo_i "$success successful valid queries (expected 5)"
[ "$success" -eq 5 ] || { echo_i "failed"; ret=1; }
[ "$success" -eq 5 ] || {
echo_i "failed"
ret=1
}
echo_i "$fail SERVFAIL responses (expected 0)"
[ "$fail" -eq 0 ] || { echo_i "failed"; ret=1; }
[ "$fail" -eq 0 ] || {
echo_i "failed"
ret=1
}
echo_i "clients count exceeded 400 on $exceeded trials (expected 0)"
[ "$exceeded" -eq 0 ] || { echo_i "failed"; ret=1; }
[ "$exceeded" -eq 0 ] || {
echo_i "failed"
ret=1
}
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n + 1))
echo_i "checking drop statistics ($n)"
@ -239,7 +248,7 @@ wait_for_log 5 "queries dropped due to recursive client limit" ns3/named.stats |
drops=$(grep 'queries dropped due to recursive client limit' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/')
[ "${drops:-0}" -ne 0 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
nextpart ns5/named.run >/dev/null
@ -248,12 +257,12 @@ echo_i "checking clients are dropped at the clients-per-query limit ($n)"
ret=0
test -f ans4/norespond && rm -f ans4/norespond
for try in 1 2 3 4 5; do
burst 10.53.0.5 latency $try 20 "dup"
sleep 1
burst 10.53.0.5 latency $try 20 "dup"
sleep 1
done
wait_for_message ns5/named.run "clients-per-query increased to 10" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n + 1))
echo_i "checking drop statistics ($n)"
@ -261,8 +270,8 @@ ret=0
rm -f ns5/named.stats
rndccmd 10.53.0.5 stats
for try in 1 2 3 4 5; do
[ -f ns5/named.stats ] && break
sleep 1
[ -f ns5/named.stats ] && break
sleep 1
done
zspill=$(grep 'spilled due to clients per query' ns5/named.stats | sed 's/ *\([0-9][0-9]*\) spilled.*/\1/')
[ -z "$zspill" ] && zspill=0
@ -276,7 +285,7 @@ expected=55
[ "$zspill" -eq "$expected" ] || ret=1
echo_i "$zspill clients spilled (expected $expected)"
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "stop ns5"
stop_server --use-rndc --port ${CONTROLPORT} ns5
@ -291,12 +300,12 @@ echo_i "checking clients are dropped at the clients-per-query limit with stale-a
ret=0
test -f ans4/norespond && rm -f ans4/norespond
for try in 1 2 3 4 5; do
burst 10.53.0.5 latency $try 20 "dup"
sleep 1
burst 10.53.0.5 latency $try 20 "dup"
sleep 1
done
wait_for_message ns5/named.run "clients-per-query increased to 10" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n + 1))
echo_i "checking drop statistics ($n)"
@ -304,8 +313,8 @@ ret=0
rm -f ns5/named.stats
rndccmd 10.53.0.5 stats
for try in 1 2 3 4 5; do
[ -f ns5/named.stats ] && break
sleep 1
[ -f ns5/named.stats ] && break
sleep 1
done
zspill=$(grep 'spilled due to clients per query' ns5/named.stats | sed 's/ *\([0-9][0-9]*\) spilled.*/\1/')
[ -z "$zspill" ] && zspill=0
@ -319,7 +328,7 @@ expected=55
[ "$zspill" -eq "$expected" ] || ret=1
echo_i "$zspill clients spilled (expected $expected)"
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1


@ -20,15 +20,15 @@ infile=signed.db.in
zonefile=signed.db.signed
outfile=signed.db.signed
$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i
$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 > keygen.out | cat_i
$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 >/dev/null | cat_i
$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 >keygen.out | cat_i
keyname=$(cat keygen.out)
rm -f keygen.out
keyfile_to_static_ds $keyname > trusted.conf
keyfile_to_static_ds $keyname >trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns5/trusted.conf
$SIGNER -S -o $zone -f $outfile $infile > /dev/null 2> signer.err || cat signer.err
$SIGNER -S -o $zone -f $outfile $infile >/dev/null 2>signer.err || cat signer.err
echo_i "signed zone '$zone'"
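Review bot: A failure of `$SIGNER` on the last changed line is printed but not propagated: `|| cat signer.err` ends the list with cat's exit status, so the script still logs `signed zone '$zone'` and exits 0 even when signing failed (a `set -e` earlier in the file, if present, would not change this). `|| { cat signer.err; exit 1; }` makes the setup fail at the point of the error rather than in whichever later test first consumes the unsigned zone. The next sign.sh section in this commit has the identical line and the same issue.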


@ -20,8 +20,8 @@ infile=signed.db.in
zonefile=signed.db.signed
outfile=signed.db.signed
$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i
$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i
$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 >/dev/null | cat_i
$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 >/dev/null | cat_i
$SIGNER -S -o $zone -f $outfile $infile > /dev/null 2> signer.err || cat signer.err
$SIGNER -S -o $zone -f $outfile $infile >/dev/null 2>signer.err || cat signer.err
echo_i "signed zone '$zone'"



@ -18,29 +18,29 @@ set -e
status=0
echo_i "test name too long"
$PERL formerr.pl -a 10.53.0.1 -p ${PORT} nametoolong > nametoolong.out
$PERL formerr.pl -a 10.53.0.1 -p ${PORT} nametoolong >nametoolong.out
ans=$(grep got: nametoolong.out)
if [ "${ans}" != "got: 000080010000000000000000" ];
then
echo_i "failed"; status=$((status + 1));
if [ "${ans}" != "got: 000080010000000000000000" ]; then
echo_i "failed"
status=$((status + 1))
fi
echo_i "two questions"
$PERL formerr.pl -a 10.53.0.1 -p ${PORT} twoquestions > twoquestions.out
$PERL formerr.pl -a 10.53.0.1 -p ${PORT} twoquestions >twoquestions.out
ans=$(grep got: twoquestions.out)
if [ "${ans}" != "got: 000080010000000000000000" ];
then
echo_i "failed"; status=$((status + 1));
if [ "${ans}" != "got: 000080010000000000000000" ]; then
echo_i "failed"
status=$((status + 1))
fi
# this would be NOERROR if it included a COOKIE option,
# but is a FORMERR without one.
echo_i "empty question section (and no COOKIE option)"
$PERL formerr.pl -a 10.53.0.1 -p ${PORT} noquestions > noquestions.out
$PERL formerr.pl -a 10.53.0.1 -p ${PORT} noquestions >noquestions.out
ans=$(grep got: noquestions.out)
if [ "${ans}" != "got: 000080010000000000000000" ];
then
echo_i "failed"; status=$((status + 1));
if [ "${ans}" != "got: 000080010000000000000000" ]; then
echo_i "failed"
status=$((status + 1))
fi
echo_i "exit status: $status"
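Review bot: The three test blocks in this hunk differ only in the formerr.pl test name and the logged description, so the newly expanded multi-line `if` bodies and the expected wire value `got: 000080010000000000000000` are now repeated three times. A small helper taking the test name and the description keeps the check, the output-file naming and the expected value in one place; the fence shows the helper and the three calls, with the existing COOKIE comment kept above the third.
```shell
# Send one crafted query with formerr.pl and require a FORMERR reply.
# $1: formerr.pl test name (also used for the output file), $2: description.
check_formerr() {
  echo_i "$2"
  $PERL formerr.pl -a 10.53.0.1 -p ${PORT} "$1" >"$1.out"
  ans=$(grep got: "$1.out")
  if [ "${ans}" != "got: 000080010000000000000000" ]; then
    echo_i "failed"
    status=$((status + 1))
  fi
}

check_formerr nametoolong "test name too long"
check_formerr twoquestions "two questions"
# this would be NOERROR if it included a COOKIE option,
# but is a FORMERR without one.
check_formerr noquestions "empty question section (and no COOKIE option)"
```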


@ -25,10 +25,10 @@ echo_i "ns1/sign.sh"
ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -g -o "$zone" "$zonefile" >/dev/null 2>&1
# Configure the resolving server with a static key.
keyfile_to_static_ds "$ksk" > trusted.conf
keyfile_to_static_ds "$ksk" >trusted.conf
cp trusted.conf ../ns3/trusted.conf


@ -13,16 +13,14 @@
. ../conf.sh
if ! ${PYTHON} -c 'import dns'
then
echo_i "python dns module is required"
exit 1
if ! ${PYTHON} -c 'import dns'; then
echo_i "python dns module is required"
exit 1
fi
if ! ${PERL} -MNet::DNS -e ''
then
echo_i "perl Net::DNS module is required"
exit 1
if ! ${PERL} -MNet::DNS -e ''; then
echo_i "perl Net::DNS module is required"
exit 1
fi
exit 0


@ -25,6 +25,6 @@ copy_setports ns9/named1.conf.in ns9/named.conf
copy_setports ns10/named.conf.in ns10/named.conf
(
cd ns1
$SHELL sign.sh
cd ns1
$SHELL sign.sh
)


@ -17,15 +17,15 @@ set -e
. ../conf.sh
dig_with_opts() (
"$DIG" -p "$PORT" "$@"
"$DIG" -p "$PORT" "$@"
)
sendcmd() (
send "$1" "$EXTRAPORT1"
send "$1" "$EXTRAPORT1"
)
rndccmd() {
"$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@"
"$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@"
}
root=10.53.0.1
@ -36,156 +36,156 @@ f2=10.53.0.4
status=0
n=0
n=$((n+1))
n=$((n + 1))
echo_i "checking that a forward zone overrides global forwarders ($n)"
ret=0
dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example1. txt @$f1 > dig.out.$n.f1 || ret=1
dig_with_opts +noadd +noauth txt.example1. txt @$hidden >dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example1. txt @$f1 >dig.out.$n.f1 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that a forward first zone no forwarders recurses ($n)"
ret=0
dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$f1 > dig.out.$n.f1 || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$root >dig.out.$n.root || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$f1 >dig.out.$n.f1 || ret=1
digcomp dig.out.$n.root dig.out.$n.f1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that a forward only zone no forwarders fails ($n)"
ret=0
dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$f1 > dig.out.$n.f1 || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$root >dig.out.$n.root || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$f1 >dig.out.$n.f1 || ret=1
digcomp dig.out.$n.root dig.out.$n.f1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that global forwarders work ($n)"
ret=0
dig_with_opts +noadd +noauth txt.example4. txt @$hidden > dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example4. txt @$f1 > dig.out.$n.f1 || ret=1
dig_with_opts +noadd +noauth txt.example4. txt @$hidden >dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example4. txt @$f1 >dig.out.$n.f1 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that a forward zone works ($n)"
ret=0
dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example1. txt @$f2 > dig.out.$n.f2 || ret=1
dig_with_opts +noadd +noauth txt.example1. txt @$hidden >dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example1. txt @$f2 >dig.out.$n.f2 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that forwarding doesn't spontaneously happen ($n)"
ret=0
dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$f2 > dig.out.$n.f2 || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$root >dig.out.$n.root || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$f2 >dig.out.$n.f2 || ret=1
digcomp dig.out.$n.root dig.out.$n.f2 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that a forward zone with no specified policy works ($n)"
ret=0
dig_with_opts +noadd +noauth txt.example3. txt @$hidden > dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example3. txt @$f2 > dig.out.$n.f2 || ret=1
dig_with_opts +noadd +noauth txt.example3. txt @$hidden >dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example3. txt @$f2 >dig.out.$n.f2 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that a forward only doesn't recurse ($n)"
ret=0
dig_with_opts txt.example5. txt @$f2 > dig.out.$n.f2 || ret=1
grep "SERVFAIL" dig.out.$n.f2 > /dev/null || ret=1
dig_with_opts txt.example5. txt @$f2 >dig.out.$n.f2 || ret=1
grep "SERVFAIL" dig.out.$n.f2 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking for negative caching of forwarder response ($n)"
# prime the cache, shutdown the forwarder then check that we can
# get the answer from the cache. restart forwarder.
ret=0
dig_with_opts nonexist. txt @10.53.0.5 > dig.out.$n.f2 || ret=1
grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null || ret=1
dig_with_opts nonexist. txt @10.53.0.5 >dig.out.$n.f2 || ret=1
grep "status: NXDOMAIN" dig.out.$n.f2 >/dev/null || ret=1
stop_server ns4 || ret=1
dig_with_opts nonexist. txt @10.53.0.5 > dig.out.$n.f2 || ret=1
grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null || ret=1
dig_with_opts nonexist. txt @10.53.0.5 >dig.out.$n.f2 || ret=1
grep "status: NXDOMAIN" dig.out.$n.f2 >/dev/null || ret=1
start_server --restart --noclean --port "${PORT}" ns4 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
check_override() (
dig_with_opts 1.0.10.in-addr.arpa TXT @10.53.0.4 > dig.out.$n.f2 &&
grep "status: NOERROR" dig.out.$n.f2 > /dev/null &&
dig_with_opts 2.0.10.in-addr.arpa TXT @10.53.0.4 > dig.out.$n.f2 &&
grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null
dig_with_opts 1.0.10.in-addr.arpa TXT @10.53.0.4 >dig.out.$n.f2 \
&& grep "status: NOERROR" dig.out.$n.f2 >/dev/null \
&& dig_with_opts 2.0.10.in-addr.arpa TXT @10.53.0.4 >dig.out.$n.f2 \
&& grep "status: NXDOMAIN" dig.out.$n.f2 >/dev/null
)
n=$((n+1))
n=$((n + 1))
echo_i "checking that forward only zone overrides empty zone ($n)"
ret=0
# retry loop in case the server restart above causes transient failure
retry_quiet 10 check_override || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that DS lookups for grafting forward zones are isolated ($n)"
ret=0
dig_with_opts grafted A @10.53.0.4 > dig.out.$n.q1 || ret=1
dig_with_opts grafted DS @10.53.0.4 > dig.out.$n.q2 || ret=1
dig_with_opts grafted A @10.53.0.4 > dig.out.$n.q3 || ret=1
dig_with_opts grafted AAAA @10.53.0.4 > dig.out.$n.q4 || ret=1
grep "status: NOERROR" dig.out.$n.q1 > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.$n.q2 > /dev/null || ret=1
grep "status: NOERROR" dig.out.$n.q3 > /dev/null || ret=1
grep "status: NOERROR" dig.out.$n.q4 > /dev/null || ret=1
dig_with_opts grafted A @10.53.0.4 >dig.out.$n.q1 || ret=1
dig_with_opts grafted DS @10.53.0.4 >dig.out.$n.q2 || ret=1
dig_with_opts grafted A @10.53.0.4 >dig.out.$n.q3 || ret=1
dig_with_opts grafted AAAA @10.53.0.4 >dig.out.$n.q4 || ret=1
grep "status: NOERROR" dig.out.$n.q1 >/dev/null || ret=1
grep "status: NXDOMAIN" dig.out.$n.q2 >/dev/null || ret=1
grep "status: NOERROR" dig.out.$n.q3 >/dev/null || ret=1
grep "status: NOERROR" dig.out.$n.q4 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that rfc1918 inherited 'forward first;' zones are warned about ($n)"
ret=0
$CHECKCONF rfc1918-inherited.conf | grep "forward first;" >/dev/null || ret=1
$CHECKCONF rfc1918-notinherited.conf | grep "forward first;" >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that ULA inherited 'forward first;' zones are warned about ($n)"
ret=0
$CHECKCONF ula-inherited.conf | grep "forward first;" >/dev/null || ret=1
$CHECKCONF ula-notinherited.conf | grep "forward first;" >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
count_sent() (
logfile="$1"
start_pattern="$2"
pattern="$3"
nextpartpeek "$logfile" | sed -n "/$start_pattern/,/^\$/p" | grep -c "$pattern"
logfile="$1"
start_pattern="$2"
pattern="$3"
nextpartpeek "$logfile" | sed -n "/$start_pattern/,/^\$/p" | grep -c "$pattern"
)
check_sent() (
expected="$1"
shift
count=$(count_sent "$@")
[ "$expected" = "$count" ]
expected="$1"
shift
count=$(count_sent "$@")
[ "$expected" = "$count" ]
)
wait_for_log() (
nextpartpeek "$1" | grep "$2" >/dev/null
nextpartpeek "$1" | grep "$2" >/dev/null
)
n=$((n+1))
n=$((n + 1))
echo_i "checking that a forwarder timeout prevents it from being reused in the same fetch context ($n)"
ret=0
# Make ans6 receive queries without responding to them.
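Review bot: The local `wait_for_log()` defined near the end of this hunk takes `(logfile, pattern)` and is only ever driven through `retry_quiet 5 wait_for_log ...`, but it reuses a helper name that the shared test library appears to provide with a different signature — the fetchlimit script in this same commit calls `wait_for_log 5 "queries dropped due to recursive client limit" ns3/named.stats`, timeout first. Any later use of the library form in this file would silently hit the two-argument version and misread the timeout as a file name. Renaming the local one, e.g. `_wait_for_log_line() (`, and updating the two `retry_quiet 5 wait_for_log` call sites removes the ambiguity.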
@ -195,19 +195,19 @@ echo "//" | sendcmd 10.53.0.6
# when a delegation is encountered after falling back to full recursive
# resolution.
nextpart ns3/named.run >/dev/null
dig_with_opts txt.example7. txt @$f1 > dig.out.$n.f1 || ret=1
dig_with_opts txt.example7. txt @$f1 >dig.out.$n.f1 || ret=1
# The forwarder for the "example7" zone should only be queried once.
start_pattern="sending packet to 10\.53\.0\.6"
retry_quiet 5 wait_for_log ns3/named.run "$start_pattern"
check_sent 1 ns3/named.run "$start_pattern" ";txt\.example7\.[[:space:]]*IN[[:space:]]*TXT$" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that priming queries are not forwarded ($n)"
ret=0
nextpart ns7/named.run >/dev/null
dig_with_opts +noadd +noauth txt.example1. txt @10.53.0.7 > dig.out.$n.f7 || ret=1
dig_with_opts +noadd +noauth txt.example1. txt @10.53.0.7 >dig.out.$n.f7 || ret=1
received_pattern="received packet from 10\.53\.0\.1"
start_pattern="sending packet to 10\.53\.0\.1"
retry_quiet 5 wait_for_log ns7/named.run "$received_pattern" || ret=1
@ -217,30 +217,30 @@ sent=$(grep -c "10.53.0.7#.* (.): query '\./NS/IN' approved" ns4/named.run || tr
sent=$(grep -c "10.53.0.7#.* (.): query '\./NS/IN' approved" ns1/named.run || true)
[ "$sent" -eq 1 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking recovery from forwarding to a non-recursive server ($n)"
ret=0
dig_with_opts xxx.sld.tld txt @10.53.0.8 > dig.out.$n.f8 || ret=1
grep "status: NOERROR" dig.out.$n.f8 > /dev/null || ret=1
dig_with_opts xxx.sld.tld txt @10.53.0.8 >dig.out.$n.f8 || ret=1
grep "status: NOERROR" dig.out.$n.f8 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that rebinding protection works in forward only mode ($n)"
ret=0
# 10.53.0.5 will forward target.malicious. query to 10.53.0.4
# which in turn will return a CNAME for subdomain.rebind.
# to honor the option deny-answer-aliases { "rebind"; };
# ns5 should return a SERVFAIL to avoid potential rebinding attacks
dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. > dig.out.$n || ret=1
grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1
dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. >dig.out.$n || ret=1
grep "status: SERVFAIL" dig.out.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
# Prepare ans6 for the chasing DS tests.
sendcmd 10.53.0.6 << EOF
sendcmd 10.53.0.6 <<EOF
/ns1.sld.tld/A/
300 A 10.53.0.2
/sld.tld/NS/
@ -248,88 +248,88 @@ sendcmd 10.53.0.6 << EOF
/sld.tld/
EOF
n=$((n+1))
n=$((n + 1))
echo_i "checking switch from forwarding to normal resolution while chasing DS ($n)"
ret=0
copy_setports ns3/named2.conf.in ns3/named.conf
rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
sleep 1
nextpart ns3/named.run >/dev/null
dig_with_opts @$f1 xxx.yyy.sld.tld ds > dig.out.$n.f1 || ret=1
grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1
dig_with_opts @$f1 xxx.yyy.sld.tld ds >dig.out.$n.f1 || ret=1
grep "status: SERVFAIL" dig.out.$n.f1 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
# See [GL #3129].
# Enable silent mode for ans11.
echo "1" | sendcmd 10.53.0.11
n=$((n+1))
n=$((n + 1))
echo_i "checking the handling of hung DS fetch while chasing DS ($n)"
ret=0
copy_setports ns3/named2.conf.in ns3/tmp
sed 's/root.db/root2.db/' ns3/tmp > ns3/named.conf
sed 's/root.db/root2.db/' ns3/tmp >ns3/named.conf
rm -f ns3/tmp
rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
rndccmd 10.53.0.3 flush 2>&1 | sed 's/^/ns3 /' | cat_i
sleep 1
nextpart ns3/named.run >/dev/null
dig_with_opts @$f1 xxx.yyy.sld.tld ds > dig.out.$n.f1 || ret=1
grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1
dig_with_opts @$f1 xxx.yyy.sld.tld ds >dig.out.$n.f1 || ret=1
grep "status: SERVFAIL" dig.out.$n.f1 >/dev/null || ret=1
# Disable silent mode for ans11.
echo "0" | sendcmd 10.53.0.11
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
#
# Check various spoofed response scenarios. The same tests will be
# run twice, with "forward first" and "forward only" configurations.
#
run_spooftests () {
n=$((n+1))
echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
# check 'net' is not poisoned.
dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1
# check 'sub.local.net' is not poisoned.
dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
run_spooftests() {
n=$((n + 1))
echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 attackSecureDomain.net >dig.out.$n.prime || ret=1
# check 'net' is not poisoned.
dig_with_opts @10.53.0.9 diditwork.net. TXT >dig.out.$n.net || ret=1
grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net >/dev/null || ret=1
# check 'sub.local.net' is not poisoned.
dig_with_opts @10.53.0.9 sub.local.net TXT >dig.out.$n.sub || ret=1
grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n+1))
echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
# check that net2/DNAME is not cached
dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n + 1))
echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 attackSecureDomain.net2 >dig.out.$n.prime || ret=1
# check that net2/DNAME is not cached
dig_with_opts @10.53.0.9 net2. DNAME >dig.out.$n.net2 || ret=1
grep "ANSWER: 0," dig.out.$n.net2 >/dev/null || ret=1
grep "status: NXDOMAIN" dig.out.$n.net2 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n+1))
echo_i "checking spoofed response scenario 3 - extra answer ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1
# check extra net3 records are not cached
rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i
for try in 1 2 3 4 5; do
lines=$(grep "net3" ns9/named_dump.db | wc -l)
if [ ${lines} -eq 0 ]; then
sleep 1
continue
fi
[ ${lines} -eq 1 ] || ret=1
grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1
grep -q '^local.net3' ns9/named_dump.db && ret=1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n + 1))
echo_i "checking spoofed response scenario 3 - extra answer ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 attackSecureDomain.net3 >dig.out.$n.prime || ret=1
# check extra net3 records are not cached
rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i
for try in 1 2 3 4 5; do
lines=$(grep "net3" ns9/named_dump.db | wc -l)
if [ ${lines} -eq 0 ]; then
sleep 1
continue
fi
[ ${lines} -eq 1 ] || ret=1
grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1
grep -q '^local.net3' ns9/named_dump.db && ret=1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
}
echo_i "checking spoofed response scenarios with forward first zones"
@ -353,31 +353,31 @@ rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
sleep 1
n=$((n+1))
n=$((n + 1))
echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
dig_with_opts @10.53.0.9 attackSecureDomain.net >dig.out.$n.prime || ret=1
# check 'net' is poisoned.
dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1
dig_with_opts @10.53.0.9 diditwork.net. TXT >dig.out.$n.net || ret=1
grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net >/dev/null || ret=1
# check 'sub.local.net' is poisoned.
dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1
dig_with_opts @10.53.0.9 sub.local.net TXT >dig.out.$n.sub || ret=1
grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
dig_with_opts @10.53.0.9 attackSecureDomain.net2 >dig.out.$n.prime || ret=1
# check that net2/DNAME is cached
dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1
grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1
dig_with_opts @10.53.0.9 net2. DNAME >dig.out.$n.net2 || ret=1
grep "ANSWER: 1," dig.out.$n.net2 >/dev/null || ret=1
grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
#
# This test doesn't use any forwarder clauses but is here because it
@ -390,17 +390,17 @@ rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
sleep 1
n=$((n+1))
n=$((n + 1))
echo_i "checking sibling glue below zone ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1
dig_with_opts @10.53.0.9 sibling.tld >dig.out.$n.prime || ret=1
# check for glue A record for sub.local.tld is not used
dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1
grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1
grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1
dig_with_opts @10.53.0.9 sub.local.tld TXT >dig.out.$n.sub || ret=1
grep "ANSWER: 1," dig.out.$n.sub >/dev/null || ret=1
grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1


@ -33,9 +33,8 @@ cat <<EOF
3600 )
EOF
for n
do
cat <<EOF
for n; do
cat <<EOF
@ NS ns${n}
ns${n} A 10.53.0.${n}
EOF


@ -14,7 +14,7 @@
. ../conf.sh
$FEATURETEST --have-geoip2 || {
echo_i "This test requires GeoIP support." >&2
exit 255
echo_i "This test requires GeoIP support." >&2
exit 255
}
exit 0


@ -18,6 +18,6 @@ $SHELL clean.sh
copy_setports ns2/named1.conf.in ns2/named.conf
for i in 1 2 3 4 5 6 7 other bogus; do
cp ns2/example.db.in ns2/example${i}.db
echo "@ IN TXT \"$i\"" >> ns2/example$i.db
cp ns2/example.db.in ns2/example${i}.db
echo "@ IN TXT \"$i\"" >>ns2/example$i.db
done


@ -24,24 +24,22 @@ DIGOPTS="+tcp +short -p ${PORT} @10.53.0.2"
DIGOPTS6="+tcp +short -p ${PORT} @fd92:7065:b8e:ffff::2 -6"
RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"
for conf in conf/good*.conf
do
n=$((n + 1))
echo_i "checking that $conf is accepted ($n)"
ret=0
$CHECKCONF "$conf" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
for conf in conf/good*.conf; do
n=$((n + 1))
echo_i "checking that $conf is accepted ($n)"
ret=0
$CHECKCONF "$conf" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
done
for conf in conf/bad*.conf
do
n=$((n + 1))
echo_i "checking that $conf is rejected ($n)"
ret=0
$CHECKCONF "$conf" >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
for conf in conf/bad*.conf; do
n=$((n + 1))
echo_i "checking that $conf is rejected ($n)"
ret=0
$CHECKCONF "$conf" >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
done
n=$((n + 1))
@ -49,23 +47,22 @@ echo_i "checking Country database by code using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
if testsock6 fd92:7065:b8e:ffff::3
then
if testsock6 fd92:7065:b8e:ffff::3; then
n=$((n + 1))
echo_i "checking Country database by code using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
@ -88,26 +85,25 @@ echo_i "checking Country database with nested ACLs using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
if testsock6 fd92:7065:b8e:ffff::3
then
if testsock6 fd92:7065:b8e:ffff::3; then
n=$((n + 1))
echo_i "checking Country database with nested ACLs using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
@ -127,23 +123,22 @@ echo_i "checking Country database by name using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
if testsock6 fd92:7065:b8e:ffff::3
then
if testsock6 fd92:7065:b8e:ffff::3; then
n=$((n + 1))
echo_i "checking Country database by name using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
@ -167,24 +162,23 @@ ret=0
lret=0
# deliberately skipping 4 and 6 as they have duplicate continents
for i in 1 2 3 5 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
if testsock6 fd92:7065:b8e:ffff::3
then
if testsock6 fd92:7065:b8e:ffff::3; then
n=$((n + 1))
echo_i "checking Country database by continent code using IPv6 ($n)"
ret=0
lret=0
# deliberately skipping 4 and 6 as they have duplicate continents
for i in 1 2 3 5 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
@ -208,24 +202,23 @@ ret=0
lret=0
# skipping 2 on purpose here; it has the same region code as 1
for i in 1 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
if testsock6 fd92:7065:b8e:ffff::3
then
if testsock6 fd92:7065:b8e:ffff::3; then
n=$((n + 1))
echo_i "checking City database by region code using IPv6 ($n)"
ret=0
lret=0
# skipping 2 on purpose here; it has the same region code as 1
# skipping 2 on purpose here; it has the same region code as 1
for i in 1 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
@ -249,23 +242,22 @@ echo_i "checking City database by city name using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
if testsock6 fd92:7065:b8e:ffff::3
then
if testsock6 fd92:7065:b8e:ffff::3; then
n=$((n + 1))
echo_i "checking City database by city name using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
@ -288,26 +280,25 @@ echo_i "checking ISP database using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
if testsock6 fd92:7065:b8e:ffff::3
then
if testsock6 fd92:7065:b8e:ffff::3; then
n=$((n + 1))
echo_i "checking ISP database using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
@ -327,26 +318,25 @@ echo_i "checking ASN database by org name using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
if testsock6 fd92:7065:b8e:ffff::3
then
if testsock6 fd92:7065:b8e:ffff::3; then
n=$((n + 1))
echo_i "checking ASN database by org name using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
@ -366,26 +356,25 @@ echo_i "checking GeoIP6 ASN database, ASNNNN only, using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
if testsock6 fd92:7065:b8e:ffff::3
then
if testsock6 fd92:7065:b8e:ffff::3; then
n=$((n + 1))
echo_i "checking ASN database, ASNNNN only, using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
@ -405,26 +394,25 @@ echo_i "checking GeoIP6 ASN database, NNNN only, using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
if testsock6 fd92:7065:b8e:ffff::3
then
if testsock6 fd92:7065:b8e:ffff::3; then
n=$((n + 1))
echo_i "checking ASN database, NNNN only, using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
@ -444,26 +432,25 @@ echo_i "checking Domain database using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
if testsock6 fd92:7065:b8e:ffff::3
then
if testsock6 fd92:7065:b8e:ffff::3; then
n=$((n + 1))
echo_i "checking Domain database using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
@ -481,8 +468,8 @@ sleep 3
n=$((n + 1))
echo_i "checking geoip blackhole ACL ($n)"
ret=0
$DIG $DIGOPTS txt example -b 10.53.0.7 > dig.out.ns2.test$n || ret=1
$RNDCCMD 10.53.0.2 status 2>&1 > rndc.out.ns2.test$n || ret=1
$DIG $DIGOPTS txt example -b 10.53.0.7 >dig.out.ns2.test$n || ret=1
$RNDCCMD 10.53.0.2 status 2>&1 >rndc.out.ns2.test$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
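Review bot: The redirection order on the reformatted `$RNDCCMD 10.53.0.2 status 2>&1 >rndc.out.ns2.test$n || ret=1` line sends stderr to the original stdout and only stdout to the file, so any rndc error text is lost from the captured output; if the intent is to capture both streams it should read `$RNDCCMD 10.53.0.2 status >rndc.out.ns2.test$n 2>&1 || ret=1`. The same ordering appears on the removed side, so this is pre-existing rather than introduced here, but shfmt has now made the line look deliberate. As a minor point of style in the same file, the repeated `j=$(cat dig.out.ns2.test$n.$i | tr -d '"')` in each loop could be `j=$(tr -d '"' <dig.out.ns2.test$n.$i)`, avoiding a needless cat.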


@ -20,51 +20,51 @@ status=0
export SYSTESTDIR="${TOP_BUILDDIR}/bin/tests/system/${systest}"
get_core_dumps() {
find "$SYSTESTDIR/" \( -name 'core' -or -name 'core.*' -or -name '*.core' \) ! -name '*.gz' ! -name '*.txt' | sort
find "$SYSTESTDIR/" \( -name 'core' -or -name 'core.*' -or -name '*.core' \) ! -name '*.gz' ! -name '*.txt' | sort
}
core_dumps=$(get_core_dumps | tr '\n' ' ')
if [ -n "$core_dumps" ]; then
status=1
echoinfo "I:$systest:Core dump(s) found: $core_dumps"
get_core_dumps | while read -r coredump; do
echoinfo "D:$systest:backtrace from $coredump:"
echoinfo "D:$systest:--------------------------------------------------------------------------------"
binary=$(gdb --batch --core="$coredump" 2>/dev/null | sed -ne "s|Core was generated by \`\([^' ]*\)[' ].*|\1|p")
if [ ! -f "${binary}" ]; then
binary=$(find "${TOP_BUILDDIR}" -path "*/.libs/${binary}" -type f)
fi
"${TOP_BUILDDIR}/libtool" --mode=execute gdb \
-batch \
-ex bt \
-core="$coredump" \
-- \
"$binary" 2>/dev/null | sed -n '/^Core was generated by/,$p' | cat_d
echoinfo "D:$systest:--------------------------------------------------------------------------------"
coredump_backtrace="${coredump}-backtrace.txt"
echoinfo "D:$systest:full backtrace from $coredump saved in $coredump_backtrace"
"${TOP_BUILDDIR}/libtool" --mode=execute gdb \
-batch \
-command="${TOP_SRCDIR}/bin/tests/system/run.gdb" \
-core="$coredump" \
-- \
"$binary" > "$coredump_backtrace" 2>&1
echoinfo "D:$systest:core dump $coredump archived as $coredump.gz"
gzip -1 "${coredump}"
done
status=1
echoinfo "I:$systest:Core dump(s) found: $core_dumps"
get_core_dumps | while read -r coredump; do
echoinfo "D:$systest:backtrace from $coredump:"
echoinfo "D:$systest:--------------------------------------------------------------------------------"
binary=$(gdb --batch --core="$coredump" 2>/dev/null | sed -ne "s|Core was generated by \`\([^' ]*\)[' ].*|\1|p")
if [ ! -f "${binary}" ]; then
binary=$(find "${TOP_BUILDDIR}" -path "*/.libs/${binary}" -type f)
fi
"${TOP_BUILDDIR}/libtool" --mode=execute gdb \
-batch \
-ex bt \
-core="$coredump" \
-- \
"$binary" 2>/dev/null | sed -n '/^Core was generated by/,$p' | cat_d
echoinfo "D:$systest:--------------------------------------------------------------------------------"
coredump_backtrace="${coredump}-backtrace.txt"
echoinfo "D:$systest:full backtrace from $coredump saved in $coredump_backtrace"
"${TOP_BUILDDIR}/libtool" --mode=execute gdb \
-batch \
-command="${TOP_SRCDIR}/bin/tests/system/run.gdb" \
-core="$coredump" \
-- \
"$binary" >"$coredump_backtrace" 2>&1
echoinfo "D:$systest:core dump $coredump archived as $coredump.gz"
gzip -1 "${coredump}"
done
fi
assertion_failures=$(find "$SYSTESTDIR/" -name named.run -exec grep "assertion failure" {} + | wc -l)
if [ "$assertion_failures" -ne 0 ]; then
status=1
echoinfo "I:$systest:$assertion_failures assertion failure(s) found"
status=1
echoinfo "I:$systest:$assertion_failures assertion failure(s) found"
fi
tsan_failures=$(find "$SYSTESTDIR/" -name 'tsan.*' | wc -l)
if [ "$tsan_failures" -ne 0 ]; then
status=1
echoinfo "I:$systest:$tsan_failures TSAN sanitizer report(s) found"
find "$SYSTESTDIR/" -name 'tsan.*' -exec grep "SUMMARY: " {} + | sort -u | cat_d
status=1
echoinfo "I:$systest:$tsan_failures TSAN sanitizer report(s) found"
find "$SYSTESTDIR/" -name 'tsan.*' -exec grep "SUMMARY: " {} + | sort -u | cat_d
fi
exit $status
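Review bot: In the reformatted core-dump loop, `binary=$(find "${TOP_BUILDDIR}" -path "*/.libs/${binary}" -type f)` can yield zero or several paths, and the result is then passed as a single `"$binary"` argument to gdb, which would fail silently under the `2>/dev/null` on the `-ex bt` invocation; if `binary` is empty after the sed extraction, the `-path` pattern degenerates to `*/.libs/` and matches nothing. A guard such as `[ -n "$binary" ] || { echoinfo "D:$systest:could not determine binary for $coredump"; continue; }` before the `if [ ! -f "${binary}" ]` check, and limiting the fallback with `-print -quit` (or `| head -n 1`), would make the backtrace step fail loudly instead of producing an empty trace. This is pre-existing logic that the reformat leaves unchanged, so it is raised as a follow-up rather than against this commit.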
