upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-16 01:18:53 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Reformat shell scripts with shfmt

Browse source 
All changes in this commit were automated using the command:

  shfmt -w -i 2 -ci -bn bin/tests/system/ util/ $(find bin/tests/system/ -name "*.sh.in")

By default, only *.sh and files without extension are checked, so
*.sh.in files have to be added additionally. (See mvdan/sh#944)

(manually replayed commit 4cb8b13987)
This commit is contained in:
Tom Krizek 2023-10-26 13:24:51 +02:00
parent 0cbe4011bf
commit ce014dbf4e
No known key found for this signature in database
GPG key ID: 01623B9B652A20A7
291 changed files with 24973 additions and 24292 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

211
bin/tests/system/acl/tests.sh
View file

@ -22,38 +22,52 @@ t=0
echo_i "testing basic ACL processing"
# key "one" should fail
t=`expr $t + 1`
t=$(expr $t + 1)
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
# any other key should be fine
t=`expr $t + 1`
t=$(expr $t + 1)
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 && {
echo_i "test $t failed"
status=1
}
copy_setports ns2/named2.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
sleep 5
# prefix 10/8 should fail
t=`expr $t + 1`
t=$(expr $t + 1)
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
# any other address should work, as long as it sends key "one"
t=`expr $t + 1`
t=$(expr $t + 1)
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
t=`expr $t + 1`
t=$(expr $t + 1)
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 && {
echo_i "test $t failed"
status=1
}
echo_i "testing nested ACL processing"
# all combinations of 10.53.0.{1|2} with key {one|two}, should succeed
@ -62,45 +76,66 @@ rndc_reload ns2 10.53.0.2
sleep 5
# should succeed
t=`expr $t + 1`
t=$(expr $t + 1)
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 && {
echo_i "test $t failed"
status=1
}
# should succeed
t=`expr $t + 1`
t=$(expr $t + 1)
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 && {
echo_i "test $t failed"
status=1
}
# should succeed
t=`expr $t + 1`
t=$(expr $t + 1)
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 && {
echo_i "test $t failed"
status=1
}
# should succeed
t=`expr $t + 1`
t=$(expr $t + 1)
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 && {
echo_i "test $t failed"
status=1
}
# but only one or the other should fail
t=`expr $t + 1`
t=$(expr $t + 1)
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
t=`expr $t + 1`
t=$(expr $t + 1)
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.2 axfr > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1; }
@10.53.0.2 -b 10.53.0.2 axfr >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $tt failed"
status=1
}
# and other values? right out
t=`expr $t + 1`
t=$(expr $t + 1)
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
copy_setports ns2/named4.conf.in ns2/named.conf
@ -108,63 +143,81 @@ rndc_reload ns2 10.53.0.2
sleep 5
# should succeed
t=`expr $t + 1`
t=$(expr $t + 1)
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 && {
echo_i "test $t failed"
status=1
}
# should succeed
t=`expr $t + 1`
t=$(expr $t + 1)
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 && {
echo_i "test $t failed"
status=1
}
# should fail
t=`expr $t + 1`
t=$(expr $t + 1)
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
# should fail
t=`expr $t + 1`
t=$(expr $t + 1)
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
# should fail
t=`expr $t + 1`
t=$(expr $t + 1)
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 >dig.out.${t}
grep "^;" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
echo_i "testing allow-query-on ACL processing"
copy_setports ns2/named5.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
sleep 5
t=`expr $t + 1`
t=$(expr $t + 1)
$DIG -p ${PORT} +tcp soa example. \
@10.53.0.2 -b 10.53.0.3 > dig.out.${t}
grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
@10.53.0.2 -b 10.53.0.3 >dig.out.${t}
grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
echo_i "test $t failed"
status=1
}
echo_i "testing blackhole ACL processing"
t=`expr $t + 1`
t=$(expr $t + 1)
ret=0
$DIG -p ${PORT} +tcp soa example. \
@10.53.0.2 -b 10.53.0.3 > dig.out.1.${t}
grep "status: NOERROR" dig.out.1.${t} > /dev/null 2>&1 || ret=1
@10.53.0.2 -b 10.53.0.3 >dig.out.1.${t}
grep "status: NOERROR" dig.out.1.${t} >/dev/null 2>&1 || ret=1
$DIG -p ${PORT} +tcp soa example. \
@10.53.0.2 -b 10.53.0.8 > dig.out.2.${t}
grep "status: NOERROR" dig.out.2.${t} > /dev/null 2>&1 && ret=1
grep "communications error" dig.out.2.${t} > /dev/null 2>&1 || ret=1
@10.53.0.2 -b 10.53.0.8 >dig.out.2.${t}
grep "status: NOERROR" dig.out.2.${t} >/dev/null 2>&1 && ret=1
grep "communications error" dig.out.2.${t} >/dev/null 2>&1 || ret=1
$DIG -p ${PORT} soa example. \
@10.53.0.2 -b 10.53.0.3 > dig.out.3.${t}
grep "status: NOERROR" dig.out.3.${t} > /dev/null 2>&1 || ret=1
@10.53.0.2 -b 10.53.0.3 >dig.out.3.${t}
grep "status: NOERROR" dig.out.3.${t} >/dev/null 2>&1 || ret=1
$DIG -p ${PORT} soa example. \
@10.53.0.2 -b 10.53.0.8 > dig.out.4.${t}
grep "status: NOERROR" dig.out.4.${t} > /dev/null 2>&1 && ret=1
grep "connection timed out" dig.out.4.${t} > /dev/null 2>&1 || ret=1
@10.53.0.2 -b 10.53.0.8 >dig.out.4.${t}
grep "status: NOERROR" dig.out.4.${t} >/dev/null 2>&1 && ret=1
grep "connection timed out" dig.out.4.${t} >/dev/null 2>&1 || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
# AXFR tests against ns3
@ -174,26 +227,26 @@ echo_i "calling addzone example.com on ns3"
$RNDCCMD 10.53.0.3 addzone 'example.com {type primary; file "example.db"; }; '
sleep 1
t=`expr $t + 1`
t=$(expr $t + 1)
ret=0
echo_i "checking AXFR of example.com from ns3 with ACL allow-transfer { none; }; (${t})"
$DIG -p ${PORT} @10.53.0.3 example.com axfr > dig.out.${t} 2>&1
$DIG -p ${PORT} @10.53.0.3 example.com axfr >dig.out.${t} 2>&1
grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "calling rndc reconfig"
rndc_reconfig ns3 10.53.0.3
sleep 1
t=`expr $t + 1`
t=$(expr $t + 1)
ret=0
echo_i "re-checking AXFR of example.com from ns3 with ACL allow-transfer { none; }; (${t})"
$DIG -p ${PORT} @10.53.0.3 example.com axfr > dig.out.${t} 2>&1
$DIG -p ${PORT} @10.53.0.3 example.com axfr >dig.out.${t} 2>&1
grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
# AXFR tests against ns4
@ -203,26 +256,26 @@ echo_i "calling addzone example.com on ns4"
$RNDCCMD 10.53.0.4 addzone 'example.com {type primary; file "example.db"; }; '
sleep 1
t=`expr $t + 1`
t=$(expr $t + 1)
ret=0
echo_i "checking AXFR of example.com from ns4 with ACL allow-transfer { none; }; (${t})"
$DIG -p ${PORT} @10.53.0.4 example.com axfr > dig.out.${t} 2>&1
$DIG -p ${PORT} @10.53.0.4 example.com axfr >dig.out.${t} 2>&1
grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "calling rndc reconfig"
rndc_reconfig ns4 10.53.0.4
sleep 1
t=`expr $t + 1`
t=$(expr $t + 1)
ret=0
echo_i "re-checking AXFR of example.com from ns4 with ACL allow-transfer { none; }; (${t})"
$DIG -p ${PORT} @10.53.0.4 example.com axfr > dig.out.${t} 2>&1
$DIG -p ${PORT} @10.53.0.4 example.com axfr >dig.out.${t} 2>&1
grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

506
bin/tests/system/additional/tests.sh
View file

@ -21,229 +21,245 @@ status=0
n=0
dotests() {
n=`expr $n + 1`
echo_i "test with RT, single zone (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t RT rt.rt.example @10.53.0.1 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$(expr $n + 1)
echo_i "test with RT, single zone (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t RT rt.rt.example @10.53.0.1 >dig.out.$n || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=`expr $n + 1`
echo_i "test with RT, two zones (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t RT rt.rt2.example @10.53.0.1 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$(expr $n + 1)
echo_i "test with RT, two zones (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t RT rt.rt2.example @10.53.0.1 >dig.out.$n || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=`expr $n + 1`
echo_i "test with NAPTR, single zone (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t NAPTR nap.naptr.example @10.53.0.1 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$(expr $n + 1)
echo_i "test with NAPTR, single zone (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t NAPTR nap.naptr.example @10.53.0.1 >dig.out.$n || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=`expr $n + 1`
echo_i "test with NAPTR, two zones (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t NAPTR nap.hang3b.example @10.53.0.1 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$(expr $n + 1)
echo_i "test with NAPTR, two zones (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t NAPTR nap.hang3b.example @10.53.0.1 >dig.out.$n || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=`expr $n + 1`
echo_i "test with LP (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t LP nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1
case $minimal in
n=$(expr $n + 1)
echo_i "test with LP (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t LP nid2.nid.example @10.53.0.1 >dig.out.$n || ret=1
case $minimal in
no)
grep -w "NS" dig.out.$n > /dev/null || ret=1
grep -w "L64" dig.out.$n > /dev/null || ret=1
grep -w "L32" dig.out.$n > /dev/null || ret=1
grep -w "NS" dig.out.$n >/dev/null || ret=1
grep -w "L64" dig.out.$n >/dev/null || ret=1
grep -w "L32" dig.out.$n >/dev/null || ret=1
;;
yes)
grep -w "NS" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
grep -w "NS" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
;;
no-auth)
grep -w "NS" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null || ret=1
grep -w "L32" dig.out.$n > /dev/null || ret=1
grep -w "NS" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null || ret=1
grep -w "L32" dig.out.$n >/dev/null || ret=1
;;
no-auth-recursive)
grep -w "NS" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null || ret=1
grep -w "L32" dig.out.$n > /dev/null || ret=1
grep -w "NS" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null || ret=1
grep -w "L32" dig.out.$n >/dev/null || ret=1
;;
esac
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
esac
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=`expr $n + 1`
echo_i "test with NID (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t NID ns1.nid.example @10.53.0.1 > dig.out.$n || ret=1
if [ $minimal = no ] ; then
# change && to || when we support NID additional processing
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
else
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
fi
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$(expr $n + 1)
echo_i "test with NID (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t NID ns1.nid.example @10.53.0.1 >dig.out.$n || ret=1
if [ $minimal = no ]; then
# change && to || when we support NID additional processing
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
else
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
fi
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=`expr $n + 1`
echo_i "test with NID + LP (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t NID nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1
if [ $minimal = no ] ; then
# change && to || when we support NID additional processing
grep -w "LP" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
else
grep -w "LP" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
fi
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$(expr $n + 1)
echo_i "test with NID + LP (+rec) ($n)"
ret=0
$DIG $DIGOPTS +rec -t NID nid2.nid.example @10.53.0.1 >dig.out.$n || ret=1
if [ $minimal = no ]; then
# change && to || when we support NID additional processing
grep -w "LP" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
else
grep -w "LP" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
fi
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=`expr $n + 1`
echo_i "test with RT, single zone (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t RT rt.rt.example @10.53.0.1 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$(expr $n + 1)
echo_i "test with RT, single zone (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t RT rt.rt.example @10.53.0.1 >dig.out.$n || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=`expr $n + 1`
echo_i "test with RT, two zones (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t RT rt.rt2.example @10.53.0.1 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$(expr $n + 1)
echo_i "test with RT, two zones (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t RT rt.rt2.example @10.53.0.1 >dig.out.$n || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=`expr $n + 1`
echo_i "test with NAPTR, single zone (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t NAPTR nap.naptr.example @10.53.0.1 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$(expr $n + 1)
echo_i "test with NAPTR, single zone (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t NAPTR nap.naptr.example @10.53.0.1 >dig.out.$n || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=`expr $n + 1`
echo_i "test with NAPTR, two zones (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t NAPTR nap.hang3b.example @10.53.0.1 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$(expr $n + 1)
echo_i "test with NAPTR, two zones (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t NAPTR nap.hang3b.example @10.53.0.1 >dig.out.$n || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=`expr $n + 1`
echo_i "test with LP (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t LP nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1
case $minimal in
n=$(expr $n + 1)
echo_i "test with LP (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t LP nid2.nid.example @10.53.0.1 >dig.out.$n || ret=1
case $minimal in
no)
grep -w "NS" dig.out.$n > /dev/null || ret=1
grep -w "L64" dig.out.$n > /dev/null || ret=1
grep -w "L32" dig.out.$n > /dev/null || ret=1
grep -w "NS" dig.out.$n >/dev/null || ret=1
grep -w "L64" dig.out.$n >/dev/null || ret=1
grep -w "L32" dig.out.$n >/dev/null || ret=1
;;
yes)
grep -w "NS" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
grep -w "NS" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
;;
no-auth)
grep -w "NS" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null || ret=1
grep -w "L32" dig.out.$n > /dev/null || ret=1
grep -w "NS" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null || ret=1
grep -w "L32" dig.out.$n >/dev/null || ret=1
;;
no-auth-recursive)
grep -w "NS" dig.out.$n > /dev/null || ret=1
grep -w "L64" dig.out.$n > /dev/null || ret=1
grep -w "L32" dig.out.$n > /dev/null || ret=1
grep -w "NS" dig.out.$n >/dev/null || ret=1
grep -w "L64" dig.out.$n >/dev/null || ret=1
grep -w "L32" dig.out.$n >/dev/null || ret=1
;;
esac
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
esac
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=`expr $n + 1`
echo_i "test with NID (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t NID ns1.nid.example @10.53.0.1 > dig.out.$n || ret=1
if [ $minimal = no ] ; then
# change && to || when we support NID additional processing
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
else
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
fi
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$(expr $n + 1)
echo_i "test with NID (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t NID ns1.nid.example @10.53.0.1 >dig.out.$n || ret=1
if [ $minimal = no ]; then
# change && to || when we support NID additional processing
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
else
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
fi
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=`expr $n + 1`
echo_i "test with NID + LP (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t NID nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1
if [ $minimal = no ] ; then
# change && to || when we support NID additional processing
grep -w "LP" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
else
grep -w "LP" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
fi
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$(expr $n + 1)
echo_i "test with NID + LP (+norec) ($n)"
ret=0
$DIG $DIGOPTS +norec -t NID nid2.nid.example @10.53.0.1 >dig.out.$n || ret=1
if [ $minimal = no ]; then
# change && to || when we support NID additional processing
grep -w "LP" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
else
grep -w "LP" dig.out.$n >/dev/null && ret=1
grep -w "L64" dig.out.$n >/dev/null && ret=1
grep -w "L32" dig.out.$n >/dev/null && ret=1
fi
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=`expr $n + 1`
echo_i "test with NS, root zone ($n)"
ret=0
$DIG $DIGOPTS -t NS . @10.53.0.1 > dig.out.$n || ret=1
# Always expect glue for root priming queries, regardless $minimal
grep 'ADDITIONAL: 3' dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
n=$(expr $n + 1)
echo_i "test with NS, root zone ($n)"
ret=0
$DIG $DIGOPTS -t NS . @10.53.0.1 >dig.out.$n || ret=1
# Always expect glue for root priming queries, regardless $minimal
grep 'ADDITIONAL: 3' dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=`expr $n + 1`
echo_i "test with NS, non-root zone ($n)"
ret=0
$DIG $DIGOPTS -t NS rt.example @10.53.0.1 > dig.out.$n || ret=1
case $minimal in
n=$(expr $n + 1)
echo_i "test with NS, non-root zone ($n)"
ret=0
$DIG $DIGOPTS -t NS rt.example @10.53.0.1 >dig.out.$n || ret=1
case $minimal in
yes)
grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1
grep 'ADDITIONAL: 2' dig.out.$n >/dev/null || ret=1
;;
no)
grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1
grep 'ADDITIONAL: 2' dig.out.$n >/dev/null || ret=1
;;
no-auth)
grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1
grep 'ADDITIONAL: 2' dig.out.$n >/dev/null || ret=1
;;
no-auth-recursive)
grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1
grep 'ADDITIONAL: 2' dig.out.$n >/dev/null || ret=1
;;
esac
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
esac
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
}
echo_i "testing with 'minimal-responses yes;'"
@ -258,44 +274,48 @@ echo_i "testing with 'minimal-responses no;'"
minimal=no
dotests
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "testing with 'minimal-any no;' ($n)"
ret=0
$DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1
grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 >dig.out.$n || ret=1
grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
echo_i "reconfiguring server: minimal-any yes"
copy_setports ns1/named3.conf.in ns1/named.conf
rndc_reconfig ns1 10.53.0.1
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "testing with 'minimal-any yes;' over UDP ($n)"
ret=0
$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1
grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 >dig.out.$n || ret=1
grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "testing with 'minimal-any yes;' over TCP ($n)"
ret=0
$DIG $DIGOPTS -t ANY +tcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1
grep "ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t ANY +tcp www.rt.example @10.53.0.1 >dig.out.$n || ret=1
grep "ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "testing with 'minimal-any yes;' over UDP ($n)"
ret=0
$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1
grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 >dig.out.$n || ret=1
grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
echo_i "testing with 'minimal-responses no-auth;'"
@ -310,68 +330,74 @@ echo_i "testing with 'minimal-responses no-auth-recursive;'"
minimal=no-auth-recursive
dotests
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "testing returning TLSA records with MX query ($n)"
ret=0
$DIG $DIGOPTS -t mx mx.example @10.53.0.1 > dig.out.$n || ret=1
grep "mx\.example\..*MX.0 mail\.mx\.example" dig.out.$n > /dev/null || ret=1
grep "mail\.mx\.example\..*A.1\.2\.3\.4" dig.out.$n > /dev/null || ret=1
grep "_25\._tcp\.mail\.mx\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t mx mx.example @10.53.0.1 >dig.out.$n || ret=1
grep "mx\.example\..*MX.0 mail\.mx\.example" dig.out.$n >/dev/null || ret=1
grep "mail\.mx\.example\..*A.1\.2\.3\.4" dig.out.$n >/dev/null || ret=1
grep "_25\._tcp\.mail\.mx\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "testing returning TLSA records with SRV query ($n)"
ret=0
$DIG $DIGOPTS -t srv _xmpp-client._tcp.srv.example @10.53.0.1 > dig.out.$n || ret=1
grep "_xmpp-client\._tcp\.srv\.example\..*SRV.1 0 5222 server\.srv\.example" dig.out.$n > /dev/null || ret=1
grep "server\.srv\.example\..*A.1\.2\.3\.4" dig.out.$n > /dev/null || ret=1
grep "_5222\._tcp\.server\.srv\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t srv _xmpp-client._tcp.srv.example @10.53.0.1 >dig.out.$n || ret=1
grep "_xmpp-client\._tcp\.srv\.example\..*SRV.1 0 5222 server\.srv\.example" dig.out.$n >/dev/null || ret=1
grep "server\.srv\.example\..*A.1\.2\.3\.4" dig.out.$n >/dev/null || ret=1
grep "_5222\._tcp\.server\.srv\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
echo_i "reconfiguring server: minimal-responses no"
copy_setports ns1/named2.conf.in ns1/named.conf
rndc_reconfig ns1 10.53.0.1
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "testing NS handling in ANY responses (authoritative) ($n)"
ret=0
$DIG $DIGOPTS -t ANY rt.example @10.53.0.1 > dig.out.$n || ret=1
grep "AUTHORITY: 0" dig.out.$n > /dev/null || ret=1
grep "NS[ ]*ns" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t ANY rt.example @10.53.0.1 >dig.out.$n || ret=1
grep "AUTHORITY: 0" dig.out.$n >/dev/null || ret=1
grep "NS[ ]*ns" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "testing NS handling in ANY responses (recursive) ($n)"
ret=0
$DIG $DIGOPTS -t ANY rt.example @10.53.0.3 > dig.out.$n || ret=1
grep "AUTHORITY: 0" dig.out.$n > /dev/null || ret=1
grep "NS[ ]*ns" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t ANY rt.example @10.53.0.3 >dig.out.$n || ret=1
grep "AUTHORITY: 0" dig.out.$n >/dev/null || ret=1
grep "NS[ ]*ns" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "testing out-of-zone additional data from auth zones (authoritative) ($n)"
ret=0
$DIG $DIGOPTS -t NS rt.example @10.53.0.1 > dig.out.$n || ret=1
grep "ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t NS rt.example @10.53.0.1 >dig.out.$n || ret=1
grep "ADDITIONAL: 2" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "testing out-of-zone additional data from auth zones (recursive) ($n)"
ret=0
$DIG $DIGOPTS -t NS ex @10.53.0.3 > dig.out.$n || ret=1
grep "ADDITIONAL: 3" dig.out.$n > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
$DIG $DIGOPTS -t NS ex @10.53.0.3 >dig.out.$n || ret=1
grep "ADDITIONAL: 3" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ]; then
echo_i "failed"
status=$((status + 1))
fi
echo_i "exit status: $status"

739
bin/tests/system/addzone/tests.sh
View file

File diff suppressed because it is too large Load diff

6
bin/tests/system/allow-query/setup.sh
View file

@ -15,6 +15,6 @@ SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
copy_setports ../common/controls.conf.in ns2/controls.conf
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named01.conf.in ns2/named.conf
copy_setports ns3/named1.conf.in ns3/named.conf
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named01.conf.in ns2/named.conf
copy_setports ns3/named1.conf.in ns3/named.conf

527
bin/tests/system/allow-query/tests.sh
View file

@ -60,629 +60,628 @@ DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnss
status=0
n=0
nextpart ns2/named.run > /dev/null
nextpart ns2/named.run >/dev/null
# Test 1 - default, query allowed
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "test $n: default - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 2 - explicit any, query allowed
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named02.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: explicit any - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 3 - none, query refused
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named03.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: none - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 4 - address allowed, query allowed
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named04.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: address allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 5 - address not allowed, query refused
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named05.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: address not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 6 - address disallowed, query refused
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named06.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: address disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 7 - acl allowed, query allowed
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named07.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: acl allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 8 - acl not allowed, query refused
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named08.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: acl not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 9 - acl disallowed, query refused
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named09.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: acl disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 10 - key allowed, query allowed
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named10.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: key allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 11 - key not allowed, query refused
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named11.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: key not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 12 - key disallowed, query refused
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named12.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: key disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# The next set of tests check if allow-query works in a view
n=20
# Test 21 - views default, query allowed
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named21.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: views default - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 22 - views explicit any, query allowed
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named22.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: views explicit any - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 23 - views none, query refused
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named23.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: views none - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 24 - views address allowed, query allowed
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named24.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: views address allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 25 - views address not allowed, query refused
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named25.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: views address not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 26 - views address disallowed, query refused
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named26.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: views address disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 27 - views acl allowed, query allowed
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named27.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: views acl allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 28 - views acl not allowed, query refused
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named28.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: views acl not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 29 - views acl disallowed, query refused
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named29.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: views acl disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 30 - views key allowed, query allowed
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named30.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: views key allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 31 - views key not allowed, query refused
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named31.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: views key not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 32 - views key disallowed, query refused
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named32.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: views key disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 33 - views over options, views allow, query allowed
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named33.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: views over options, views allow - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 34 - views over options, views disallow, query refused
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named34.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: views over options, views disallow - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Tests for allow-query in the zone statements
n=40
# Test 41 - zone default, query allowed
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named40.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: zone default - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 42 - zone explicit any, query allowed
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "test $n: zone explicit any - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.any.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.any.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.any.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.any.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 43 - zone none, query refused
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "test $n: zone none - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.none.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.none.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.none.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.none.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 44 - zone address allowed, query allowed
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "test $n: zone address allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrallow.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.addrallow.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrallow.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.addrallow.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 45 - zone address not allowed, query refused
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "test $n: zone address not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrnotallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.addrnotallow.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrnotallow.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.addrnotallow.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 46 - zone address disallowed, query refused
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "test $n: zone address disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrdisallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.addrdisallow.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrdisallow.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.addrdisallow.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 47 - zone acl allowed, query allowed
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "test $n: zone acl allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclallow.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.aclallow.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclallow.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.aclallow.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 48 - zone acl not allowed, query refused
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "test $n: zone acl not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.aclnotallow.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.aclnotallow.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 49 - zone acl disallowed, query refused
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "test $n: zone acl disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.acldisallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.acldisallow.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.acldisallow.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.acldisallow.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 50 - zone key allowed, query allowed
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "test $n: zone key allowed - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 51 - zone key not allowed, query refused
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "test $n: zone key not allowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 52 - zone key disallowed, query refused
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "test $n: zone key disallowed - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.keydisallow.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 53 - zones over options, zones allow, query allowed
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named53.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: views over options, views allow - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 54 - zones over options, zones disallow, query refused
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named54.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: views over options, views disallow - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 55 - zones over views, zones allow, query allowed
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named55.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: zones over views, views allow - query allowed"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 56 - zones over views, zones disallow, query refused
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named56.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: zones over views, views disallow - query refused"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 57 - zones over views, zones disallow, query refused (allow-query-on)
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns2/named57.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
echo_i "test $n: zones over views, allow-query-on"
ret=0
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.1.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.1.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.1.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.2.$n > /dev/null || ret=1
grep '^a.aclnotallow.example' dig.out.ns2.2.$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.1.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.1.$n >/dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.1.$n >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a >dig.out.ns2.2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.2.$n >/dev/null || ret=1
grep '^a.aclnotallow.example' dig.out.ns2.2.$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 58 - allow-recursion default
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "test $n: default allow-recursion configuration"
ret=0
$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 a.normal.example a > dig.out.ns3.1.$n
grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 a.normal.example a > dig.out.ns3.2.$n
grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 a.normal.example a >dig.out.ns3.1.$n
grep 'status: NOERROR' dig.out.ns3.1.$n >/dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 a.normal.example a >dig.out.ns3.2.$n
grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 59 - allow-query-cache default
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "test $n: default allow-query-cache configuration"
ret=0
$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 ns . > dig.out.ns3.1.$n
grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 ns . > dig.out.ns3.2.$n
grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 ns . >dig.out.ns3.1.$n
grep 'status: NOERROR' dig.out.ns3.1.$n >/dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 ns . >dig.out.ns3.2.$n
grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 60 - block recursion-on, allow query-cache-on
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns3/named2.conf.in ns3/named.conf
rndc_reload ns3 10.53.0.3
echo_i "test $n: block recursion-on, allow query-cache-on"
ret=0
# this should query the cache, and an answer should already be there
$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n
grep 'recursion requested but not available' dig.out.ns3.1.$n > /dev/null || ret=1
grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 a.normal.example a >dig.out.ns3.1.$n
grep 'recursion requested but not available' dig.out.ns3.1.$n >/dev/null || ret=1
grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1
# this should require recursion and therefore can't get an answer
$DIG -p ${PORT} @10.53.0.3 b.normal.example a > dig.out.ns3.2.$n
grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'ANSWER: 0' dig.out.ns3.2.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 b.normal.example a >dig.out.ns3.2.$n
grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'ANSWER: 0' dig.out.ns3.2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 61 - inheritance of allow-query-cache-on from allow-recursion-on
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns3/named3.conf.in ns3/named.conf
rndc_reload ns3 10.53.0.3
echo_i "test $n: inheritance of allow-query-cache-on"
ret=0
# this should query the cache, an answer should already be there
$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n
grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 a.normal.example a >dig.out.ns3.1.$n
grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1
# this should be refused due to allow-recursion-on/allow-query-cache-on
$DIG -p ${PORT} @10.53.1.2 a.normal.example a > dig.out.ns3.2.$n
grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.1.2 a.normal.example a >dig.out.ns3.2.$n
grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
# this should require recursion and should be allowed
$DIG -p ${PORT} @10.53.0.3 c.normal.example a > dig.out.ns3.3.$n
grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 c.normal.example a >dig.out.ns3.3.$n
grep 'ANSWER: 1' dig.out.ns3.3.$n >/dev/null || ret=1
# this should require recursion and be refused
$DIG -p ${PORT} @10.53.1.2 d.normal.example a > dig.out.ns3.4.$n
grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.1.2 d.normal.example a >dig.out.ns3.4.$n
grep 'recursion requested but not available' dig.out.ns3.4.$n >/dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.4.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Test 62 - inheritance of allow-recursion-on from allow-query-cache-on
n=`expr $n + 1`
n=$(expr $n + 1)
copy_setports ns3/named4.conf.in ns3/named.conf
rndc_reload ns3 10.53.0.3
echo_i "test $n: inheritance of allow-recursion-on"
ret=0
# this should query the cache, an answer should already be there
$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n
grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 a.normal.example a >dig.out.ns3.1.$n
grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1
# this should be refused due to allow-recursion-on/allow-query-cache-on
$DIG -p ${PORT} @10.53.1.2 a.normal.example a > dig.out.ns3.2.$n
grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.1.2 a.normal.example a >dig.out.ns3.2.$n
grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
# this should require recursion and should be allowed
$DIG -p ${PORT} @10.53.0.3 e.normal.example a > dig.out.ns3.3.$n
grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 e.normal.example a >dig.out.ns3.3.$n
grep 'ANSWER: 1' dig.out.ns3.3.$n >/dev/null || ret=1
# this should require recursion and be refused
$DIG -p ${PORT} @10.53.1.2 f.normal.example a > dig.out.ns3.4.$n
grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.1.2 f.normal.example a >dig.out.ns3.4.$n
grep 'recursion requested but not available' dig.out.ns3.4.$n >/dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.4.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

198
bin/tests/system/auth/tests.sh
View file

@ -19,173 +19,171 @@ DIGOPTS="+tcp -p ${PORT}"
status=0
n=0
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "wait for zones to finish transferring to ns2 ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
for i in 1 2 3 4 5 6 7 8 9 10; do
ret=0
for zone in example.com example.net
do
$DIG $DIGOPTS @10.53.0.2 soa $zone > dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
for zone in example.com example.net; do
$DIG $DIGOPTS @10.53.0.2 soa $zone >dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
done
[ $ret -eq 0 ] && break
sleep 1
done
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
#
# If recursion is unrequested or unavailable, then cross-zone CNAME records
# should not be followed. If both requested and available, they should be.
#
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check that cross-zone CNAME record does not return target data (rd=0/ra=0) ($n)"
ret=0
$DIG $DIGOPTS +norec @10.53.0.1 www.example.com > dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1
$DIG $DIGOPTS +norec @10.53.0.1 www.example.com >dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
grep "flags: qr aa;" dig.out.test$n >/dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n >/dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n >/dev/null && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check that cross-zone CNAME record does not return target data (rd=1/ra=0) ($n)"
ret=0
$DIG $DIGOPTS +rec @10.53.0.1 www.example.com > dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1
$DIG $DIGOPTS +rec @10.53.0.1 www.example.com >dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
grep "flags: qr aa rd;" dig.out.test$n >/dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n >/dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n >/dev/null && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check that cross-zone CNAME record does not return target data (rd=0/ra=1) ($n)"
ret=0
$DIG $DIGOPTS +norec @10.53.0.2 www.example.com > dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1
$DIG $DIGOPTS +norec @10.53.0.2 www.example.com >dig.out.test$n || ret=1
grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
grep "flags: qr aa ra;" dig.out.test$n >/dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n >/dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n >/dev/null && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check that cross-zone CNAME records return target data (rd=1/ra=1) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 www.example.com > dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 www.example.com >dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1
grep "flags: qr aa rd ra;" dig.out.test$n >/dev/null || ret=1
grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n >/dev/null || ret=1
grep "server.example.net.*A.*10.53.0.100" dig.out.test$n >/dev/null || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
#
# In-zone CNAME records should always be followed regardless of RD and RA.
#
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check that in-zone CNAME records return target data (rd=0/ra=0) ($n)"
ret=0
$DIG $DIGOPTS +norec @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +norec @10.53.0.1 inzone.example.com >dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1
grep "flags: qr aa;" dig.out.test$n >/dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n >/dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n >/dev/null || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check that in-zone CNAME records returns target data (rd=1/ra=0) ($n)"
ret=0
$DIG $DIGOPTS +rec @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +rec @10.53.0.1 inzone.example.com >dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1
grep "flags: qr aa rd;" dig.out.test$n >/dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n >/dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n >/dev/null || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check that in-zone CNAME records return target data (rd=0/ra=1) ($n)"
ret=0
$DIG $DIGOPTS +norec @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +norec @10.53.0.2 inzone.example.com >dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1
grep "flags: qr aa ra;" dig.out.test$n >/dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n >/dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n >/dev/null || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check that in-zone CNAME records return target data (rd=1/ra=1) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.2 inzone.example.com >dig.out.test$n || ret=1
grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1
grep "flags: qr aa rd ra;" dig.out.test$n >/dev/null || ret=1
grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n >/dev/null || ret=1
grep "a.example.com.*A.*10.53.0.1" dig.out.test$n >/dev/null || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check that in-zone CNAME records does not return target data when QTYPE is CNAME (rd=1/ra=1) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -t cname inzone.example.com > dig.out.test$n || ret=1
grep 'ANSWER: 1,' dig.out.test$n > /dev/null || ret=1
grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1
grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null || ret=1
grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -t cname inzone.example.com >dig.out.test$n || ret=1
grep 'ANSWER: 1,' dig.out.test$n >/dev/null || ret=1
grep 'flags: qr aa rd ra;' dig.out.test$n >/dev/null || ret=1
grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n >/dev/null || ret=1
grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n >/dev/null && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check that in-zone CNAME records does not return target data when QTYPE is ANY (rd=1/ra=1) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -t any inzone.example.com > dig.out.test$n || ret=1
grep 'ANSWER: 1,' dig.out.test$n > /dev/null || ret=1
grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1
grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null || ret=1
grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -t any inzone.example.com >dig.out.test$n || ret=1
grep 'ANSWER: 1,' dig.out.test$n >/dev/null || ret=1
grep 'flags: qr aa rd ra;' dig.out.test$n >/dev/null || ret=1
grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n >/dev/null || ret=1
grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n >/dev/null && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check that in-zone DNAME records does not return target data when QTYPE is CNAME (rd=1/ra=1) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -t cname inzone.dname.example.com > dig.out.test$n || ret=1
grep 'ANSWER: 2,' dig.out.test$n > /dev/null || ret=1
grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1
grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n > /dev/null || ret=1
grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n > /dev/null || ret=1
grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null && ret=1
grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -t cname inzone.dname.example.com >dig.out.test$n || ret=1
grep 'ANSWER: 2,' dig.out.test$n >/dev/null || ret=1
grep 'flags: qr aa rd ra;' dig.out.test$n >/dev/null || ret=1
grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n >/dev/null || ret=1
grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n >/dev/null || ret=1
grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n >/dev/null && ret=1
grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n >/dev/null && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check that in-zone DNAME records does not return target data when QTYPE is ANY (rd=1/ra=1) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -t any inzone.dname.example.com > dig.out.test$n || ret=1
grep 'ANSWER: 2,' dig.out.test$n > /dev/null || ret=1
grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1
grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n > /dev/null || ret=1
grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n > /dev/null || ret=1
grep 'inzone\.example\.com.*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null && ret=1
grep 'a\.example\.com.*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 -t any inzone.dname.example.com >dig.out.test$n || ret=1
grep 'ANSWER: 2,' dig.out.test$n >/dev/null || ret=1
grep 'flags: qr aa rd ra;' dig.out.test$n >/dev/null || ret=1
grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n >/dev/null || ret=1
grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n >/dev/null || ret=1
grep 'inzone\.example\.com.*CNAME.a\.example\.com\.' dig.out.test$n >/dev/null && ret=1
grep 'a\.example\.com.*A.10\.53\.0\.1' dig.out.test$n >/dev/null && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check that CHAOS addresses are compared correctly ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.1 +noall +answer ch test.example.chaos > dig.out.test$n
lines=`wc -l < dig.out.test$n`
$DIG $DIGOPTS @10.53.0.1 +noall +answer ch test.example.chaos >dig.out.test$n
lines=$(wc -l <dig.out.test$n)
[ ${lines:-0} -eq 2 ] || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

26
bin/tests/system/autosign/ns1/keygen.sh
View file

@ -18,9 +18,9 @@ zone=.
zonefile=root.db
infile=root.db.in
(cd ../ns2 && $SHELL keygen.sh )
(cd ../ns2 && $SHELL keygen.sh)
cat $infile ../ns2/dsset-example$TP ../ns2/dsset-bar$TP > $zonefile
cat $infile ../ns2/dsset-example$TP ../ns2/dsset-bar$TP >$zonefile
zskact=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone)
zskvanish=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone)
@ -35,20 +35,20 @@ rm $zsknopriv.private
ksksby=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -P now -A now+15s -fk $zone)
kskrev=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -R now+15s -fk $zone)
keyfile_to_static_ds $ksksby > trusted.conf
keyfile_to_static_ds $ksksby >trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf
keyfile_to_static_ds $kskrev > trusted.conf
keyfile_to_static_ds $kskrev >trusted.conf
cp trusted.conf ../ns5/trusted.conf
echo $zskact > ../active.key
echo $zskvanish > ../vanishing.key
echo $zskdel > ../del.key
echo $zskinact > ../inact.key
echo $zskunpub > ../unpub.key
echo $zsknopriv > ../nopriv.key
echo $zsksby > ../standby.key
echo $zskactnowpub1d > ../activate-now-publish-1day.key
$REVOKE -R $kskrev > ../rev.key
echo $zskact >../active.key
echo $zskvanish >../vanishing.key
echo $zskdel >../del.key
echo $zskinact >../inact.key
echo $zskunpub >../unpub.key
echo $zsknopriv >../nopriv.key
echo $zsksby >../standby.key
echo $zskactnowpub1d >../activate-now-publish-1day.key
$REVOKE -R $kskrev >../rev.key

36
bin/tests/system/autosign/ns2/keygen.sh
View file

@ -15,52 +15,50 @@ SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
# Have the child generate subdomain keys and pass DS sets to us.
( cd ../ns3 && $SHELL keygen.sh )
(cd ../ns3 && $SHELL keygen.sh)
for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 \
nsec3-to-nsec oldsigs sync dname-at-apex-nsec3 cds-delete \
cdnskey-delete
do
cp ../ns3/dsset-$subdomain.example$TP .
nsec3-to-nsec oldsigs sync dname-at-apex-nsec3 cds-delete \
cdnskey-delete; do
cp ../ns3/dsset-$subdomain.example$TP .
done
# Create keys and pass the DS to the parent.
zone=example
zonefile="${zone}.db"
infile="${zonefile}.in"
cat $infile dsset-*.example$TP > $zonefile
cat $infile dsset-*.example$TP >$zonefile
kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null
$DSFROMKEY $kskname.key > dsset-${zone}$TP
$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone >/dev/null
$DSFROMKEY $kskname.key >dsset-${zone}$TP
# Create keys for a private secure zone.
zone=private.secure.example
zonefile="${zone}.db"
infile="${zonefile}.in"
ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null
keyfile_to_static_ds $ksk > private.conf
$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone >/dev/null
keyfile_to_static_ds $ksk >private.conf
cp private.conf ../ns4/private.conf
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >/dev/null
# Extract saved keys for the revoke-to-duplicate-key test
zone=bar
zonefile="${zone}.db"
infile="${zonefile}.in"
cat $infile > $zonefile
cat $infile >$zonefile
for i in Xbar.+013+59973.key Xbar.+013+59973.private \
Xbar.+013+60101.key Xbar.+013+60101.private
do
cp $i $(echo $i | sed s/X/K/)
Xbar.+013+60101.key Xbar.+013+60101.private; do
cp $i $(echo $i | sed s/X/K/)
done
$KEYGEN -a ECDSAP256SHA256 -q $zone > /dev/null
$DSFROMKEY Kbar.+013+60101.key > dsset-bar$TP
$KEYGEN -a ECDSAP256SHA256 -q $zone >/dev/null
$DSFROMKEY Kbar.+013+60101.key >dsset-bar$TP
# a zone with empty non-terminals.
zone=optout-with-ent
zonefile=optout-with-ent.db
infile=optout-with-ent.db.in
cat $infile > $zonefile
cat $infile >$zonefile
kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null
$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone >/dev/null

294
bin/tests/system/autosign/ns3/keygen.sh
View file

@ -16,43 +16,43 @@ SYSTEMTESTTOP=../..
SYSTESTDIR=autosign
dumpit () {
echo_d "${debug}: dumping ${1}"
cat "${1}" | cat_d
dumpit() {
echo_d "${debug}: dumping ${1}"
cat "${1}" | cat_d
}
setup () {
echo_i "setting up zone: $1"
debug="$1"
zone="$1"
zonefile="${zone}.db"
infile="${zonefile}.in"
n=$((${n:-0} + 1))
setup() {
echo_i "setting up zone: $1"
debug="$1"
zone="$1"
zonefile="${zone}.db"
infile="${zonefile}.in"
n=$((${n:-0} + 1))
}
setup secure.example
cp $infile $zonefile
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}$TP
#
# NSEC3/NSEC test zone
#
setup secure.nsec3.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}$TP
#
# NSEC3/NSEC3 test zone
#
setup nsec3.nsec3.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}$TP
#
# Jitter/NSEC3 test zone
@ -60,10 +60,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
setup jitter.nsec3.example
cp $infile $zonefile
count=1
while [ $count -le 1000 ]
do
echo "label${count} IN TXT label${count}" >> $zonefile
count=$((count + 1))
while [ $count -le 1000 ]; do
echo "label${count} IN TXT label${count}" >>$zonefile
count=$((count + 1))
done
# Don't create keys just yet, because the scenario we want to test
# is an unsigned zone that has a NSEC3PARAM record added with
@ -74,98 +73,100 @@ done
#
setup optout.nsec3.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}$TP
#
# A nsec3 zone (non-optout).
#
setup nsec3.example
cat $infile dsset-*.${zone}$TP > $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
cat $infile dsset-*.${zone}$TP >$zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}$TP
#
# An NSEC3 zone, with NSEC3 parameters set prior to signing
#
setup autonsec3.example
cat $infile > $zonefile
ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
echo $ksk > ../autoksk.key
zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
echo $zsk > ../autozsk.key
$DSFROMKEY $ksk.key > dsset-${zone}$TP
cat $infile >$zonefile
ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
echo $ksk >../autoksk.key
zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
echo $zsk >../autozsk.key
$DSFROMKEY $ksk.key >dsset-${zone}$TP
#
# OPTOUT/NSEC test zone
#
setup secure.optout.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}$TP
#
# OPTOUT/NSEC3 test zone
#
setup nsec3.optout.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}$TP
#
# OPTOUT/OPTOUT test zone
#
setup optout.optout.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}$TP
#
# A optout nsec3 zone.
#
setup optout.example
cat $infile dsset-*.${zone}$TP > $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
cat $infile dsset-*.${zone}$TP >$zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}$TP
#
# A RSASHA256 zone.
#
setup rsasha256.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA256 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA256 -b 2048 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}$TP
#
# A RSASHA512 zone.
#
setup rsasha512.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA512 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA512 -b 2048 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}$TP
#
# NSEC-only zone. A zone using NSEC-only DNSSEC algorithms.
# None of these algorithms are supported for signing in FIPS mode
# as they are MD5 and SHA1 based.
#
if (cd ..; SYSTEMTESTTOP=.. $SHELL ../testcrypto.sh -q RSASHA1)
then
setup nsec-only.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
if (
cd ..
SYSTEMTESTTOP=.. $SHELL ../testcrypto.sh -q RSASHA1
); then
setup nsec-only.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA1 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}$TP
else
echo_i "skip: nsec-only.example - signing with RSASHA1 not supported"
echo_i "skip: nsec-only.example - signing with RSASHA1 not supported"
fi
#
@ -175,52 +176,51 @@ fi
setup oldsigs.example
cp $infile $zonefile
count=1
while [ $count -le 1000 ]
do
echo "label${count} IN TXT label${count}" >> $zonefile
count=$((count + 1))
while [ $count -le 1000 ]; do
echo "label${count} IN TXT label${count}" >>$zonefile
count=$((count + 1))
done
$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out
$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile > s.out || dumpit s.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out
$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile >s.out || dumpit s.out
mv $zonefile.signed $zonefile
#
# NSEC3->NSEC transition test zone.
#
setup nsec3-to-nsec.example
$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out || dumpit s.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >s.out || dumpit s.out
#
# secure-to-insecure transition test zone; used to test removal of
# keys via nsupdate
#
setup secure-to-insecure.example
$KEYGEN -a $DEFAULT_ALGORITHM -q -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -q $zone > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -o $zone -f $zonefile $infile > s.out || dumpit s.out
$KEYGEN -a $DEFAULT_ALGORITHM -q -fk $zone >kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -q $zone >kg.out 2>&1 || dumpit kg.out
$SIGNER -S -o $zone -f $zonefile $infile >s.out || dumpit s.out
#
# another secure-to-insecure transition test zone; used to test
# removal of keys on schedule.
#
setup secure-to-insecure2.example
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
echo $ksk > ../del1.key
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
echo $zsk > ../del2.key
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
echo $ksk >../del1.key
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
echo $zsk >../del2.key
$SIGNER -S -3 beef -o $zone -f $zonefile $infile >s.out || dumpit s.out
#
# Introducing a pre-published key test.
#
setup prepub.example
infile="secure-to-insecure2.example.db.in"
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone >kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
$SIGNER -S -3 beef -o $zone -f $zonefile $infile >s.out || dumpit s.out
#
# Key TTL tests.
@ -228,46 +228,46 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
# no default key TTL; DNSKEY should get SOA TTL
setup ttl1.example
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone >kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
cp $infile $zonefile
# default key TTL should be used
setup ttl2.example
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $zone >kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone >kg.out 2>&1 || dumpit kg.out
cp $infile $zonefile
# mismatched key TTLs, should use shortest
setup ttl3.example
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $zone >kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone >kg.out 2>&1 || dumpit kg.out
cp $infile $zonefile
# existing DNSKEY RRset, should retain TTL
setup ttl4.example
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out
cat ${infile} K${zone}.+*.key > $zonefile
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $zone >kg.out 2>&1 || dumpit kg.out
cat ${infile} K${zone}.+*.key >$zonefile
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone >kg.out 2>&1 || dumpit kg.out
#
# A zone with a DNSKEY RRset that is published before it's activated
#
setup delay.example
ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
echo $ksk > ../delayksk.key
zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
echo $zsk > ../delayzsk.key
ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
echo $ksk >../delayksk.key
zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
echo $zsk >../delayzsk.key
#
# A zone with signatures that are already expired, and the private KSK
# is missing.
#
setup noksk.example
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
echo $ksk > ../noksk-ksk.key
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out
echo $ksk >../noksk-ksk.key
rm -f ${ksk}.private
#
@ -275,11 +275,11 @@ rm -f ${ksk}.private
# is missing.
#
setup nozsk.example
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
echo $ksk > ../nozsk-ksk.key
echo $zsk > ../nozsk-zsk.key
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out
echo $ksk >../nozsk-ksk.key
echo $zsk >../nozsk-zsk.key
rm -f ${zsk}.private
#
@ -287,77 +287,77 @@ rm -f ${zsk}.private
# is inactive.
#
setup inaczsk.example
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
echo $ksk > ../inaczsk-ksk.key
echo $zsk > ../inaczsk-zsk.key
$SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out
echo $ksk >../inaczsk-ksk.key
echo $zsk >../inaczsk-zsk.key
$SETTIME -I now $zsk >st.out 2>&1 || dumpit st.out
#
# A zone that is set to 'auto-dnssec maintain' during a reconfig
#
setup reconf.example
cp secure.example.db.in $zonefile
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone >kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
#
# A zone which generates CDS and CDNSEY RRsets automatically
#
setup sync.example
cp $infile $zonefile
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
echo ns3/$ksk > ../sync.key
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2>kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}$TP
echo ns3/$ksk >../sync.key
#
# A zone that generates CDS and CDNSKEY and uses dnssec-dnskey-kskonly
#
setup kskonly.example
cp $infile $zonefile
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2>kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}$TP
#
# A zone that has a published inactive key that is autosigned.
#
setup inacksk2.example
cp $infile $zonefile
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -Pnow -A now+3600 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -Pnow -A now+3600 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}$TP
#
# A zone that has a published inactive key that is autosigned.
#
setup inaczsk2.example
cp $infile $zonefile
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}$TP
#
# A zone that starts with a active KSK + ZSK and a inactive ZSK.
#
setup inacksk3.example
cp $infile $zonefile
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 -fk $zone > kg.out 2>&1 || dumpit kg.out
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 -fk $zone >kg.out 2>&1 || dumpit kg.out
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}$TP
#
# A zone that starts with a active KSK + ZSK and a inactive ZSK.
#
setup inaczsk3.example
cp $infile $zonefile
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}$TP
#
# A zone that starts with an active KSK + ZSK and an inactive ZSK, with the
@ -365,28 +365,28 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
#
setup delzsk.example
cp $infile $zonefile
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -I now-1w $zone 2>kg.out) || dumpit kg.out
echo $zsk > ../delzsk.key
echo $zsk >../delzsk.key
#
# Check that NSEC3 are correctly signed and returned from below a DNAME
#
setup dname-at-apex-nsec3.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}$TP
#
# Check that dynamically added CDS (DELETE) is kept in the zone after signing.
#
setup cds-delete.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}$TP
#
# Check that dynamically added CDNSKEY (DELETE) is kept in the zone after
@ -394,6 +394,6 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
#
setup cdnskey-delete.example
cp $infile $zonefile
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key >dsset-${zone}$TP

1048
bin/tests/system/autosign/tests.sh
View file

File diff suppressed because it is too large Load diff

177
bin/tests/system/builtin/tests.sh
View file

@ -121,127 +121,166 @@ B.E.F.IP6.ARPA
EMPTY.AS112.ARPA
HOME.ARPA"
n=`expr $n + 1`
n=$(expr $n + 1)
ret=0
count=0
echo_i "Checking expected empty zones were configured ($n)"
for zone in ${emptyzones}
do
grep "automatic empty zone: $zone" ns1/named.run > /dev/null || {
echo_i "failed (empty zone $zone missing)"
ret=1
}
count=`expr $count + 1`
for zone in ${emptyzones}; do
grep "automatic empty zone: $zone" ns1/named.run >/dev/null || {
echo_i "failed (empty zone $zone missing)"
ret=1
}
count=$(expr $count + 1)
done
lines=`grep "automatic empty zone: " ns1/named.run | wc -l`
lines=$(grep "automatic empty zone: " ns1/named.run | wc -l)
test $count -eq $lines -a $count -eq 99 || {
ret=1; echo_i "failed (count mismatch)";
ret=1
echo_i "failed (count mismatch)"
}
if [ $ret != 0 ] ; then status=`expr $status + $ret`; fi
if [ $ret != 0 ]; then status=$(expr $status + $ret); fi
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "Checking that reconfiguring empty zones is silent ($n)"
$RNDCCMD 10.53.0.1 reconfig
ret=0
grep "automatic empty zone" ns1/named.run > /dev/null || ret=1
grep "received control channel command 'reconfig'" ns1/named.run > /dev/null || ret=1
grep "reloading configuration succeeded" ns1/named.run > /dev/null || ret=1
grep "automatic empty zone" ns1/named.run >/dev/null || ret=1
grep "received control channel command 'reconfig'" ns1/named.run >/dev/null || ret=1
grep "reloading configuration succeeded" ns1/named.run >/dev/null || ret=1
sleep 1
grep "zone serial (0) unchanged." ns1/named.run > /dev/null && ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
grep "zone serial (0) unchanged." ns1/named.run >/dev/null && ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$(expr $status + $ret)
fi
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "Checking that reloading empty zones is silent ($n)"
rndc_reload ns1 10.53.0.1
ret=0
grep "automatic empty zone" ns1/named.run > /dev/null || ret=1
grep "received control channel command 'reload'" ns1/named.run > /dev/null || ret=1
grep "reloading configuration succeeded" ns1/named.run > /dev/null || ret=1
grep "automatic empty zone" ns1/named.run >/dev/null || ret=1
grep "received control channel command 'reload'" ns1/named.run >/dev/null || ret=1
grep "reloading configuration succeeded" ns1/named.run >/dev/null || ret=1
sleep 1
grep "zone serial (0) unchanged." ns1/named.run > /dev/null && ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
grep "zone serial (0) unchanged." ns1/named.run >/dev/null && ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$(expr $status + $ret)
fi
HOST_NAME=`$FEATURETEST --gethostname`
HOST_NAME=$($FEATURETEST --gethostname)
BIND_VERSION_STRING=$($NAMED -V | head -1)
BIND_VERSION=$($NAMED -V | sed -ne 's/^BIND \([^ ]*\).*/\1/p')
n=`expr $n + 1`
n=$(expr $n + 1)
ret=0
echo_i "Checking that default version works for rndc ($n)"
$RNDCCMD 10.53.0.1 status > rndc.status.ns1.$n 2>&1
grep -F "version: $BIND_VERSION_STRING" rndc.status.ns1.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
$RNDCCMD 10.53.0.1 status >rndc.status.ns1.$n 2>&1
grep -F "version: $BIND_VERSION_STRING" rndc.status.ns1.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$(expr $status + $ret)
fi
n=`expr $n + 1`
n=$(expr $n + 1)
ret=0
echo_i "Checking that custom version works for rndc ($n)"
$RNDCCMD 10.53.0.3 status > rndc.status.ns3.$n 2>&1
grep -F "version: $BIND_VERSION_STRING (this is a test of version)" rndc.status.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
$RNDCCMD 10.53.0.3 status >rndc.status.ns3.$n 2>&1
grep -F "version: $BIND_VERSION_STRING (this is a test of version)" rndc.status.ns3.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$(expr $status + $ret)
fi
n=`expr $n + 1`
n=$(expr $n + 1)
ret=0
echo_i "Checking that default version works for query ($n)"
$DIG $DIGOPTS +short version.bind txt ch @10.53.0.1 > dig.out.ns1.$n
grep "^\"$BIND_VERSION\"$" dig.out.ns1.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
$DIG $DIGOPTS +short version.bind txt ch @10.53.0.1 >dig.out.ns1.$n
grep "^\"$BIND_VERSION\"$" dig.out.ns1.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$(expr $status + $ret)
fi
n=`expr $n + 1`
n=$(expr $n + 1)
ret=0
echo_i "Checking that custom version works for query ($n)"
$DIG $DIGOPTS +short version.bind txt ch @10.53.0.3 > dig.out.ns3.$n
grep "^\"this is a test of version\"$" dig.out.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
$DIG $DIGOPTS +short version.bind txt ch @10.53.0.3 >dig.out.ns3.$n
grep "^\"this is a test of version\"$" dig.out.ns3.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$(expr $status + $ret)
fi
n=`expr $n + 1`
n=$(expr $n + 1)
ret=0
echo_i "Checking that default hostname works for query ($n)"
$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.1 > dig.out.ns1.$n
grep "^\"$HOST_NAME\"$" dig.out.ns1.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.1 >dig.out.ns1.$n
grep "^\"$HOST_NAME\"$" dig.out.ns1.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$(expr $status + $ret)
fi
n=`expr $n + 1`
n=$(expr $n + 1)
ret=0
echo_i "Checking that custom hostname works for query ($n)"
$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.3 > dig.out.ns3.$n
grep "^\"this.is.a.test.of.hostname\"$" dig.out.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.3 >dig.out.ns3.$n
grep "^\"this.is.a.test.of.hostname\"$" dig.out.ns3.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$(expr $status + $ret)
fi
n=`expr $n + 1`
n=$(expr $n + 1)
ret=0
echo_i "Checking that default server-id is none for query ($n)"
$DIG $DIGOPTS id.server txt ch @10.53.0.1 > dig.out.ns1.$n
grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns1.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
$DIG $DIGOPTS id.server txt ch @10.53.0.1 >dig.out.ns1.$n
grep "status: NOERROR" dig.out.ns1.$n >/dev/null || ret=1
grep "ANSWER: 0" dig.out.ns1.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$(expr $status + $ret)
fi
n=`expr $n + 1`
n=$(expr $n + 1)
ret=0
echo_i "Checking that server-id hostname works for query ($n)"
$DIG $DIGOPTS +short id.server txt ch @10.53.0.2 > dig.out.ns2.$n
grep "^\"$HOST_NAME\"$" dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
$DIG $DIGOPTS +short id.server txt ch @10.53.0.2 >dig.out.ns2.$n
grep "^\"$HOST_NAME\"$" dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$(expr $status + $ret)
fi
n=`expr $n + 1`
n=$(expr $n + 1)
ret=0
echo_i "Checking that server-id hostname works for EDNS name server ID request ($n)"
$DIG $DIGOPTS +norec +nsid foo @10.53.0.2 > dig.out.ns2.$n
grep "^; NSID: .* (\"$HOST_NAME\")$" dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
$DIG $DIGOPTS +norec +nsid foo @10.53.0.2 >dig.out.ns2.$n
grep "^; NSID: .* (\"$HOST_NAME\")$" dig.out.ns2.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$(expr $status + $ret)
fi
n=`expr $n + 1`
n=$(expr $n + 1)
ret=0
echo_i "Checking that custom server-id works for query ($n)"
$DIG $DIGOPTS +short id.server txt ch @10.53.0.3 > dig.out.ns3.$n
grep "^\"this.is.a.test.of.server-id\"$" dig.out.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
$DIG $DIGOPTS +short id.server txt ch @10.53.0.3 >dig.out.ns3.$n
grep "^\"this.is.a.test.of.server-id\"$" dig.out.ns3.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$(expr $status + $ret)
fi
n=`expr $n + 1`
n=$(expr $n + 1)
ret=0
echo_i "Checking that custom server-id works for EDNS name server ID request ($n)"
$DIG $DIGOPTS +norec +nsid foo @10.53.0.3 > dig.out.ns3.$n
grep "^; NSID: .* (\"this.is.a.test.of.server-id\")$" dig.out.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
$DIG $DIGOPTS +norec +nsid foo @10.53.0.3 >dig.out.ns3.$n
grep "^; NSID: .* (\"this.is.a.test.of.server-id\")$" dig.out.ns3.$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$(expr $status + $ret)
fi
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

178
bin/tests/system/cacheclean/tests.sh
View file

@ -22,12 +22,12 @@ DIGOPTS="+nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm \
+nostat @10.53.0.2 -p ${PORT}"
# fill the cache with nodes from flushtest.example zone
load_cache () {
# empty all existing cache data
$RNDC $RNDCOPTS flush
load_cache() {
# empty all existing cache data
$RNDC $RNDCOPTS flush
# load the positive cache entries
$DIG $DIGOPTS -f - << EOF > /dev/null 2>&1
# load the positive cache entries
$DIG $DIGOPTS -f - <<EOF >/dev/null 2>&1
txt top1.flushtest.example
txt second1.top1.flushtest.example
txt third1.second1.top1.flushtest.example
@ -46,42 +46,42 @@ txt third2.second2.top3.flushtest.example
txt second3.top3.flushtest.example
EOF
# load the negative cache entries
# nxrrset:
$DIG $DIGOPTS a third1.second1.top1.flushtest.example > /dev/null
# nxdomain:
$DIG $DIGOPTS txt top4.flushtest.example > /dev/null
# empty nonterminal:
$DIG $DIGOPTS txt second2.top3.flushtest.example > /dev/null
# load the negative cache entries
# nxrrset:
$DIG $DIGOPTS a third1.second1.top1.flushtest.example >/dev/null
# nxdomain:
$DIG $DIGOPTS txt top4.flushtest.example >/dev/null
# empty nonterminal:
$DIG $DIGOPTS txt second2.top3.flushtest.example >/dev/null
# sleep 2 seconds ensure the TTLs will be lower on cached data
sleep 2
# sleep 2 seconds ensure the TTLs will be lower on cached data
sleep 2
}
dump_cache () {
rndc_dumpdb ns2 -cache _default
dump_cache() {
rndc_dumpdb ns2 -cache _default
}
clear_cache () {
$RNDC $RNDCOPTS flush
clear_cache() {
$RNDC $RNDCOPTS flush
}
in_cache () {
ttl=`$DIG $DIGOPTS "$@" | awk '{print $2}'`
[ -z "$ttl" ] && {
ttl=`$DIG $DIGOPTS +noanswer +auth "$@" | awk '{print $2}'`
[ "$ttl" -ge 3599 ] && return 1
return 0
}
[ "$ttl" -ge 3599 ] && return 1
return 0
in_cache() {
ttl=$($DIG $DIGOPTS "$@" | awk '{print $2}')
[ -z "$ttl" ] && {
ttl=$($DIG $DIGOPTS +noanswer +auth "$@" | awk '{print $2}')
[ "$ttl" -ge 3599 ] && return 1
return 0
}
[ "$ttl" -ge 3599 ] && return 1
return 0
}
# Extract records at and below name "$1" from the cache dump in file "$2".
filter_tree () {
tree="$1"
file="$2"
perl -n -e '
filter_tree() {
tree="$1"
file="$2"
perl -n -e '
next if /^;/;
if (/'"$tree"'/ || (/^\t/ && $print)) {
$print = 1;
@ -92,39 +92,45 @@ filter_tree () {
' "$file"
}
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check correctness of routine cache cleaning ($n)"
$DIG $DIGOPTS +tcp +keepopen -b 10.53.0.7 -f dig.batch > dig.out.ns2 || status=1
$DIG $DIGOPTS +tcp +keepopen -b 10.53.0.7 -f dig.batch >dig.out.ns2 || status=1
digcomp --lc dig.out.ns2 knowngood.dig.out || status=1
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "only one tcp socket was used ($n)"
tcpclients=`awk '$3 == "client" && $5 ~ /10.53.0.7#[0-9]*:/ {print $5}' ns2/named.run | sort | uniq -c | wc -l`
tcpclients=$(awk '$3 == "client" && $5 ~ /10.53.0.7#[0-9]*:/ {print $5}' ns2/named.run | sort | uniq -c | wc -l)
test $tcpclients -eq 1 || { status=1; echo_i "failed"; }
test $tcpclients -eq 1 || {
status=1
echo_i "failed"
}
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "reset and check that records are correctly cached initially ($n)"
ret=0
load_cache
dump_cache
nrecords=`filter_tree flushtest.example ns2/named_dump.db.test$n | grep -E '(TXT|ANY)' | wc -l`
[ $nrecords -eq 18 ] || { ret=1; echo_i "found $nrecords records expected 18"; }
nrecords=$(filter_tree flushtest.example ns2/named_dump.db.test$n | grep -E '(TXT|ANY)' | wc -l)
[ $nrecords -eq 18 ] || {
ret=1
echo_i "found $nrecords records expected 18"
}
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check flushing of the full cache ($n)"
ret=0
clear_cache
dump_cache
nrecords=`filter_tree flushtest.example ns2/named_dump.db.test$n | wc -l`
nrecords=$(filter_tree flushtest.example ns2/named_dump.db.test$n | wc -l)
[ $nrecords -eq 0 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check flushing of individual nodes (interior node) ($n)"
ret=0
clear_cache
@ -134,9 +140,9 @@ in_cache txt top1.flushtest.example || ret=1
$RNDC $RNDCOPTS flushname top1.flushtest.example
in_cache txt top1.flushtest.example && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check flushing of individual nodes (leaf node, under the interior node) ($n)"
ret=0
# leaf node, under the interior node (should still exist)
@ -144,9 +150,9 @@ in_cache txt third2.second1.top1.flushtest.example || ret=1
$RNDC $RNDCOPTS flushname third2.second1.top1.flushtest.example
in_cache txt third2.second1.top1.flushtest.example && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check flushing of individual nodes (another leaf node, with both positive and negative cache entries) ($n)"
ret=0
# another leaf node, with both positive and negative cache entries
@ -156,16 +162,16 @@ $RNDC $RNDCOPTS flushname third1.second1.top1.flushtest.example
in_cache a third1.second1.top1.flushtest.example && ret=1
in_cache txt third1.second1.top1.flushtest.example && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check flushing a nonexistent name ($n)"
ret=0
$RNDC $RNDCOPTS flushname fake.flushtest.example || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check flushing of namespaces ($n)"
ret=0
clear_cache
@ -190,79 +196,85 @@ in_cache txt second1.top2.flushtest.example && ret=1
in_cache txt second2.top2.flushtest.example && ret=1
in_cache txt second3.top2.flushtest.example && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check flushing a nonexistent namespace ($n)"
ret=0
$RNDC $RNDCOPTS flushtree fake.flushtest.example || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check the number of cached records remaining ($n)"
ret=0
dump_cache
nrecords=`filter_tree flushtest.example ns2/named_dump.db.test$n | grep -v '^;' | grep -E '(TXT|ANY)' | wc -l`
[ $nrecords -eq 17 ] || { ret=1; echo_i "found $nrecords records expected 17"; }
nrecords=$(filter_tree flushtest.example ns2/named_dump.db.test$n | grep -v '^;' | grep -E '(TXT|ANY)' | wc -l)
[ $nrecords -eq 17 ] || {
ret=1
echo_i "found $nrecords records expected 17"
}
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check the check that flushname of a partial match works ($n)"
ret=0
in_cache txt second2.top1.flushtest.example || ret=1
$RNDC $RNDCOPTS flushtree example
in_cache txt second2.top1.flushtest.example && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check the number of cached records remaining ($n)"
ret=0
dump_cache
nrecords=`filter_tree flushtest.example ns2/named_dump.db.test$n | grep -E '(TXT|ANY)' | wc -l`
[ $nrecords -eq 1 ] || { ret=1; echo_i "found $nrecords records expected 1"; }
nrecords=$(filter_tree flushtest.example ns2/named_dump.db.test$n | grep -E '(TXT|ANY)' | wc -l)
[ $nrecords -eq 1 ] || {
ret=1
echo_i "found $nrecords records expected 1"
}
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check flushtree clears adb correctly ($n)"
ret=0
load_cache
dump_cache
mv ns2/named_dump.db.test$n ns2/named_dump.db.test$n.a
sed -n '/plain success\/timeout/,/Unassociated entries/p' \
ns2/named_dump.db.test$n.a > sed.out.$n.a
grep 'plain success/timeout' sed.out.$n.a > /dev/null 2>&1 || ret=1
grep 'Unassociated entries' sed.out.$n.a > /dev/null 2>&1 || ret=1
grep 'ns.flushtest.example' sed.out.$n.a > /dev/null 2>&1 || ret=1
ns2/named_dump.db.test$n.a >sed.out.$n.a
grep 'plain success/timeout' sed.out.$n.a >/dev/null 2>&1 || ret=1
grep 'Unassociated entries' sed.out.$n.a >/dev/null 2>&1 || ret=1
grep 'ns.flushtest.example' sed.out.$n.a >/dev/null 2>&1 || ret=1
$RNDC $RNDCOPTS flushtree flushtest.example || ret=1
dump_cache
mv ns2/named_dump.db.test$n ns2/named_dump.db.test$n.b
sed -n '/plain success\/timeout/,/Unassociated entries/p' \
ns2/named_dump.db.test$n.b > sed.out.$n.b
grep 'plain success/timeout' sed.out.$n.b > /dev/null 2>&1 || ret=1
grep 'Unassociated entries' sed.out.$n.b > /dev/null 2>&1 || ret=1
grep 'ns.flushtest.example' sed.out.$n.b > /dev/null 2>&1 && ret=1
ns2/named_dump.db.test$n.b >sed.out.$n.b
grep 'plain success/timeout' sed.out.$n.b >/dev/null 2>&1 || ret=1
grep 'Unassociated entries' sed.out.$n.b >/dev/null 2>&1 || ret=1
grep 'ns.flushtest.example' sed.out.$n.b >/dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check expire option returned from primary zone ($n)"
ret=0
$DIG @10.53.0.1 -p ${PORT} +expire soa expire-test > dig.out.expire
grep EXPIRE: dig.out.expire > /dev/null || ret=1
$DIG @10.53.0.1 -p ${PORT} +expire soa expire-test >dig.out.expire
grep EXPIRE: dig.out.expire >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check expire option returned from secondary zone ($n)"
ret=0
$DIG @10.53.0.2 -p ${PORT} +expire soa expire-test > dig.out.expire
grep EXPIRE: dig.out.expire > /dev/null || ret=1
$DIG @10.53.0.2 -p ${PORT} +expire soa expire-test >dig.out.expire
grep EXPIRE: dig.out.expire >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

100
bin/tests/system/case/tests.sh
View file

@ -17,134 +17,132 @@ SYSTEMTESTTOP=..
DIGOPTS="+tcp +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
wait_for_serial() (
$DIG $DIGOPTS "@$1" "$2" SOA > "$4"
serial=$(awk '$4 == "SOA" { print $7 }' "$4")
[ "$3" -eq "${serial:--1}" ]
$DIG $DIGOPTS "@$1" "$2" SOA >"$4"
serial=$(awk '$4 == "SOA" { print $7 }' "$4")
[ "$3" -eq "${serial:--1}" ]
)
status=0
n=0
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "waiting for zone transfer to complete ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9
do
$DIG $DIGOPTS soa example. @10.53.0.2 > dig.ns2.test$n
grep SOA dig.ns2.test$n > /dev/null && break
sleep 1
for i in 1 2 3 4 5 6 7 8 9; do
$DIG $DIGOPTS soa example. @10.53.0.2 >dig.ns2.test$n
grep SOA dig.ns2.test$n >/dev/null && break
sleep 1
done
for i in 1 2 3 4 5 6 7 8 9
do
$DIG $DIGOPTS soa dynamic. @10.53.0.2 > dig.ns2.test$n
grep SOA dig.ns2.test$n > /dev/null && break
sleep 1
for i in 1 2 3 4 5 6 7 8 9; do
$DIG $DIGOPTS soa dynamic. @10.53.0.2 >dig.ns2.test$n
grep SOA dig.ns2.test$n >/dev/null && break
sleep 1
done
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "testing case preserving responses - no acl ($n)"
ret=0
$DIG $DIGOPTS mx example. @10.53.0.1 > dig.ns1.test$n
grep "0.mail.eXaMpLe" dig.ns1.test$n > /dev/null || ret=1
grep "mAiL.example" dig.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS mx example. @10.53.0.1 >dig.ns1.test$n
grep "0.mail.eXaMpLe" dig.ns1.test$n >/dev/null || ret=1
grep "mAiL.example" dig.ns1.test$n >/dev/null || ret=1
test $ret -eq 0 || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "testing no-case-compress acl '{ 10.53.0.2; }' ($n)"
ret=0
# check that we preserve zone case for non-matching query (10.53.0.1)
$DIG $DIGOPTS mx example. -b 10.53.0.1 @10.53.0.1 > dig.ns1.test$n
grep "0.mail.eXaMpLe" dig.ns1.test$n > /dev/null || ret=1
grep "mAiL.example" dig.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS mx example. -b 10.53.0.1 @10.53.0.1 >dig.ns1.test$n
grep "0.mail.eXaMpLe" dig.ns1.test$n >/dev/null || ret=1
grep "mAiL.example" dig.ns1.test$n >/dev/null || ret=1
# check that we don't preserve zone case for match (10.53.0.2)
$DIG $DIGOPTS mx example. -b 10.53.0.2 @10.53.0.2 > dig.ns2.test$n
grep "0.mail.example" dig.ns2.test$n > /dev/null || ret=1
grep "mail.example" dig.ns2.test$n > /dev/null || ret=1
$DIG $DIGOPTS mx example. -b 10.53.0.2 @10.53.0.2 >dig.ns2.test$n
grep "0.mail.example" dig.ns2.test$n >/dev/null || ret=1
grep "mail.example" dig.ns2.test$n >/dev/null || ret=1
test $ret -eq 0 || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "testing load of dynamic zone with various \$ORIGIN values ($n)"
ret=0
$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n
$DIG $DIGOPTS axfr dynamic @10.53.0.1 >dig.ns1.test$n
digcomp dig.ns1.test$n dynamic.good || ret=1
test $ret -eq 0 || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "transfer of dynamic zone with various \$ORIGIN values ($n)"
ret=0
$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n
$DIG $DIGOPTS axfr dynamic @10.53.0.2 >dig.ns2.test$n
digcomp dig.ns2.test$n dynamic.good || ret=1
test $ret -eq 0 || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "change SOA owner case via update ($n)"
$NSUPDATE << EOF
$NSUPDATE <<EOF
server 10.53.0.1 ${PORT}
zone dynamic
update add dYNAMIc 0 SOA mname1. . 2000042408 20 20 1814400 3600
send
EOF
$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n
$DIG $DIGOPTS axfr dynamic @10.53.0.1 >dig.ns1.test$n
digcomp dig.ns1.test$n postupdate.good || ret=1
test $ret -eq 0 || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
ret=0
echo_i "wait for zone to transfer ($n)"
retry_quiet 20 wait_for_serial 10.53.0.2 dynamic 2000042408 dig.ns2.test$n || ret=1
test $ret -eq 0 || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check SOA owner case is transferred to secondary ($n)"
ret=0
$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n
$DIG $DIGOPTS axfr dynamic @10.53.0.2 >dig.ns2.test$n
digcomp dig.ns2.test$n postupdate.good || ret=1
test $ret -eq 0 || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
#update delete Ns1.DyNaMIC. 300 IN A 10.53.0.1
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "change A record owner case via update ($n)"
$NSUPDATE << EOF
$NSUPDATE <<EOF
server 10.53.0.1 ${PORT}
zone dynamic
update add Ns1.DyNaMIC. 300 IN A 10.53.0.1
send
EOF
$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n
$DIG $DIGOPTS axfr dynamic @10.53.0.1 >dig.ns1.test$n
digcomp dig.ns1.test$n postns1.good || ret=1
test $ret -eq 0 || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
ret=0
echo_i "wait for zone to transfer ($n)"
retry_quiet 20 wait_for_serial 10.53.0.2 dynamic 2000042409 dig.ns2.test$n || ret=1
test $ret -eq 0 || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check A owner case is transferred to secondary ($n)"
ret=0
$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n
$DIG $DIGOPTS axfr dynamic @10.53.0.2 >dig.ns2.test$n
digcomp dig.ns2.test$n postns1.good || ret=1
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

1327
bin/tests/system/catz/tests.sh
View file

File diff suppressed because it is too large Load diff

44
bin/tests/system/cds/setup.sh
View file

@ -40,20 +40,20 @@ id2=$id2
EOF
tac() {
$PERL -e 'print reverse <>'
$PERL -e 'print reverse <>'
}
convert() {
key=$1
n=$2
$DSFROMKEY -12 $key >DS.$n
grep " ${DEFAULT_ALGORITHM_NUMBER} 1 " DS.$n >DS.$n-1
grep " ${DEFAULT_ALGORITHM_NUMBER} 2 " DS.$n >DS.$n-2
sed 's/ IN DS / IN CDS /' <DS.$n >>CDS.$n
sed 's/ IN DNSKEY / IN CDNSKEY /' <$key.key >CDNSKEY.$n
sed 's/ IN DS / 3600 IN DS /' <DS.$n >DS.ttl$n
sed 's/ IN DS / 7200 IN DS /' <DS.$n >DS.ttlong$n
tac <DS.$n >DS.rev$n
key=$1
n=$2
$DSFROMKEY -12 $key >DS.$n
grep " ${DEFAULT_ALGORITHM_NUMBER} 1 " DS.$n >DS.$n-1
grep " ${DEFAULT_ALGORITHM_NUMBER} 2 " DS.$n >DS.$n-2
sed 's/ IN DS / IN CDS /' <DS.$n >>CDS.$n
sed 's/ IN DNSKEY / IN CDNSKEY /' <$key.key >CDNSKEY.$n
sed 's/ IN DS / 3600 IN DS /' <DS.$n >DS.ttl$n
sed 's/ IN DS / 7200 IN DS /' <DS.$n >DS.ttlong$n
tac <DS.$n >DS.rev$n
}
convert $key1 1
convert $key2 2
@ -85,9 +85,9 @@ cat UP.add2 UP.del1 | sed 3d >UP.swap
sed 's/ add \(.*\) IN DS / add \1 3600 IN DS /' <UP.swap >UP.swapttl
sign() {
cat >db.$1
$SIGNER >/dev/null \
-S -O full -o $Z -f sig.$1 db.$1
cat >db.$1
$SIGNER >/dev/null \
-S -O full -o $Z -f sig.$1 db.$1
}
sign null <<EOF
@ -116,18 +116,18 @@ cat db.null CDNSKEY.2 | sign cdnskey.2
cat db.null CDS.2 CDNSKEY.2 | sign cds.cdnskey.2
$mangle '\s+IN\s+RRSIG\s+CDS .* '$idz' '$Z'\. ' \
<sig.cds.1 >brk.rrsig.cds.zsk
<sig.cds.1 >brk.rrsig.cds.zsk
$mangle '\s+IN\s+RRSIG\s+CDS .* '$id1' '$Z'\. ' \
<sig.cds.1 >brk.rrsig.cds.ksk
<sig.cds.1 >brk.rrsig.cds.ksk
$mangle " IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 " <db.cds.1 |
sign cds-mangled
$mangle " IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 " <db.cds.1 \
| sign cds-mangled
bad=$($PERL -le "print ($id1 ^ 255);")
sed "s/IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 /IN CDS $bad ${DEFAULT_ALGORITHM_NUMBER} 1 /" <db.cds.1 |
sign bad-digests
sed "s/IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 /IN CDS $bad ${DEFAULT_ALGORITHM_NUMBER} 1 /" <db.cds.1 \
| sign bad-digests
sed "/IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} /p;s//IN CDS $bad $ALTERNATIVE_ALGORITHM_NUMBER /" <db.cds.1 |
sign bad-algos
sed "/IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} /p;s//IN CDS $bad $ALTERNATIVE_ALGORITHM_NUMBER /" <db.cds.1 \
| sign bad-algos
rm -f dsset-*

65
bin/tests/system/cds/tests.sh
View file

@ -17,50 +17,51 @@ SYSTEMTESTTOP=..
status=0
n=0
fail() {
echo_i "failed"
status=$((status + 1))
echo_i "failed"
status=$((status + 1))
}
runcmd() {
"$@" 1> out.$n 2> err.$n
echo $?
"$@" 1>out.$n 2>err.$n
echo $?
}
testcase() {
n=$((n + 1))
echo_i "$name ($n)"
expect=$1
shift
result=$(runcmd "$@")
check_stdout
check_stderr
if [ "$expect" -ne "$result" ]; then
echo_d "exit status does not match $expect"
fail
fi
unset name err out
n=$((n + 1))
echo_i "$name ($n)"
expect=$1
shift
result=$(runcmd "$@")
check_stdout
check_stderr
if [ "$expect" -ne "$result" ]; then
echo_d "exit status does not match $expect"
fail
fi
unset name err out
}
check_stderr() {
if [ -n "${err:=}" ]; then
grep -E "$err" err.$n >/dev/null && return 0
echo_d "stderr did not match '$err'"
else
[ -s err.$n ] || return 0
fi
cat err.$n | cat_d
fail
if [ -n "${err:=}" ]; then
grep -E "$err" err.$n >/dev/null && return 0
echo_d "stderr did not match '$err'"
else
[ -s err.$n ] || return 0
fi
cat err.$n | cat_d
fail
}
check_stdout() {
$DIFF out.$n "${out:-empty}" >/dev/null && return
echo_d "stdout did not match '$out'"
( echo "wanted"
cat "$out"
echo "got"
cat out.$n
) | cat_d
fail
$DIFF out.$n "${out:-empty}" >/dev/null && return
echo_d "stdout did not match '$out'"
(
echo "wanted"
cat "$out"
echo "got"
cat out.$n
) | cat_d
fail
}
Z=cds.test

10
bin/tests/system/chain/ns2/sign.sh
View file

@ -20,7 +20,7 @@ signedfile=example.db.signed
ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null
$SIGNER -S -o $zone -f $signedfile $zonefile >/dev/null
zone=wildcard-secure.example.
zonefile=wildcard-secure.db
@ -28,7 +28,7 @@ signedfile=wildcard-secure.example.db.signed
ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null
$SIGNER -S -o $zone -f $signedfile $zonefile >/dev/null
zone=wildcard-nsec.example.
zonefile=wildcard.db
@ -36,7 +36,7 @@ signedfile=wildcard-nsec.example.db.signed
ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null
$SIGNER -S -o $zone -f $signedfile $zonefile >/dev/null
zone=wildcard-nsec3.example.
zonefile=wildcard.db
@ -44,7 +44,7 @@ signedfile=wildcard-nsec3.example.db.signed
ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
$SIGNER -S -3 - -H 0 -o $zone -f $signedfile $zonefile > /dev/null
$SIGNER -S -3 - -H 0 -o $zone -f $signedfile $zonefile >/dev/null
zone=wildcard-nsec3-optout.example.
zonefile=wildcard.db
@ -52,4 +52,4 @@ signedfile=wildcard-nsec3-optout.example.db.signed
ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
$SIGNER -S -3 - -H 0 -A -o $zone -f $signedfile $zonefile > /dev/null
$SIGNER -S -3 - -H 0 -A -o $zone -f $signedfile $zonefile >/dev/null

51
bin/tests/system/chain/prereq.sh
View file

@ -14,37 +14,32 @@
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
if test -n "$PYTHON"
then
if $PYTHON -c "import dns" 2> /dev/null
then
:
else
echo_i "This test requires the dnspython module." >&2
exit 1
fi
else
echo_i "This test requires Python and the dnspython module." >&2
if test -n "$PYTHON"; then
if $PYTHON -c "import dns" 2>/dev/null; then
:
else
echo_i "This test requires the dnspython module." >&2
exit 1
fi
else
echo_i "This test requires Python and the dnspython module." >&2
exit 1
fi
if $PERL -e 'use Net::DNS;' 2>/dev/null
then
if $PERL -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.69 && $Net::DNS::VERSION <= 0.74);' 2>/dev/null
then
:
else
echo_i "Net::DNS versions 0.69 to 0.74 have bugs that cause this test to fail: please update." >&2
exit 1
fi
else
echo_i "This test requires the perl Net::DNS library." >&2
if $PERL -e 'use Net::DNS;' 2>/dev/null; then
if $PERL -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.69 && $Net::DNS::VERSION <= 0.74);' 2>/dev/null; then
:
else
echo_i "Net::DNS versions 0.69 to 0.74 have bugs that cause this test to fail: please update." >&2
exit 1
fi
if $PERL -e 'use Net::DNS::Nameserver;' 2>/dev/null
then
:
fi
else
echo_i "This test requires the Net::DNS::Nameserver library." >&2
exit 1
echo_i "This test requires the perl Net::DNS library." >&2
exit 1
fi
if $PERL -e 'use Net::DNS::Nameserver;' 2>/dev/null; then
:
else
echo_i "This test requires the Net::DNS::Nameserver library." >&2
exit 1
fi

396
bin/tests/system/chain/tests.sh
View file

@ -20,126 +20,126 @@ SEND="$PERL $SYSTEMTESTTOP/send.pl 10.53.0.4 ${EXTRAPORT1}"
status=0
n=0
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking short DNAME from authoritative ($n)"
ret=0
$DIG $DIGOPTS a.short-dname.example @10.53.0.2 a > dig.out.ns2.short || ret=1
grep "status: NOERROR" dig.out.ns2.short > /dev/null || ret=1
$DIG $DIGOPTS a.short-dname.example @10.53.0.2 a >dig.out.ns2.short || ret=1
grep "status: NOERROR" dig.out.ns2.short >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking short DNAME from recursive ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS a.short-dname.example @10.53.0.7 a > dig.out.ns4.short || ret=1
grep "status: NOERROR" dig.out.ns4.short > /dev/null || ret=1
$DIG $DIGOPTS a.short-dname.example @10.53.0.7 a >dig.out.ns4.short || ret=1
grep "status: NOERROR" dig.out.ns4.short >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking long DNAME from authoritative ($n)"
ret=0
$DIG $DIGOPTS a.long-dname.example @10.53.0.2 a > dig.out.ns2.long || ret=1
grep "status: NOERROR" dig.out.ns2.long > /dev/null || ret=1
$DIG $DIGOPTS a.long-dname.example @10.53.0.2 a >dig.out.ns2.long || ret=1
grep "status: NOERROR" dig.out.ns2.long >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking long DNAME from recursive ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS a.long-dname.example @10.53.0.7 a > dig.out.ns4.long || ret=1
grep "status: NOERROR" dig.out.ns4.long > /dev/null || ret=1
$DIG $DIGOPTS a.long-dname.example @10.53.0.7 a >dig.out.ns4.long || ret=1
grep "status: NOERROR" dig.out.ns4.long >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking (too) long DNAME from authoritative ($n)"
ret=0
$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.2 a > dig.out.ns2.toolong || ret=1
grep "status: YXDOMAIN" dig.out.ns2.toolong > /dev/null || ret=1
$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.2 a >dig.out.ns2.toolong || ret=1
grep "status: YXDOMAIN" dig.out.ns2.toolong >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking (too) long DNAME from recursive with cached DNAME ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.7 a > dig.out.ns4.cachedtoolong || ret=1
grep "status: YXDOMAIN" dig.out.ns4.cachedtoolong > /dev/null || ret=1
grep '^long-dname\.example\..*DNAME.*long' dig.out.ns4.cachedtoolong > /dev/null || ret=1
$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.7 a >dig.out.ns4.cachedtoolong || ret=1
grep "status: YXDOMAIN" dig.out.ns4.cachedtoolong >/dev/null || ret=1
grep '^long-dname\.example\..*DNAME.*long' dig.out.ns4.cachedtoolong >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking (too) long DNAME from recursive without cached DNAME ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglong.toolong-dname.example @10.53.0.7 a > dig.out.ns4.uncachedtoolong || ret=1
grep "status: YXDOMAIN" dig.out.ns4.uncachedtoolong > /dev/null || ret=1
grep '^toolong-dname\.example\..*DNAME.*long' dig.out.ns4.uncachedtoolong > /dev/null || ret=1
$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglong.toolong-dname.example @10.53.0.7 a >dig.out.ns4.uncachedtoolong || ret=1
grep "status: YXDOMAIN" dig.out.ns4.uncachedtoolong >/dev/null || ret=1
grep '^toolong-dname\.example\..*DNAME.*long' dig.out.ns4.uncachedtoolong >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
find_records() {
owner_name="$1"
rr_type="$2"
file="$3"
awk '$1 == "'"$owner_name"'" && $4 == "'"$rr_type"'" { print }' < "$file"
owner_name="$1"
rr_type="$2"
file="$3"
awk '$1 == "'"$owner_name"'" && $4 == "'"$rr_type"'" { print }' <"$file"
}
count_records() {
owner_name="$1"
rr_type="$2"
file="$3"
find_records "$owner_name" "$rr_type" "$file" | wc -l
owner_name="$1"
rr_type="$2"
file="$3"
find_records "$owner_name" "$rr_type" "$file" | wc -l
}
exactly_one_record_exists_for() {
owner_name="$1"
rr_type="$2"
file="$3"
test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 1
owner_name="$1"
rr_type="$2"
file="$3"
test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 1
}
no_records_exist_for() {
owner_name="$1"
rr_type="$2"
file="$3"
test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 0
owner_name="$1"
rr_type="$2"
file="$3"
test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 0
}
ensure_no_ds_in_bitmap() {
owner_name="$1"
rr_type="$2"
file="$3"
case "$rr_type" in
NSEC) start_index=6 ;;
NSEC3) start_index=10 ;;
*) exit 1 ;;
esac
find_records "$owner_name" "$rr_type" "$file" | awk '{ for (i='"$start_index"'; i<=NF; i++) if ($i == "DS") exit 1 }'
owner_name="$1"
rr_type="$2"
file="$3"
case "$rr_type" in
NSEC) start_index=6 ;;
NSEC3) start_index=10 ;;
*) exit 1 ;;
esac
find_records "$owner_name" "$rr_type" "$file" | awk '{ for (i='"$start_index"'; i<=NF; i++) if ($i == "DS") exit 1 }'
}
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking secure delegation prepared using CNAME chaining ($n)"
ret=0
# QNAME exists, so the AUTHORITY section should only contain an NS RRset and a
# DS RRset.
$DIG $DIGOPTS @10.53.0.2 cname.wildcard-secure.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 cname.wildcard-secure.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains the expected NS and DS RRsets.
exactly_one_record_exists_for "delegation.wildcard-secure.example." NS dig.out.2.$n || ret=1
exactly_one_record_exists_for "delegation.wildcard-secure.example." DS dig.out.2.$n || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking secure delegation prepared using wildcard expansion + CNAME chaining ($n)"
ret=0
# QNAME does not exist, so the AUTHORITY section should contain an NS RRset, an
# NSEC record proving nonexistence of QNAME, and a DS RRset at the zone cut.
$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-secure.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-secure.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains the expected NS and DS RRsets.
exactly_one_record_exists_for "delegation.wildcard-secure.example." NS dig.out.2.$n || ret=1
exactly_one_record_exists_for "delegation.wildcard-secure.example." DS dig.out.2.$n || ret=1
@ -149,14 +149,14 @@ exactly_one_record_exists_for "*.wildcard-secure.example." NSEC dig.out.2.$n ||
no_records_exist_for "cname.wildcard-secure.example." NSEC dig.out.2.$n || ret=1
no_records_exist_for "delegation.wildcard-secure.example." NSEC dig.out.2.$n || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking insecure delegation prepared using CNAME chaining, NSEC ($n)"
ret=0
# QNAME exists, so the AUTHORITY section should only contain an NS RRset and a
# single NSEC record proving nonexistence of a DS RRset at the zone cut.
$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1
@ -170,15 +170,15 @@ exactly_one_record_exists_for "delegation.wildcard-nsec.example." NSEC dig.out.2
# type bit map.
ensure_no_ds_in_bitmap "delegation.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC, QNAME #1 ($n)"
ret=0
# QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
# NSEC records proving nonexistence of both QNAME and a DS RRset at the zone
# cut. In this test case, these two NSEC records are different.
$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1
@ -192,16 +192,16 @@ exactly_one_record_exists_for "delegation.wildcard-nsec.example." NSEC dig.out.2
# type bit map.
ensure_no_ds_in_bitmap "delegation.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC, QNAME #2 ($n)"
ret=0
# QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
# NSEC records proving nonexistence of both QNAME and a DS RRset at the zone
# cut. In this test case, the same NSEC record proves nonexistence of both the
# QNAME and the DS RRset at the zone cut.
$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1
@ -215,7 +215,7 @@ exactly_one_record_exists_for "delegation.wildcard-nsec.example." NSEC dig.out.2
# type bit map.
ensure_no_ds_in_bitmap "delegation.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Relevant NSEC3 hashes:
#
@ -237,12 +237,12 @@ status=`expr $status + $ret`
# $ nsec3hash - 1 0 z-nonexistent-name.wildcard-nsec3.example.
# SG2DEHEAOGCKP7FTNQAUVC3I3TIPJH0J (salt=-, hash=1, iterations=0)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking insecure delegation prepared using CNAME chaining, NSEC3 ($n)"
ret=0
# QNAME exists, so the AUTHORITY section should only contain an NS RRset and a
# single NSEC3 record proving nonexistence of a DS RRset at the zone cut.
$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1
@ -256,15 +256,15 @@ no_records_exist_for "Q64D8L8HLSB3L98S59PM8OSSMI7SMQA2.wildcard-nsec3.example."
# the type bit map.
ensure_no_ds_in_bitmap "AVKOGGGVJHFSLQA68TILKFKJ94AV4MNC.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC3, QNAME #1 ($n)"
ret=0
# QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
# NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone
# cut. In this test case, these two NSEC3 records are different.
$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1
@ -278,16 +278,16 @@ exactly_one_record_exists_for "Q64D8L8HLSB3L98S59PM8OSSMI7SMQA2.wildcard-nsec3.e
# the type bit map.
ensure_no_ds_in_bitmap "AVKOGGGVJHFSLQA68TILKFKJ94AV4MNC.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC3, QNAME #2 ($n)"
ret=0
# QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
# NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone
# cut. In this test case, the same NSEC3 record proves nonexistence of both the
# QNAME and the DS RRset at the zone cut.
$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec3.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1
@ -301,7 +301,7 @@ no_records_exist_for "Q64D8L8HLSB3L98S59PM8OSSMI7SMQA2.wildcard-nsec3.example."
# the type bit map.
ensure_no_ds_in_bitmap "AVKOGGGVJHFSLQA68TILKFKJ94AV4MNC.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Relevant NSEC3 hashes:
#
@ -326,12 +326,12 @@ status=`expr $status + $ret`
# $ nsec3hash - 1 0 z-nonexistent-name.wildcard-nsec3-optout.example.
# V7OTS4791T9SU0HKVL93EVNAJ9JH2CH3 (salt=-, hash=1, iterations=0)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking insecure delegation prepared using CNAME chaining, NSEC3 with opt-out ($n)"
ret=0
# QNAME exists, so the AUTHORITY section should only contain an NS RRset and a
# single NSEC3 record proving nonexistence of a DS RRset at the zone cut.
$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3-optout.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1
@ -344,15 +344,15 @@ exactly_one_record_exists_for "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-o
# the type bit map.
ensure_no_ds_in_bitmap "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC3 with opt-out, QNAME #1 ($n)"
ret=0
# QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
# NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone
# cut. In this test case, these two NSEC3 records are different.
$DIG $DIGOPTS @10.53.0.2 b-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 b-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1
@ -365,16 +365,16 @@ exactly_one_record_exists_for "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-o
# the type bit map.
ensure_no_ds_in_bitmap "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC3 with opt-out, QNAME #2 ($n)"
ret=0
# QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
# NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone
# cut. In this test case, the same NSEC3 record proves nonexistence of both the
# QNAME and the DS RRset at the zone cut.
$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1
# Ensure that the AUTHORITY section contains an NS RRset without an associated
# DS RRset.
exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1
@ -387,239 +387,239 @@ exactly_one_record_exists_for "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-o
# the type bit map.
ensure_no_ds_in_bitmap "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking CNAME to DNAME from authoritative ($n)"
ret=0
$DIG $DIGOPTS cname.example @10.53.0.2 a > dig.out.ns2.cname
grep "status: NOERROR" dig.out.ns2.cname > /dev/null || ret=1
$DIG $DIGOPTS cname.example @10.53.0.2 a >dig.out.ns2.cname
grep "status: NOERROR" dig.out.ns2.cname >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking CNAME to DNAME from recursive"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS cname.example @10.53.0.7 a > dig.out.ns4.cname
grep "status: NOERROR" dig.out.ns4.cname > /dev/null || ret=1
grep '^cname.example.' dig.out.ns4.cname > /dev/null || ret=1
grep '^cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
grep '^a.cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
grep '^a.target.example.' dig.out.ns4.cname > /dev/null || ret=1
$DIG $DIGOPTS cname.example @10.53.0.7 a >dig.out.ns4.cname
grep "status: NOERROR" dig.out.ns4.cname >/dev/null || ret=1
grep '^cname.example.' dig.out.ns4.cname >/dev/null || ret=1
grep '^cnamedname.example.' dig.out.ns4.cname >/dev/null || ret=1
grep '^a.cnamedname.example.' dig.out.ns4.cname >/dev/null || ret=1
grep '^a.target.example.' dig.out.ns4.cname >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking DNAME is returned with synthesized CNAME before DNAME ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 name.synth-then-dname.example.broken A > dig.out.test$n
grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
grep '^name.synth-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1
grep '^synth-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.7 name.synth-then-dname.example.broken A >dig.out.test$n
grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1
grep '^name.synth-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n >/dev/null || ret=1
grep '^synth-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking DNAME is returned with CNAME to synthesized CNAME before DNAME ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 cname-to-synth2-then-dname.example.broken A > dig.out.test$n
grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
grep '^cname-to-synth2-then-dname\.example\.broken\..*CNAME.*name\.synth2-then-dname\.example\.broken.$' dig.out.test$n > /dev/null || ret=1
grep '^name\.synth2-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1
grep '^synth2-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.7 cname-to-synth2-then-dname.example.broken A >dig.out.test$n
grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1
grep '^cname-to-synth2-then-dname\.example\.broken\..*CNAME.*name\.synth2-then-dname\.example\.broken.$' dig.out.test$n >/dev/null || ret=1
grep '^name\.synth2-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n >/dev/null || ret=1
grep '^synth2-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking CNAME loops are detected ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 loop.example > dig.out.test$n
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
grep "ANSWER: 17" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.7 loop.example >dig.out.test$n
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
grep "ANSWER: 17" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking CNAME to external delegated zones is handled ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 a.example > dig.out.test$n
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
grep "ANSWER: 2" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.7 a.example >dig.out.test$n
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
grep "ANSWER: 2" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking CNAME to internal delegated zones is handled ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 b.example > dig.out.test$n
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
grep "ANSWER: 2" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.7 b.example >dig.out.test$n
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
grep "ANSWER: 2" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking CNAME to signed external delegation is handled ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 c.example > dig.out.$n
grep "status: NOERROR" dig.out.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.7 c.example >dig.out.$n
grep "status: NOERROR" dig.out.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking CNAME to signed internal delegation is handled ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 d.example > dig.out.$n
grep "status: NOERROR" dig.out.$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.7 d.example >dig.out.$n
grep "status: NOERROR" dig.out.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking CNAME chains in various orders ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i
echo "cname,cname,cname|1,2,3,4,s1,s2,s3,s4" | $SEND
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1
grep 'status: NOERROR' dig.out.1.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.1.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.1.$n 2>&1
grep 'status: NOERROR' dig.out.1.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.1.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 null --- start test$n - step 2 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "cname,cname,cname|1,1,2,2,3,4,s4,s3,s1" | $SEND
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.2.$n 2>&1
grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.2.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.2.$n 2>&1
grep 'status: NOERROR' dig.out.2.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.2.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 null --- start test$n - step 3 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "cname,cname,cname|2,1,3,4,s3,s1,s2,s4" | $SEND
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1
grep 'status: NOERROR' dig.out.3.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.3.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.3.$n 2>&1
grep 'status: NOERROR' dig.out.3.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.3.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 null --- start test$n - step 4 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "cname,cname,cname|4,3,2,1,s4,s3,s2,s1" | $SEND
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.4.$n 2>&1
grep 'status: NOERROR' dig.out.4.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.4.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.4.$n 2>&1
grep 'status: NOERROR' dig.out.4.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.4.$n >/dev/null 2>&1 || ret=1
echo "cname,cname,cname|4,3,2,1,s4,s3,s2,s1" | $SEND
$RNDCCMD 10.53.0.7 null --- start test$n - step 5 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.5.$n 2>&1
grep 'status: NOERROR' dig.out.5.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.5.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.5.$n 2>&1
grep 'status: NOERROR' dig.out.5.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.5.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 null --- start test$n - step 6 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "cname,cname,cname|4,3,3,3,s1,s1,1,3,4" | $SEND
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.6.$n 2>&1
grep 'status: NOERROR' dig.out.6.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.6.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.6.$n 2>&1
grep 'status: NOERROR' dig.out.6.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.6.$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking that only the initial CNAME is cached ($n)"
ret=0
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "cname,cname,cname|1,2,3,4,s1,s2,s3,s4" | $SEND
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.1.$n 2>&1
sleep 1
$DIG $DIGOPTS +noall +answer @10.53.0.7 cname1.domain.nil > dig.out.2.$n 2>&1
ttl=`awk '{print $2}' dig.out.2.$n`
$DIG $DIGOPTS +noall +answer @10.53.0.7 cname1.domain.nil >dig.out.2.$n 2>&1
ttl=$(awk '{print $2}' dig.out.2.$n)
[ "$ttl" -eq 86400 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking DNAME chains in various orders ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "dname,dname|5,4,3,2,1,s5,s4,s3,s2,s1" | $SEND
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1
grep 'status: NOERROR' dig.out.1.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 3' dig.out.1.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.1.$n 2>&1
grep 'status: NOERROR' dig.out.1.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 3' dig.out.1.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 null --- start test$n - step 2 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "dname,dname|5,4,3,2,1,s5,s4,s3,s2,s1" | $SEND
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.2.$n 2>&1
grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 3' dig.out.2.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.2.$n 2>&1
grep 'status: NOERROR' dig.out.2.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 3' dig.out.2.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 null --- start test$n - step 3 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "dname,dname|2,3,s1,s2,s3,s4,1" | $SEND
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1
grep 'status: NOERROR' dig.out.3.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 3' dig.out.3.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.3.$n 2>&1
grep 'status: NOERROR' dig.out.3.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 3' dig.out.3.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking external CNAME/DNAME chains in various orders ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i
echo "xname,dname|1,2,3,4,s1,s2,s3,s4" | $SEND
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1
grep 'status: NOERROR' dig.out.1.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.1.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.1.$n 2>&1
grep 'status: NOERROR' dig.out.1.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.1.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 null --- start test$n - step 2 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "xname,dname|s2,2,s1,1,4,s4,3" | $SEND
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.2.$n 2>&1
grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.2.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.2.$n 2>&1
grep 'status: NOERROR' dig.out.2.$n >/dev/null 2>&1 || ret=1
grep 'ANSWER: 2' dig.out.2.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 null --- start test$n - step 3 --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
echo "xname,dname|s2,2,2,2" | $SEND
$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1
grep 'status: SERVFAIL' dig.out.3.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.3.$n 2>&1
grep 'status: SERVFAIL' dig.out.3.$n >/dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking explicit DNAME query ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 dname short-dname.example > dig.out.7.$n 2>&1
grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 dname short-dname.example >dig.out.7.$n 2>&1
grep 'status: NOERROR' dig.out.7.$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking DNAME via ANY query ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
$DIG $DIGOPTS @10.53.0.7 any short-dname.example > dig.out.7.$n 2>&1
grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 any short-dname.example >dig.out.7.$n 2>&1
grep 'status: NOERROR' dig.out.7.$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Regression test for CVE-2021-25215 (authoritative server).
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking DNAME resolution via itself (authoritative) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 DNAME self.domain0.self.domain0.nil. > dig.out.2.$n 2>&1
grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.2 DNAME self.domain0.self.domain0.nil. >dig.out.2.$n 2>&1
grep 'status: NOERROR' dig.out.2.$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Regression test for CVE-2021-25215 (recursive resolver).
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking DNAME resolution via itself (recursive) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.7 DNAME self.example.self.example.dname. > dig.out.7.$n 2>&1
grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS @10.53.0.7 DNAME self.example.self.example.dname. >dig.out.7.$n 2>&1
grep 'status: NOERROR' dig.out.7.$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

842
bin/tests/system/checkconf/tests.sh
View file

File diff suppressed because it is too large Load diff

17
bin/tests/system/checkds/ns2/setup.sh
View file

@ -17,18 +17,17 @@
echo_i "ns2/setup.sh"
for subdomain in dspublished reference missing-dspublished bad-dspublished \
multiple-dspublished incomplete-dspublished bad2-dspublished \
dswithdrawn missing-dswithdrawn bad-dswithdrawn \
multiple-dswithdrawn incomplete-dswithdrawn bad2-dswithdrawn
do
cp "../ns9/dsset-$subdomain.checkds$TP" .
multiple-dspublished incomplete-dspublished bad2-dspublished \
dswithdrawn missing-dswithdrawn bad-dswithdrawn \
multiple-dswithdrawn incomplete-dswithdrawn bad2-dswithdrawn; do
cp "../ns9/dsset-$subdomain.checkds$TP" .
done
zone="checkds"
infile="checkds.db.infile"
zonefile="checkds.db"
CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone)
cat template.db.in "${CSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1
CSK=$($KEYGEN -k default $zone 2>keygen.out.$zone)
cat template.db.in "${CSK}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile >signer.out.$zone 2>&1

8
bin/tests/system/checkds/ns5/setup.sh
View file

@ -20,7 +20,7 @@ zone="checkds"
infile="checkds.db.infile"
zonefile="checkds.db"
CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone)
cat template.db.in "${CSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1
CSK=$($KEYGEN -k default $zone 2>keygen.out.$zone)
cat template.db.in "${CSK}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile >signer.out.$zone 2>&1

52
bin/tests/system/checkds/ns9/setup.sh
View file

@ -17,11 +17,11 @@
echo_i "ns9/setup.sh"
setup() {
zone="$1"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="${zone}.db.infile"
echo "$zone" >> zones
zone="$1"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="${zone}.db.infile"
echo "$zone" >>zones
}
# Short environment variable names for key states and times.
@ -34,30 +34,28 @@ Y="now-1y"
# DS Publication.
for zn in dspublished reference missing-dspublished bad-dspublished \
multiple-dspublished incomplete-dspublished bad2-dspublished
do
setup "${zn}.checkds"
cp template.db.in "$zonefile"
keytimes="-P $T -P sync $T -A $T"
CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone)
$SETTIME -s -g $O -k $O $T -r $O $T -z $O $T -d $R $T "$CSK" > settime.out.$zone 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
multiple-dspublished incomplete-dspublished bad2-dspublished; do
setup "${zn}.checkds"
cp template.db.in "$zonefile"
keytimes="-P $T -P sync $T -A $T"
CSK=$($KEYGEN -k default $keytimes $zone 2>keygen.out.$zone)
$SETTIME -s -g $O -k $O $T -r $O $T -z $O $T -d $R $T "$CSK" >settime.out.$zone 2>&1
cat template.db.in "${CSK}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
done
# DS Withdrawal.
for zn in dswithdrawn missing-dswithdrawn bad-dswithdrawn multiple-dswithdrawn \
incomplete-dswithdrawn bad2-dswithdrawn
do
setup "${zn}.checkds"
cp template.db.in "$zonefile"
keytimes="-P $Y -P sync $Y -A $Y"
CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone)
$SETTIME -s -g $H -k $O $T -r $O $T -z $O $T -d $U $T "$CSK" > settime.out.$zone 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
incomplete-dswithdrawn bad2-dswithdrawn; do
setup "${zn}.checkds"
cp template.db.in "$zonefile"
keytimes="-P $Y -P sync $Y -A $Y"
CSK=$($KEYGEN -k default $keytimes $zone 2>keygen.out.$zone)
$SETTIME -s -g $H -k $O $T -r $O $T -z $O $T -d $U $T "$CSK" >settime.out.$zone 2>&1
cat template.db.in "${CSK}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
done

20
bin/tests/system/checkds/prereq.sh
View file

@ -14,18 +14,16 @@
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
if test -n "$PYTHON"
then
if [ "$($PYTHON -c "import dns.version; print(dns.version.MAJOR)" 2> /dev/null)" -ge 2 ]
then
:
else
echo_i "This test requires the dnspython >= 2.0.0 module." >&2
exit 1
fi
else
echo_i "This test requires Python and the dnspython module." >&2
if test -n "$PYTHON"; then
if [ "$($PYTHON -c "import dns.version; print(dns.version.MAJOR)" 2>/dev/null)" -ge 2 ]; then
:
else
echo_i "This test requires the dnspython >= 2.0.0 module." >&2
exit 1
fi
else
echo_i "This test requires Python and the dnspython module." >&2
exit 1
fi
exit 0

12
bin/tests/system/checkds/setup.sh
View file

@ -27,14 +27,14 @@ copy_setports ns9/named.conf.in ns9/named.conf
# Setup zones
(
cd ns9
$SHELL setup.sh
cd ns9
$SHELL setup.sh
)
(
cd ns5
$SHELL setup.sh
cd ns5
$SHELL setup.sh
)
(
cd ns2
$SHELL setup.sh
cd ns2
$SHELL setup.sh
)

19
bin/tests/system/checkdstool/dig.sh
View file

@ -12,13 +12,22 @@
# information regarding copyright ownership.
while [ "$#" != 0 ]; do
case $1 in
case $1 in
+*) shift ;;
-t) shift ;;
DS|ds) ext=ds ; shift ;;
DNSKEY|dnskey) ext=dnskey ; shift ;;
*) file=$1 ; shift ;;
esac
DS | ds)
ext=ds
shift
;;
DNSKEY | dnskey)
ext=dnskey
shift
;;
*)
file=$1
shift
;;
esac
done
cat ${file}.${ext}.db

108
bin/tests/system/checkdstool/tests.sh
View file

@ -15,12 +15,12 @@ SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
if [ "$CYGWIN" ]; then
DIG=".\dig.bat"
WINDSFROMKEY=`cygpath -w $DSFROMKEY`
CHECKDS="$CHECKDS -a sha1 -a sha256 -d $DIG -D $WINDSFROMKEY"
DIG=".\dig.bat"
WINDSFROMKEY=$(cygpath -w $DSFROMKEY)
CHECKDS="$CHECKDS -a sha1 -a sha256 -d $DIG -D $WINDSFROMKEY"
else
DIG="./dig.sh"
CHECKDS="$CHECKDS -a sha1 -a sha256 -d $DIG -D $DSFROMKEY"
DIG="./dig.sh"
CHECKDS="$CHECKDS -a sha1 -a sha256 -d $DIG -D $DSFROMKEY"
fi
chmod +x $DIG
@ -29,88 +29,88 @@ n=1
echo_i "checking for correct DS, looking up key via 'dig' ($n)"
ret=0
$CHECKDS ok.example > checkds.out.$n 2>&1 || ret=1
grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
$CHECKDS ok.example >checkds.out.$n 2>&1 || ret=1
grep 'SHA-1' checkds.out.$n >/dev/null 2>&1 || ret=1
grep 'SHA-256' checkds.out.$n >/dev/null 2>&1 || ret=1
n=$(expr $n + 1)
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "checking for correct DS, obtaining key from file ($n)"
ret=0
$CHECKDS -f ok.example.dnskey.db ok.example > checkds.out.$n 2>&1 || ret=1
grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
$CHECKDS -f ok.example.dnskey.db ok.example >checkds.out.$n 2>&1 || ret=1
grep 'SHA-1' checkds.out.$n >/dev/null 2>&1 || ret=1
grep 'SHA-256' checkds.out.$n >/dev/null 2>&1 || ret=1
n=$(expr $n + 1)
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "checking for incorrect DS, looking up key via 'dig' ($n)"
ret=0
$CHECKDS wrong.example > checkds.out.$n 2>&1 || ret=1
grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
$CHECKDS wrong.example >checkds.out.$n 2>&1 || ret=1
grep 'SHA-1' checkds.out.$n >/dev/null 2>&1 || ret=1
grep 'SHA-256' checkds.out.$n >/dev/null 2>&1 || ret=1
n=$(expr $n + 1)
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "checking for incorrect DS, obtaining key from file ($n)"
ret=0
$CHECKDS -f wrong.example.dnskey.db wrong.example > checkds.out.$n 2>&1 || ret=1
grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
$CHECKDS -f wrong.example.dnskey.db wrong.example >checkds.out.$n 2>&1 || ret=1
grep 'SHA-1' checkds.out.$n >/dev/null 2>&1 || ret=1
grep 'SHA-256' checkds.out.$n >/dev/null 2>&1 || ret=1
n=$(expr $n + 1)
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "checking for partially missing DS, looking up key via 'dig' ($n)"
ret=0
$CHECKDS missing.example > checkds.out.$n 2>&1 && ret=1
grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
$CHECKDS missing.example >checkds.out.$n 2>&1 && ret=1
grep 'SHA-1.*found' checkds.out.$n >/dev/null 2>&1 || ret=1
grep 'SHA-256.*found' checkds.out.$n >/dev/null 2>&1 || ret=1
grep 'SHA-1.*missing' checkds.out.$n >/dev/null 2>&1 || ret=1
grep 'SHA-256.*missing' checkds.out.$n >/dev/null 2>&1 || ret=1
n=$(expr $n + 1)
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "checking for partially missing DS, obtaining key from file ($n)"
ret=0
$CHECKDS -f missing.example.dnskey.db missing.example > checkds.out.$n 2>&1 && ret=1
grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
$CHECKDS -f missing.example.dnskey.db missing.example >checkds.out.$n 2>&1 && ret=1
grep 'SHA-1.*found' checkds.out.$n >/dev/null 2>&1 || ret=1
grep 'SHA-256.*found' checkds.out.$n >/dev/null 2>&1 || ret=1
grep 'SHA-1.*missing' checkds.out.$n >/dev/null 2>&1 || ret=1
grep 'SHA-256.*missing' checkds.out.$n >/dev/null 2>&1 || ret=1
n=$(expr $n + 1)
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "checking for entirely missing DS, looking up key via 'dig' ($n)"
ret=0
$CHECKDS none.example > checkds.out.$n 2>&1 && ret=1
grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
n=`expr $n + 1`
$CHECKDS none.example >checkds.out.$n 2>&1 && ret=1
grep 'SHA-1.*found' checkds.out.$n >/dev/null 2>&1 && ret=1
grep 'SHA-256.*found' checkds.out.$n >/dev/null 2>&1 && ret=1
n=$(expr $n + 1)
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "checking for entirely missing DS, obtaining key from file ($n)"
ret=0
$CHECKDS -f none.example.dnskey.db none.example > checkds.out.$n 2>&1 && ret=1
grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
n=`expr $n + 1`
$CHECKDS -f none.example.dnskey.db none.example >checkds.out.$n 2>&1 && ret=1
grep 'SHA-1.*found' checkds.out.$n >/dev/null 2>&1 && ret=1
grep 'SHA-256.*found' checkds.out.$n >/dev/null 2>&1 && ret=1
n=$(expr $n + 1)
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "checking with prepared dsset file ($n)"
ret=0
$CHECKDS -f prep.example.db -s prep.example.ds.db prep.example > checkds.out.$n 2>&1 || ret=1
grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
$CHECKDS -f prep.example.db -s prep.example.ds.db prep.example >checkds.out.$n 2>&1 || ret=1
grep 'SHA-1.*found' checkds.out.$n >/dev/null 2>&1 || ret=1
grep 'SHA-256.*found' checkds.out.$n >/dev/null 2>&1 || ret=1
n=$(expr $n + 1)
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
if [ $status = 0 ]; then $SHELL clean.sh; fi
echo_i "exit status: $status"

138
bin/tests/system/checknames/tests.sh
View file

@ -19,173 +19,173 @@ n=1
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}"
wait_for_record () {
$DIG $DIGOPTS "$1" "$2" "$3" > "$4" || return 1
grep NOERROR "$4" > /dev/null || return 1
return 0
wait_for_record() {
$DIG $DIGOPTS "$1" "$2" "$3" >"$4" || return 1
grep NOERROR "$4" >/dev/null || return 1
return 0
}
# Entry should exist.
echo_i "check for failure from on zone load for 'check-names fail;' ($n)"
ret=0
$DIG $DIGOPTS fail.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1
grep SERVFAIL dig.out.ns1.test$n > /dev/null || ret=1
grep 'xx_xx.fail.example: bad owner name (check-names)' ns1/named.run > /dev/null || ret=1
$DIG $DIGOPTS fail.example. @10.53.0.1 a >dig.out.ns1.test$n || ret=1
grep SERVFAIL dig.out.ns1.test$n >/dev/null || ret=1
grep 'xx_xx.fail.example: bad owner name (check-names)' ns1/named.run >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
status=$(expr $status + $ret)
n=$(expr $n + 1)
# Entry should exist.
echo_i "check for warnings from on zone load for 'check-names warn;' ($n)"
ret=0
grep 'xx_xx.warn.example: bad owner name (check-names)' ns1/named.run > /dev/null || ret=1
grep 'xx_xx.warn.example: bad owner name (check-names)' ns1/named.run >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
status=$(expr $status + $ret)
n=$(expr $n + 1)
# Entry should not exist.
echo_i "check for warnings from on zone load for 'check-names ignore;' ($n)"
ret=1
grep 'yy_yy.ignore.example: bad owner name (check-names)' ns1/named.run || ret=0
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
status=$(expr $status + $ret)
n=$(expr $n + 1)
# Entry should exist
echo_i "check that 'check-names response warn;' works ($n)"
ret=0
$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1
$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.1 a >dig.out.ns1.test$n || ret=1
$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
digcomp dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
grep "check-names warning yy_yy.ignore.example/A/IN" ns2/named.run > /dev/null || ret=1
grep "check-names warning yy_yy.ignore.example/A/IN" ns2/named.run >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
status=$(expr $status + $ret)
n=$(expr $n + 1)
# Entry should exist
echo_i "check that 'check-names response (owner) fails;' works ($n)"
ret=0
$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1
$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
grep REFUSED dig.out.ns3.test$n > /dev/null || ret=1
grep "check-names failure yy_yy.ignore.example/A/IN" ns3/named.run > /dev/null || ret=1
$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.1 a >dig.out.ns1.test$n || ret=1
$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
grep NOERROR dig.out.ns1.test$n >/dev/null || ret=1
grep REFUSED dig.out.ns3.test$n >/dev/null || ret=1
grep "check-names failure yy_yy.ignore.example/A/IN" ns3/named.run >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
status=$(expr $status + $ret)
n=$(expr $n + 1)
# Entry should exist
echo_i "check that 'check-names response (rdata) fails;' works ($n)"
ret=0
$DIG $DIGOPTS mx.ignore.example. @10.53.0.1 MX > dig.out.ns1.test$n || ret=1
$DIG $DIGOPTS mx.ignore.example. @10.53.0.3 MX > dig.out.ns3.test$n || ret=1
grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
grep SERVFAIL dig.out.ns3.test$n > /dev/null || ret=1
grep "check-names failure mx.ignore.example/MX/IN" ns3/named.run > /dev/null || ret=1
$DIG $DIGOPTS mx.ignore.example. @10.53.0.1 MX >dig.out.ns1.test$n || ret=1
$DIG $DIGOPTS mx.ignore.example. @10.53.0.3 MX >dig.out.ns3.test$n || ret=1
grep NOERROR dig.out.ns1.test$n >/dev/null || ret=1
grep SERVFAIL dig.out.ns3.test$n >/dev/null || ret=1
grep "check-names failure mx.ignore.example/MX/IN" ns3/named.run >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
status=$(expr $status + $ret)
n=$(expr $n + 1)
echo_i "check that updates to 'check-names fail;' are rejected ($n)"
ret=0
not=1
$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || not=0
$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || not=0
check-names off
server 10.53.0.1 ${PORT}
update add xxx_xxx.fail.update. 600 A 10.10.10.1
send
END
if [ $not != 0 ]; then ret=1; fi
$DIG $DIGOPTS xxx_xxx.fail.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1
grep "xxx_xxx.fail.update/A: bad owner name (check-names)" ns1/named.run > /dev/null || ret=1
grep NXDOMAIN dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS xxx_xxx.fail.update @10.53.0.1 A >dig.out.ns1.test$n || ret=1
grep "xxx_xxx.fail.update/A: bad owner name (check-names)" ns1/named.run >/dev/null || ret=1
grep NXDOMAIN dig.out.ns1.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
status=$(expr $status + $ret)
n=$(expr $n + 1)
echo_i "check that updates to 'check-names warn;' succeed and are logged ($n)"
ret=0
$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1|| ret=1
$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || ret=1
check-names off
server 10.53.0.1 ${PORT}
update add xxx_xxx.warn.update. 600 A 10.10.10.1
send
END
$DIG $DIGOPTS xxx_xxx.warn.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1
grep "xxx_xxx.warn.update/A: bad owner name (check-names)" ns1/named.run > /dev/null || ret=1
grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS xxx_xxx.warn.update @10.53.0.1 A >dig.out.ns1.test$n || ret=1
grep "xxx_xxx.warn.update/A: bad owner name (check-names)" ns1/named.run >/dev/null || ret=1
grep NOERROR dig.out.ns1.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
status=$(expr $status + $ret)
n=$(expr $n + 1)
echo_i "check that updates to 'check-names ignore;' succeed and are not logged ($n)"
ret=0
not=1
$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1
$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || ret=1
check-names off
server 10.53.0.1 ${PORT}
update add xxx_xxx.ignore.update. 600 A 10.10.10.1
send
END
grep "xxx_xxx.ignore.update/A.*(check-names)" ns1/named.run > /dev/null || not=0
grep "xxx_xxx.ignore.update/A.*(check-names)" ns1/named.run >/dev/null || not=0
if [ $not != 0 ]; then ret=1; fi
$DIG $DIGOPTS xxx_xxx.ignore.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1
grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS xxx_xxx.ignore.update @10.53.0.1 A >dig.out.ns1.test$n || ret=1
grep NOERROR dig.out.ns1.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
status=$(expr $status + $ret)
n=$(expr $n + 1)
echo_i "check that updates to 'check-names primary ignore;' succeed and are not logged ($n)"
ret=0
not=1
$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1
$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || ret=1
check-names off
server 10.53.0.4 ${PORT}
update add xxx_xxx.primary-ignore.update. 600 A 10.10.10.1
send
END
grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns4/named.run > /dev/null || not=0
grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns4/named.run >/dev/null || not=0
if [ $not != 0 ]; then ret=1; fi
$DIG $DIGOPTS xxx_xxx.primary-ignore.update @10.53.0.4 A > dig.out.ns4.test$n || ret=1
grep NOERROR dig.out.ns4.test$n > /dev/null || ret=1
$DIG $DIGOPTS xxx_xxx.primary-ignore.update @10.53.0.4 A >dig.out.ns4.test$n || ret=1
grep NOERROR dig.out.ns4.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
status=$(expr $status + $ret)
n=$(expr $n + 1)
echo_i "check that updates to 'check-names master ignore;' succeed and are not logged ($n)"
ret=0
not=1
$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1
$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || ret=1
check-names off
server 10.53.0.5 ${PORT}
update add xxx_xxx.master-ignore.update. 600 A 10.10.10.1
send
END
grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns5/named.run > /dev/null || not=0
grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns5/named.run >/dev/null || not=0
if [ $not != 0 ]; then ret=1; fi
$DIG $DIGOPTS xxx_xxx.master-ignore.update @10.53.0.5 A > dig.out.ns5.test$n || ret=1
grep NOERROR dig.out.ns5.test$n > /dev/null || ret=1
$DIG $DIGOPTS xxx_xxx.master-ignore.update @10.53.0.5 A >dig.out.ns5.test$n || ret=1
grep NOERROR dig.out.ns5.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
status=$((status + ret))
n=$((n + 1))
echo_i "check that updates to 'check-names secondary ignore;' succeed and are not logged ($n)"
ret=0
# takes a while for the transfer to succeed as ns5 (primary) is started after ns4 (secondary)
# and the zone is still loading when we get to this point.
retry_quiet 35 wait_for_record xxx_xxx.master-ignore.update @10.53.0.4 A dig.out.ns4.test$n || ret=1
grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns4/named.run > /dev/null && ret=1
grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns4/named.run >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
status=$(expr $status + $ret)
n=$(expr $n + 1)
echo_i "check that updates to 'check-names master ignore;' succeed and are not logged ($n)"
ret=0
retry_quiet 35 wait_for_record xxx_xxx.primary-ignore.update @10.53.0.5 A dig.out.ns5.test$n || ret=1
grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns5/named.run > /dev/null && ret=1
grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns5/named.run >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
status=$((status + ret))
n=$((n + 1))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

4
bin/tests/system/checkzone/setup.sh
View file

@ -17,8 +17,8 @@ SYSTEMTESTTOP=..
ln -s $CHECKZONE named-compilezone
./named-compilezone -D -F raw -o good1.db.raw example \
zones/good1.db > /dev/null 2>&1
zones/good1.db >/dev/null 2>&1
./named-compilezone -D -F map -o good1.db.map example \
zones/good1.db > /dev/null 2>&1
zones/good1.db >/dev/null 2>&1
copy_setports zones/bad-tsig.db.in zones/bad-tsig.db

174
bin/tests/system/checkzone/tests.sh
View file

@ -17,129 +17,127 @@ SYSTEMTESTTOP=..
status=0
n=1
for db in zones/good*.db
do
echo_i "checking $db ($n)"
ret=0
case $db in
zones/good-gc-msdcs.db|zones/good-spf-exception.db)
$CHECKZONE -k fail -i local example $db > test.out.$n 2>&1 || ret=1
;;
zones/good-dns-sd-reverse.db)
$CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db > test.out.$n 2>&1 || ret=1
;;
*)
$CHECKZONE -i local example $db > test.out.$n 2>&1 || ret=1
;;
esac
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
for db in zones/good*.db; do
echo_i "checking $db ($n)"
ret=0
case $db in
zones/good-gc-msdcs.db | zones/good-spf-exception.db)
$CHECKZONE -k fail -i local example $db >test.out.$n 2>&1 || ret=1
;;
zones/good-dns-sd-reverse.db)
$CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db >test.out.$n 2>&1 || ret=1
;;
*)
$CHECKZONE -i local example $db >test.out.$n 2>&1 || ret=1
;;
esac
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
done
for db in zones/bad*.db
do
echo_i "checking $db ($n)"
ret=0 v=0
case $db in
zones/bad-dns-sd-reverse.db|zones/bad-svcb-servername.db)
$CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db > test.out.$n 2>&1 || v=$?
;;
*)
$CHECKZONE -i local example $db > test.out.$n 2>&1 || v=$?
;;
esac
test $v = 1 || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
for db in zones/bad*.db; do
echo_i "checking $db ($n)"
ret=0 v=0
case $db in
zones/bad-dns-sd-reverse.db | zones/bad-svcb-servername.db)
$CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db >test.out.$n 2>&1 || v=$?
;;
*)
$CHECKZONE -i local example $db >test.out.$n 2>&1 || v=$?
;;
esac
test $v = 1 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
done
echo_i "checking with journal file ($n)"
ret=0
$CHECKZONE -D -o test.orig.db test zones/test1.db > /dev/null 2>&1 || ret=1
$CHECKZONE -D -o test.changed.db test zones/test2.db > /dev/null 2>&1 || ret=1
$CHECKZONE -D -o test.orig.db test zones/test1.db >/dev/null 2>&1 || ret=1
$CHECKZONE -D -o test.changed.db test zones/test2.db >/dev/null 2>&1 || ret=1
$MAKEJOURNAL test test.orig.db test.changed.db test.orig.db.jnl 2>&1 || ret=1
jlines=$($JOURNALPRINT test.orig.db.jnl | wc -l)
[ $jlines = 3 ] || ret=1
$CHECKZONE -D -j -o test.out1.db test test.orig.db > /dev/null 2>&1 || ret=1
$CHECKZONE -D -j -o test.out1.db test test.orig.db >/dev/null 2>&1 || ret=1
cmp -s test.changed.db test.out1.db || ret=1
mv -f test.orig.db.jnl test.journal
$CHECKZONE -D -J test.journal -o test.out2.db test test.orig.db > /dev/null 2>&1 || ret=1
$CHECKZONE -D -J test.journal -o test.out2.db test test.orig.db >/dev/null 2>&1 || ret=1
cmp -s test.changed.db test.out2.db || ret=1
n=$((n+1))
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking with spf warnings ($n)"
ret=0
$CHECKZONE example zones/spf.db > test.out1.$n 2>&1 || ret=1
$CHECKZONE -T ignore example zones/spf.db > test.out2.$n 2>&1 || ret=1
grep "'x.example' found type SPF" test.out1.$n > /dev/null && ret=1
grep "'y.example' found type SPF" test.out1.$n > /dev/null || ret=1
grep "'example' found type SPF" test.out1.$n > /dev/null && ret=1
grep "'x.example' found type SPF" test.out2.$n > /dev/null && ret=1
grep "'y.example' found type SPF" test.out2.$n > /dev/null && ret=1
grep "'example' found type SPF" test.out2.$n > /dev/null && ret=1
n=$((n+1))
$CHECKZONE example zones/spf.db >test.out1.$n 2>&1 || ret=1
$CHECKZONE -T ignore example zones/spf.db >test.out2.$n 2>&1 || ret=1
grep "'x.example' found type SPF" test.out1.$n >/dev/null && ret=1
grep "'y.example' found type SPF" test.out1.$n >/dev/null || ret=1
grep "'example' found type SPF" test.out1.$n >/dev/null && ret=1
grep "'x.example' found type SPF" test.out2.$n >/dev/null && ret=1
grep "'y.example' found type SPF" test.out2.$n >/dev/null && ret=1
grep "'example' found type SPF" test.out2.$n >/dev/null && ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking with max ttl (text) ($n)"
ret=0
$CHECKZONE -l 300 example zones/good1.db > test.out1.$n 2>&1 && ret=1
$CHECKZONE -l 600 example zones/good1.db > test.out2.$n 2>&1 || ret=1
n=$((n+1))
$CHECKZONE -l 300 example zones/good1.db >test.out1.$n 2>&1 && ret=1
$CHECKZONE -l 600 example zones/good1.db >test.out2.$n 2>&1 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking with max ttl (raw) ($n)"
ret=0
$CHECKZONE -f raw -l 300 example good1.db.raw > test.out1.$n 2>&1 && ret=1
$CHECKZONE -f raw -l 600 example good1.db.raw > test.out2.$n 2>&1 || ret=1
n=$((n+1))
$CHECKZONE -f raw -l 300 example good1.db.raw >test.out1.$n 2>&1 && ret=1
$CHECKZONE -f raw -l 600 example good1.db.raw >test.out2.$n 2>&1 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking with max ttl (map) ($n)"
ret=0
$CHECKZONE -f map -l 300 example good1.db.map > test.out1.$n 2>&1 && ret=1
$CHECKZONE -f map -l 600 example good1.db.map > test.out2.$n 2>&1 || ret=1
n=`expr $n + 1`
$CHECKZONE -f map -l 300 example good1.db.map >test.out1.$n 2>&1 && ret=1
$CHECKZONE -f map -l 600 example good1.db.map >test.out2.$n 2>&1 || ret=1
n=$(expr $n + 1)
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "checking for no 'inherited owner' warning on '\$INCLUDE file' with no new \$ORIGIN ($n)"
ret=0
$CHECKZONE example zones/nowarn.inherited.owner.db > test.out1.$n 2>&1 || ret=1
grep "inherited.owner" test.out1.$n > /dev/null && ret=1
n=$((n+1))
$CHECKZONE example zones/nowarn.inherited.owner.db >test.out1.$n 2>&1 || ret=1
grep "inherited.owner" test.out1.$n >/dev/null && ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking for 'inherited owner' warning on '\$ORIGIN + \$INCLUDE file' ($n)"
ret=0
$CHECKZONE example zones/warn.inherit.origin.db > test.out1.$n 2>&1 || ret=1
grep "inherited.owner" test.out1.$n > /dev/null || ret=1
n=$((n+1))
$CHECKZONE example zones/warn.inherit.origin.db >test.out1.$n 2>&1 || ret=1
grep "inherited.owner" test.out1.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking for 'inherited owner' warning on '\$INCLUDE file origin' ($n)"
ret=0
$CHECKZONE example zones/warn.inherited.owner.db > test.out1.$n 2>&1 || ret=1
grep "inherited.owner" test.out1.$n > /dev/null || ret=1
n=$((n+1))
$CHECKZONE example zones/warn.inherited.owner.db >test.out1.$n 2>&1 || ret=1
grep "inherited.owner" test.out1.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking that raw zone with bad class is handled ($n)"
ret=0
$CHECKZONE -f raw example zones/bad-badclass.raw > test.out.$n 2>&1 && ret=1
$CHECKZONE -f raw example zones/bad-badclass.raw >test.out.$n 2>&1 && ret=1
grep "failed: bad class" test.out.$n >/dev/null || ret=1
n=$((n+1))
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking that expirations that loop using serial arithmetic are handled ($n)"
ret=0
@ -166,35 +164,35 @@ test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
n=$((n+1))
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking that nameserver below DNAME is reported even with occulted address record present ($n)"
ret=0
$CHECKZONE example.com zones/ns-address-below-dname.db > test.out.$n 2>&1 && ret=1
$CHECKZONE example.com zones/ns-address-below-dname.db >test.out.$n 2>&1 && ret=1
grep "is below a DNAME" test.out.$n >/dev/null || ret=1
n=$((n+1))
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking that delegating nameserver below DNAME is reported even with occulted address record present ($n)"
ret=0
$CHECKZONE example.com zones/delegating-ns-address-below-dname.db > test.out.$n 2>&1 || ret=1
$CHECKZONE example.com zones/delegating-ns-address-below-dname.db >test.out.$n 2>&1 || ret=1
grep "is below a DNAME" test.out.$n >/dev/null || ret=1
n=$((n+1))
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
ret=0
echo_i "checking integer overflow is prevented in \$GENERATE ($n)"
$CHECKZONE -D example.com zones/generate-overflow.db > test.out.$n 2>&1 || ret=1
$CHECKZONE -D example.com zones/generate-overflow.db >test.out.$n 2>&1 || ret=1
lines=$(grep -c CNAME test.out.$n)
echo $lines
[ "$lines" -eq 1 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

125
bin/tests/system/ckdnsrps.sh
View file

@ -18,7 +18,6 @@ set -e
# Note that dnsrps.conf and dnsrps-slave.conf are included in named.conf
# and differ from dnsrpz.conf which is used by dnsrpzd.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
@ -30,57 +29,64 @@ MCONF=dnsrps.conf
SCONF=dnsrps-slave.conf
USAGE="$0: [-xAD] [-M dnsrps.conf] [-S dnsrps-slave.conf]"
while getopts "xADM:S:" c; do
case $c in
x) set -x; DEBUG=-x;;
A) AS_NS=yes;;
D) TEST_DNSRPS=yes;;
M) MCONF="$OPTARG";;
S) SCONF="$OPTARG";;
*) echo "$USAGE" 1>&2; exit 1;;
esac
case $c in
x)
set -x
DEBUG=-x
;;
A) AS_NS=yes ;;
D) TEST_DNSRPS=yes ;;
M) MCONF="$OPTARG" ;;
S) SCONF="$OPTARG" ;;
*)
echo "$USAGE" 1>&2
exit 1
;;
esac
done
shift `expr $OPTIND - 1 || true`
shift $(expr $OPTIND - 1 || true)
if [ "$#" -ne 0 ]; then
echo "$USAGE" 1>&2
exit 1
echo "$USAGE" 1>&2
exit 1
fi
# erase any existing conf files
cat /dev/null > $MCONF
cat /dev/null > $SCONF
cat /dev/null >$MCONF
cat /dev/null >$SCONF
add_conf () {
echo "$*" >>$MCONF
echo "$*" >>$SCONF
add_conf() {
echo "$*" >>$MCONF
echo "$*" >>$SCONF
}
if ! $FEATURETEST --enable-dnsrps; then
if [ -n "$TEST_DNSRPS" ]; then
add_conf "## DNSRPS disabled at compile time"
fi
add_conf "#skip"
exit 0
if [ -n "$TEST_DNSRPS" ]; then
add_conf "## DNSRPS disabled at compile time"
fi
add_conf "#skip"
exit 0
fi
if [ -z "$TEST_DNSRPS" ]; then
add_conf "## testing with native RPZ"
add_conf '#skip'
exit 0
add_conf "## testing with native RPZ"
add_conf '#skip'
exit 0
else
add_conf "## testing with DNSRPS"
add_conf "## testing with DNSRPS"
fi
if [ ! -x "$DNSRPS_CMD" ]; then
add_conf "## make $DNSRPS_CMD to test DNSRPS"
add_conf '#skip'
exit 0
add_conf "## make $DNSRPS_CMD to test DNSRPS"
add_conf '#skip'
exit 0
fi
if $DNSRPS_CMD -a >/dev/null; then :
if $DNSRPS_CMD -a >/dev/null; then
:
else
add_conf "## DNSRPS provider library is not available"
add_conf '#skip'
exit 0
add_conf "## DNSRPS provider library is not available"
add_conf '#skip'
exit 0
fi
CMN=" dnsrps-options { dnsrpzd-conf ../dnsrpzd.conf
@ -91,7 +97,7 @@ CMN=" dnsrps-options { dnsrpzd-conf ../dnsrpzd.conf
MASTER="$CMN"
if [ -n "$AS_NS" ]; then
MASTER="$MASTER
MASTER="$MASTER
qname-as-ns yes
ip-as-ns yes"
fi
@ -107,7 +113,6 @@ $CMN
dnsrpzd '' }; # do not start dnsrpzd
EOF
# DNSRPS is available.
# The test should fail if the license is bad.
add_conf "dnsrps-enable yes;"
@ -118,49 +123,49 @@ ALT_L=alt-dnsrpzd-license.conf
# try ../rpz/alt-dnsrpzd-license.conf if alt-dnsrpzd-license.conf does not exist
[ -s $ALT_L ] || ALT_L=../rpz/alt-dnsrpzd-license.conf
if [ -s $ALT_L ]; then
SRC_L=$ALT_L
USE_ALT=
SRC_L=$ALT_L
USE_ALT=
else
SRC_L=../rpz/dnsrpzd-license.conf
USE_ALT="## consider installing alt-dnsrpzd-license.conf"
SRC_L=../rpz/dnsrpzd-license.conf
USE_ALT="## consider installing alt-dnsrpzd-license.conf"
fi
cp $SRC_L $CUR_L
# parse $CUR_L for the license zone name, master IP addresses, and optional
# transfer-source IP addresses
eval `sed -n -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/'\
-e 's/.*zone *\([-a-z0-9]*.license.fastrpz.com\).*/NAME=\1/p' \
-e 's/.*farsight_fastrpz_license *\([0-9.]*\);.*/IPV4=\1/p' \
-e 's/.*farsight_fastrpz_license *\([0-9a-f:]*\);.*/IPV6=\1/p' \
-e 's/.*transfer-source *\([0-9.]*\);.*/TS4=-b\1/p' \
-e 's/.*transfer-source *\([0-9a-f:]*\);.*/TS6=-b\1/p' \
-e 's/.*transfer-source-v6 *\([0-9a-f:]*\);.*/TS6=-b\1/p' \
$CUR_L`
eval $(sed -n -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/' \
-e 's/.*zone *\([-a-z0-9]*.license.fastrpz.com\).*/NAME=\1/p' \
-e 's/.*farsight_fastrpz_license *\([0-9.]*\);.*/IPV4=\1/p' \
-e 's/.*farsight_fastrpz_license *\([0-9a-f:]*\);.*/IPV6=\1/p' \
-e 's/.*transfer-source *\([0-9.]*\);.*/TS4=-b\1/p' \
-e 's/.*transfer-source *\([0-9a-f:]*\);.*/TS6=-b\1/p' \
-e 's/.*transfer-source-v6 *\([0-9a-f:]*\);.*/TS6=-b\1/p' \
$CUR_L)
if [ -z "$NAME" ]; then
add_conf "## no DNSRPS tests; no license domain name in $SRC_L"
add_conf '#fail'
exit 0
add_conf "## no DNSRPS tests; no license domain name in $SRC_L"
add_conf '#fail'
exit 0
fi
if [ -z "$IPV4" ]; then
IPV4=license1.fastrpz.com
TS4=
IPV4=license1.fastrpz.com
TS4=
fi
if [ -z "$IPV6" ]; then
IPV6=license1.fastrpz.com
TS6=
IPV6=license1.fastrpz.com
TS6=
fi
# This TSIG key is common and NOT a secret
KEY='hmac-sha256:farsight_fastrpz_license:f405d02b4c8af54855fcebc1'
# Try IPv4 and then IPv6 to deal with IPv6 tunnel and connectivity problems
if `$DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4 \
| grep -i "^$NAME.*TXT" >/dev/null`; then
exit 0
if $($DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4 \
| grep -i "^$NAME.*TXT" >/dev/null); then
exit 0
fi
if `$DIG -6 -t axfr -y$KEY $TS6 $NAME @$IPV6 \
| grep -i "^$NAME.*TXT" >/dev/null`; then
exit 0
if $($DIG -6 -t axfr -y$KEY $TS6 $NAME @$IPV6 \
| grep -i "^$NAME.*TXT" >/dev/null); then
exit 0
fi
add_conf "## DNSRPS lacks a valid license via $SRC_L"

18
bin/tests/system/cleanall.sh
View file

@ -18,20 +18,18 @@
SYSTEMTESTTOP=.
. $SYSTEMTESTTOP/conf.sh
find . -type f \( \
-name '*~' -o -name 'core' -o -name '*.core' \
-o -name '*.log' -o -name '*.pid' -o -name '*.keyset' \
-o -name named.run -o -name ans.run \
-o -name '*-valgrind-*.log' \) -print | xargs rm -f
-name '*~' -o -name 'core' -o -name '*.core' \
-o -name '*.log' -o -name '*.pid' -o -name '*.keyset' \
-o -name named.run -o -name ans.run \
-o -name '*-valgrind-*.log' \) -print | xargs rm -f
status=0
rm -f $SYSTEMTESTTOP/random.data
for d in $SUBDIRS
do
test ! -f $d/clean.sh || ( cd $d && $SHELL clean.sh )
rm -f test.output.$d
test -d $d && find $d -type d -exec rmdir '{}' \; 2> /dev/null
for d in $SUBDIRS; do
test ! -f $d/clean.sh || (cd $d && $SHELL clean.sh)
rm -f test.output.$d
test -d $d && find $d -type d -exec rmdir '{}' \; 2>/dev/null
done

2
bin/tests/system/cleanpkcs11.sh
View file

@ -15,4 +15,4 @@
PK11DELBIN=$(echo "$PK11DEL" | awk '{ print $1 }')
[ -x "$PK11DELBIN" ] && $PK11DEL -w0 > /dev/null 2>&1
[ -x "$PK11DELBIN" ] && $PK11DEL -w0 >/dev/null 2>&1

15
bin/tests/system/conf.sh.in
View file

@ -33,12 +33,12 @@ export CHECKDS=$TOP/bin/python/dnssec-checkds
export CHECKZONE=$TOP/bin/check/named-checkzone
export COVERAGE=$TOP/bin/python/dnssec-coverage
export DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
if [ -z "$TSAN_OPTIONS" ]; then # workaround for GL#4119
export DELV=$TOP/bin/delv/delv
export RESOLVE=$TOP/bin/tests/system/resolve
if [ -z "$TSAN_OPTIONS" ]; then # workaround for GL#4119
export DELV=$TOP/bin/delv/delv
export RESOLVE=$TOP/bin/tests/system/resolve
else
export DELV=:
export RESOLVE=:
export DELV=:
export RESOLVE=:
fi
export DIG=$TOP/bin/dig/dig
export DNSTAPREAD=$TOP/bin/tools/dnstap-read
@ -105,8 +105,8 @@ export PSSUSPEND=
#
export PERL=@PERL@
if ! test -x "$PERL"; then
echo "Perl interpreter is required for system tests."
exit 77
echo "Perl interpreter is required for system tests."
exit 77
fi
export PYTHON=@PYTHON@
@ -115,7 +115,6 @@ export PYTHON=@PYTHON@
#
export CRYPTO=@CRYPTO@
# Load common values shared between windows and unix/linux.
. $TOP/bin/tests/system/conf.sh.common

20
bin/tests/system/cookie/prereq.sh
View file

@ -16,18 +16,16 @@
set -e
if test -n "$PYTHON"
then
if $PYTHON -c "import dns" 2> /dev/null
then
:
else
echo_i "This test requires the dnspython module." >&2
exit 1
fi
else
echo_i "This test requires Python and the dnspython module." >&2
if test -n "$PYTHON"; then
if $PYTHON -c "import dns" 2>/dev/null; then
:
else
echo_i "This test requires the dnspython module." >&2
exit 1
fi
else
echo_i "This test requires Python and the dnspython module." >&2
exit 1
fi
exit 0

533
bin/tests/system/cookie/tests.sh
View file

@ -21,189 +21,187 @@ status=0
n=0
getcookie() {
awk '$2 == "COOKIE:" {
awk '$2 == "COOKIE:" {
print $3;
}' < $1 | tr -d '\r'
}' <$1 | tr -d '\r'
}
fullcookie() {
awk 'BEGIN { n = 0 }
awk 'BEGIN { n = 0 }
// { v[n++] = length(); }
END { print (v[1] == v[2]); }'
}
havetc() {
grep 'flags:.* tc[^;]*;' $1 > /dev/null
grep 'flags:.* tc[^;]*;' $1 >/dev/null
}
for bad in bad*.conf
do
n=`expr $n + 1`
echo_i "checking that named-checkconf detects error in $bad ($n)"
ret=0
$CHECKCONF $bad > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
for bad in bad*.conf; do
n=$(expr $n + 1)
echo_i "checking that named-checkconf detects error in $bad ($n)"
ret=0
$CHECKCONF $bad >/dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$(expr $status + $ret)
done
for good in good*.conf
do
n=`expr $n + 1`
echo_i "checking that named-checkconf detects accepts $good ($n)"
ret=0
$CHECKCONF $good > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
for good in good*.conf; do
n=$(expr $n + 1)
echo_i "checking that named-checkconf detects accepts $good ($n)"
ret=0
$CHECKCONF $good >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$(expr $status + $ret)
done
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking RCODE=FORMERR to query without question section and without COOKIE option ($n)"
ret=0
$DIG $DIGOPTS +qr +header-only +nocookie version.bind txt ch @10.53.0.1 > dig.out.test$n
grep COOKIE: dig.out.test$n > /dev/null && ret=1
grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +qr +header-only +nocookie version.bind txt ch @10.53.0.1 >dig.out.test$n
grep COOKIE: dig.out.test$n >/dev/null && ret=1
grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking RCODE=NOERROR to query without question section and with COOKIE option ($n)"
ret=0
$DIG $DIGOPTS +qr +header-only +cookie version.bind txt ch @10.53.0.1 > dig.out.test$n
grep COOKIE: dig.out.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +qr +header-only +cookie version.bind txt ch @10.53.0.1 >dig.out.test$n
grep COOKIE: dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking COOKIE token is returned to empty COOKIE option ($n)"
ret=0
$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.1 > dig.out.test$n
grep COOKIE: dig.out.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.1 >dig.out.test$n
grep COOKIE: dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking COOKIE is not returned when answer-cookie is false ($n)"
ret=0
$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.7 > dig.out.test$n
grep COOKIE: dig.out.test$n > /dev/null && ret=1
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.7 >dig.out.test$n
grep COOKIE: dig.out.test$n >/dev/null && ret=1
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking response size without COOKIE ($n)"
ret=0
$DIG $DIGOPTS large.example txt @10.53.0.1 +ignore > dig.out.test$n
$DIG $DIGOPTS large.example txt @10.53.0.1 +ignore >dig.out.test$n
havetc dig.out.test$n || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking response size without valid COOKIE ($n)"
ret=0
$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 +ignore > dig.out.test$n
$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 +ignore >dig.out.test$n
havetc dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking response size with COOKIE ($n)"
ret=0
$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 > dig.out.test$n.l
cookie=`getcookie dig.out.test$n.l`
$DIG $DIGOPTS +qr +cookie=$cookie large.example txt @10.53.0.1 +ignore > dig.out.test$n
$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 >dig.out.test$n.l
cookie=$(getcookie dig.out.test$n.l)
$DIG $DIGOPTS +qr +cookie=$cookie large.example txt @10.53.0.1 +ignore >dig.out.test$n
havetc dig.out.test$n && ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking response size with COOKIE recursive ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=$cookie large.xxx txt @10.53.0.1 +ignore > dig.out.test$n
$DIG $DIGOPTS +qr +cookie=$cookie large.xxx txt @10.53.0.1 +ignore >dig.out.test$n
havetc dig.out.test$n && ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking COOKIE is learnt for TCP retry ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie large.example txt @10.53.0.1 > dig.out.test$n
linecount=`getcookie dig.out.test$n | wc -l`
$DIG $DIGOPTS +qr +cookie large.example txt @10.53.0.1 >dig.out.test$n
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $linecount != 3 ]; then ret=1; fi
checkfull=`getcookie dig.out.test$n | fullcookie`
checkfull=$(getcookie dig.out.test$n | fullcookie)
if [ $checkfull != 1 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking for COOKIE value in adb ($n)"
ret=0
rndc_dumpdb ns1
grep "10.53.0.2.*\[cookie=" ns1/named_dump.db.test$n > /dev/null || ret=1
grep "10.53.0.2.*\[cookie=" ns1/named_dump.db.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking require-server-cookie default (no) ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.1 > dig.out.test$n
grep BADCOOKIE dig.out.test$n > /dev/null && ret=1
linecount=`getcookie dig.out.test$n | wc -l`
$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.1 >dig.out.test$n
grep BADCOOKIE dig.out.test$n >/dev/null && ret=1
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking require-server-cookie yes ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.3 > dig.out.test$n
grep "flags: qr[^;]* aa[ ;]" dig.out.test$n > /dev/null && ret=1
grep "flags: qr[^;]* ad[ ;]" dig.out.test$n > /dev/null && ret=1
grep BADCOOKIE dig.out.test$n > /dev/null || ret=1
linecount=`getcookie dig.out.test$n | wc -l`
$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.3 >dig.out.test$n
grep "flags: qr[^;]* aa[ ;]" dig.out.test$n >/dev/null && ret=1
grep "flags: qr[^;]* ad[ ;]" dig.out.test$n >/dev/null && ret=1
grep BADCOOKIE dig.out.test$n >/dev/null || ret=1
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking require-server-cookie yes with rate-limit ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +nobadcookie soa example @10.53.0.8 > dig.out.test$n
grep "flags: qr[^;]* ad[ ;]" dig.out.test$n > /dev/null && ret=1
grep BADCOOKIE dig.out.test$n > /dev/null || ret=1
linecount=`getcookie dig.out.test$n | wc -l`
$DIG $DIGOPTS +qr +cookie +nobadcookie soa example @10.53.0.8 >dig.out.test$n
grep "flags: qr[^;]* ad[ ;]" dig.out.test$n >/dev/null && ret=1
grep BADCOOKIE dig.out.test$n >/dev/null || ret=1
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "send undersized cookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=000000 soa @10.53.0.1 > dig.out.test$n || ret=1
grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +qr +cookie=000000 soa @10.53.0.1 >dig.out.test$n || ret=1
grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "send oversized for named cookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.1 > dig.out.test$n || ret=1
grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.1 >dig.out.test$n || ret=1
grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "send oversized for named cookie with server requiring a good cookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.3 > dig.out.test$n || ret=1
grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.3 >dig.out.test$n || ret=1
grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
#
# Test shared cookie-secret support.
@ -222,293 +220,292 @@ status=`expr $status + $ret`
# Force local address so that the client's address is the same to all servers.
#
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "get NS4 cookie for cross server checking ($n)"
ret=0
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.4 > dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
ns4cookie=`getcookie dig.out.test$n`
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.4 >dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
ns4cookie=$(getcookie dig.out.test$n)
test -n "$ns4cookie" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "get NS5 cookie for cross server checking ($n)"
ret=0
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.5 > dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
ns5cookie=`getcookie dig.out.test$n`
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.5 >dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
ns5cookie=$(getcookie dig.out.test$n)
test -n "$ns5cookie" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "get NS6 cookie for cross server checking ($n)"
ret=0
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.6 > dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
ns6cookie=`getcookie dig.out.test$n`
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.6 >dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
ns6cookie=$(getcookie dig.out.test$n)
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "test NS4 cookie on NS5 (expect success) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 > dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 >dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "test NS4 cookie on NS6 (expect badcookie) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 > dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 >dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "test NS5 cookie on NS4 (expect success) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 > dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 >dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "test NS5 cookie on NS6 (expect badcookie) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 > dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 >dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "test NS6 cookie on NS4 (expect badcookie) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 > dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 >dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "test NS6 cookie on NS5 (expect success) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 > dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 >dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check that test server is correctly configured ($n)"
ret=0
pat="; COOKIE: ................................ (good)"
#UDP
$DIG $DIGOPTS @10.53.0.9 +notcp tld > dig.out.test$n.1
grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
grep "$pat" dig.out.test$n.1 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.1 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.1 > /dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +notcp tld >dig.out.test$n.1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
grep "$pat" dig.out.test$n.1 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.1 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.1 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +notcp tcponly.tld > dig.out.test$n.2
grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.2 > /dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +notcp tcponly.tld >dig.out.test$n.2
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.2 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +notcp nocookie.tld > dig.out.test$n.3
grep "status: NOERROR" dig.out.test$n.3 > /dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.3 > /dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.3 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.3 > /dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +notcp nocookie.tld >dig.out.test$n.3
grep "status: NOERROR" dig.out.test$n.3 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.3 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.3 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.3 >/dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +notcp withtsig.tld > dig.out.test$n.4
grep "status: NOERROR" dig.out.test$n.4 > /dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.4 > /dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.4 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.4 > /dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.4 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.9 +notcp withtsig.tld >dig.out.test$n.4
grep "status: NOERROR" dig.out.test$n.4 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.4 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.4 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.4 >/dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.4 >/dev/null || ret=1
#TCP
$DIG $DIGOPTS @10.53.0.9 +tcp tld > dig.out.test$n.5
grep "status: NOERROR" dig.out.test$n.5 > /dev/null || ret=1
grep "$pat" dig.out.test$n.5 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.5 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.5 > /dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +tcp tld >dig.out.test$n.5
grep "status: NOERROR" dig.out.test$n.5 >/dev/null || ret=1
grep "$pat" dig.out.test$n.5 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.5 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.5 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +tcp tcponly.tld > dig.out.test$n.6
grep "status: NOERROR" dig.out.test$n.6 > /dev/null || ret=1
grep "$pat" dig.out.test$n.6 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.6 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.6 > /dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +tcp tcponly.tld >dig.out.test$n.6
grep "status: NOERROR" dig.out.test$n.6 >/dev/null || ret=1
grep "$pat" dig.out.test$n.6 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.6 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.6 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +tcp nocookie.tld > dig.out.test$n.7
grep "status: NOERROR" dig.out.test$n.7 > /dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.7 > /dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.7 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.7 > /dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +tcp nocookie.tld >dig.out.test$n.7
grep "status: NOERROR" dig.out.test$n.7 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.7 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.7 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.7 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +tcp withtsig.tld > dig.out.test$n.8
grep "status: NOERROR" dig.out.test$n.8 > /dev/null || ret=1
grep "$pat" dig.out.test$n.8 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.8 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.8 > /dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.8 > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.9 +tcp withtsig.tld >dig.out.test$n.8
grep "status: NOERROR" dig.out.test$n.8 >/dev/null || ret=1
grep "$pat" dig.out.test$n.8 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.8 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.8 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.8 >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check that spoofed response is dropped when we have a server cookie ($n)"
ret=0
msg="missing expected cookie from"
pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
# prime EDNS COOKIE state
$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1
grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
rndc_dumpdb ns1
grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
# spoofed response contains 10.53.0.10
nextpart ns1/named.run >/dev/null
$DIG $DIGOPTS @10.53.0.1 tcponly.tld > dig.out.test$n.2
$DIG $DIGOPTS @10.53.0.1 tcponly.tld >dig.out.test$n.2
wait_for_log 5 "$msg" ns1/named.run || ret=1
grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check that gracefully handle server disabling DNS COOKIE we have a server cookie ($n)"
ret=0
msg="missing expected cookie from"
pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
# prime EDNS COOKIE state
$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1
grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
rndc_dumpdb ns1
grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
# check the disabled server response
nextpart ns1/named.run >/dev/null
$DIG $DIGOPTS @10.53.0.1 nocookie.tld > dig.out.test$n.2
$DIG $DIGOPTS @10.53.0.1 nocookie.tld >dig.out.test$n.2
wait_for_log 5 "$msg" ns1/named.run || ret=1
grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check that spoofed response with a TSIG is dropped when we have a server cookie ($n)"
ret=0
pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
# prime EDNS COOKIE state
$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1
grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
rndc_dumpdb ns1
grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
# spoofed response contains 10.53.0.10
nextpart ns1/named.run >/dev/null
$DIG $DIGOPTS @10.53.0.1 withtsig.tld > dig.out.test$n.2
grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1
nextpart ns1/named.run > named.run.test$n
$DIG $DIGOPTS @10.53.0.1 withtsig.tld >dig.out.test$n.2
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1
nextpart ns1/named.run >named.run.test$n
count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n)
test $count -eq 1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
if $PYTHON -c '
import dns.version, sys;
if dns.version.MAJOR > 1: sys.exit(0);
if dns.version.MAJOR == 1 and dns.version.MINOR >= 16: sys.exit(0);
sys.exit(1)'
then
n=`expr $n + 1`
sys.exit(1)'; then
n=$(expr $n + 1)
echo_i "check that TSIG test server is correctly configured ($n)"
ret=0
pat="; COOKIE: ................................ (good)"
key=hmac-sha256:foo:aaaaaaaaaaaa
#UDP
$DIG $DIGOPTS @10.53.0.10 -y $key +notcp tsig. > dig.out.test$n.1
grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
grep "$pat" dig.out.test$n.1 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.1 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.1 > /dev/null && ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +notcp tsig. >dig.out.test$n.1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
grep "$pat" dig.out.test$n.1 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.1 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.1 >/dev/null && ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +notcp tcponly.tsig > dig.out.test$n.2
grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.2 > /dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +notcp tcponly.tsig >dig.out.test$n.2
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.2 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +notcp nocookie.tsig > dig.out.test$n.3
grep "status: NOERROR" dig.out.test$n.3 > /dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.3 > /dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.3 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.3 > /dev/null || ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +notcp nocookie.tsig >dig.out.test$n.3
grep "status: NOERROR" dig.out.test$n.3 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.3 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.3 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.3 >/dev/null || ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1
#TCP
$DIG $DIGOPTS @10.53.0.10 -y $key +tcp tsig. > dig.out.test$n.5
grep "status: NOERROR" dig.out.test$n.5 > /dev/null || ret=1
grep "$pat" dig.out.test$n.5 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.5 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.5 > /dev/null && ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +tcp tsig. >dig.out.test$n.5
grep "status: NOERROR" dig.out.test$n.5 >/dev/null || ret=1
grep "$pat" dig.out.test$n.5 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.5 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.5 >/dev/null && ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +tcp tcponly.tsig > dig.out.test$n.6
grep "status: NOERROR" dig.out.test$n.6 > /dev/null || ret=1
grep "$pat" dig.out.test$n.6 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.6 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.6 > /dev/null && ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +tcp tcponly.tsig >dig.out.test$n.6
grep "status: NOERROR" dig.out.test$n.6 >/dev/null || ret=1
grep "$pat" dig.out.test$n.6 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.6 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.6 >/dev/null && ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +tcp nocookie.tsig > dig.out.test$n.7
grep "status: NOERROR" dig.out.test$n.7 > /dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.7 > /dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.7 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.7 > /dev/null && ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.10 -y $key +tcp nocookie.tsig >dig.out.test$n.7
grep "status: NOERROR" dig.out.test$n.7 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.7 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.7 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.7 >/dev/null && ret=1
grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check that missing COOKIE with a valid TSIG signed response does not trigger TCP fallback ($n)"
ret=0
pat='10\.53\.0\.10 .*\[cookie=................................\] \[ttl'
# prime EDNS COOKIE state
$DIG $DIGOPTS @10.53.0.1 tsig. > dig.out.test$n.1
grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.1 tsig. >dig.out.test$n.1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
rndc_dumpdb ns1
grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
# check the disabled server response
nextpart ns1/named.run >/dev/null
$DIG $DIGOPTS @10.53.0.1 nocookie.tsig > dig.out.test$n.2
grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1
nextpart ns1/named.run > named.run.test$n
$DIG $DIGOPTS @10.53.0.1 nocookie.tsig >dig.out.test$n.2
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1
nextpart ns1/named.run >named.run.test$n
count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n)
test $count -eq 2 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
fi
echo_i "exit status: $status"

40
bin/tests/system/coverage/setup.sh
View file

@ -21,40 +21,40 @@ ln -s $CHECKZONE named-compilezone
# Test 1: KSK goes inactive before successor is active
dir=01-ksk-inactive
ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
$SETTIME -K $dir -I +9mo -D +1y $ksk1 >/dev/null 2>&1
ksk2=$($KEYGEN -q -K $dir -S $ksk1)
$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
$SETTIME -K $dir -I +7mo $ksk1 >/dev/null 2>&1
zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
# Test 2: ZSK goes inactive before successor is active
dir=02-zsk-inactive
zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
$SETTIME -K $dir -I +9mo -D +1y $zsk1 >/dev/null 2>&1
zsk2=$($KEYGEN -q -K $dir -S $zsk1)
$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
$SETTIME -K $dir -I +7mo $zsk1 >/dev/null 2>&1
ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
# Test 3: KSK is unpublished before its successor is published
dir=03-ksk-unpublished
ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
$SETTIME -K $dir -I +9mo -D +1y $ksk1 >/dev/null 2>&1
ksk2=$($KEYGEN -q -K $dir -S $ksk1)
$SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1
$SETTIME -K $dir -D +6mo $ksk1 >/dev/null 2>&1
zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
# Test 4: ZSK is unpublished before its successor is published
dir=04-zsk-unpublished
zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
$SETTIME -K $dir -I +9mo -D +1y $zsk1 >/dev/null 2>&1
zsk2=$($KEYGEN -q -K $dir -S $zsk1)
$SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1
$SETTIME -K $dir -D +6mo $zsk1 >/dev/null 2>&1
ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
# Test 5: KSK deleted and successor published before KSK is deactivated
# and successor activated.
dir=05-ksk-unpub-active
ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
$SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1
$SETTIME -K $dir -I +9mo -D +8mo $ksk1 >/dev/null 2>&1
ksk2=$($KEYGEN -q -K $dir -S $ksk1)
zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
@ -62,50 +62,50 @@ zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
# and successor activated.
dir=06-zsk-unpub-active
zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
$SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1
$SETTIME -K $dir -I +9mo -D +8mo $zsk1 >/dev/null 2>&1
zsk2=$($KEYGEN -q -K $dir -S $zsk1)
ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
# Test 7: KSK rolled with insufficient delay after prepublication.
dir=07-ksk-ttl
ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
$SETTIME -K $dir -I +9mo -D +1y $ksk1 >/dev/null 2>&1
ksk2=$($KEYGEN -q -K $dir -S $ksk1)
# allow only 1 day between publication and activation
$SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1
$SETTIME -K $dir -P +269d $ksk2 >/dev/null 2>&1
zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
# Test 8: ZSK rolled with insufficient delay after prepublication.
dir=08-zsk-ttl
zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
$SETTIME -K $dir -I +9mo -D +1y $zsk1 >/dev/null 2>&1
zsk2=$($KEYGEN -q -K $dir -S $zsk1)
# allow only 1 day between publication and activation
$SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1
$SETTIME -K $dir -P +269d $zsk2 >/dev/null 2>&1
ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
# Test 9: KSK goes inactive before successor is active, but checking ZSKs
dir=09-check-zsk
ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
$SETTIME -K $dir -I +9mo -D +1y $ksk1 >/dev/null 2>&1
ksk2=$($KEYGEN -q -K $dir -S $ksk1)
$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
$SETTIME -K $dir -I +7mo $ksk1 >/dev/null 2>&1
zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
# Test 10: ZSK goes inactive before successor is active, but checking KSKs
dir=10-check-ksk
zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
$SETTIME -K $dir -I +9mo -D +1y $zsk1 >/dev/null 2>&1
zsk2=$($KEYGEN -q -K $dir -S $zsk1)
$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
$SETTIME -K $dir -I +7mo $zsk1 >/dev/null 2>&1
ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
# Test 11: ZSK goes inactive before successor is active, but after cutoff
dir=11-cutoff
zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
$SETTIME -K $dir -I +18mo -D +2y $zsk1 > /dev/null 2>&1
$SETTIME -K $dir -I +18mo -D +2y $zsk1 >/dev/null 2>&1
zsk2=$($KEYGEN -q -K $dir -S $zsk1)
$SETTIME -K $dir -I +16mo $zsk1 > /dev/null 2>&1
$SETTIME -K $dir -I +16mo $zsk1 >/dev/null 2>&1
ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
# Test 12: Too early KSK deletion

100
bin/tests/system/coverage/tests.sh
View file

@ -19,68 +19,68 @@ COVERAGE="$COVERAGE -c ./named-compilezone"
status=0
n=1
matchall () {
file=$1
echo "$2" | while read matchline; do
grep "$matchline" $file > /dev/null 2>&1 || {
echo "FAIL"
return
}
done
matchall() {
file=$1
echo "$2" | while read matchline; do
grep "$matchline" $file >/dev/null 2>&1 || {
echo "FAIL"
return
}
done
}
echo_i "checking for DNSSEC key coverage issues"
ret=0
for dir in [0-9][0-9]-*; do
ret=0
echo_i "$dir"
args= warn= error= ok= retcode= match= zones=
. $dir/expect
$COVERAGE $args -K $dir ${zones:-example.com} > coverage.$n 2>&1
ret=0
echo_i "$dir"
args= warn= error= ok= retcode= match= zones=
. $dir/expect
$COVERAGE $args -K $dir ${zones:-example.com} >coverage.$n 2>&1
# check that return code matches expectations
found=$?
if [ $found -ne $retcode ]; then
echo "retcode was $found expected $retcode"
ret=1
fi
# check that return code matches expectations
found=$?
if [ $found -ne $retcode ]; then
echo "retcode was $found expected $retcode"
ret=1
fi
# check for correct number of errors
found=`grep ERROR coverage.$n | wc -l`
if [ $found -ne $error ]; then
echo "error count was $found expected $error"
ret=1
fi
# check for correct number of errors
found=$(grep ERROR coverage.$n | wc -l)
if [ $found -ne $error ]; then
echo "error count was $found expected $error"
ret=1
fi
# check for correct number of warnings
found=`grep WARNING coverage.$n | wc -l`
if [ $found -ne $warn ]; then
echo "warning count was $found expected $warn"
ret=1
fi
# check for correct number of warnings
found=$(grep WARNING coverage.$n | wc -l)
if [ $found -ne $warn ]; then
echo "warning count was $found expected $warn"
ret=1
fi
# check for correct number of OKs
found=`grep "No errors found" coverage.$n | wc -l`
if [ $found -ne $ok ]; then
echo "good count was $found expected $ok"
ret=1
fi
# check for correct number of OKs
found=$(grep "No errors found" coverage.$n | wc -l)
if [ $found -ne $ok ]; then
echo "good count was $found expected $ok"
ret=1
fi
found=`matchall coverage.$n "$match"`
if [ "$found" = "FAIL" ]; then
echo "no match on '$match'"
ret=1
fi
found=$(matchall coverage.$n "$match")
if [ "$found" = "FAIL" ]; then
echo "no match on '$match'"
ret=1
fi
found=`grep Traceback coverage.$n | wc -l`
if [ $found -ne 0 ]; then
echo "python exception detected"
ret=1
fi
found=$(grep Traceback coverage.$n | wc -l)
if [ $found -ne 0 ]; then
echo "python exception detected"
ret=1
fi
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=$(expr $n + 1)
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$(expr $status + $ret)
done
echo_i "exit status: $status"

27
bin/tests/system/database/tests.sh
View file

@ -26,11 +26,11 @@ RNDCCMD="$RNDC -s 10.53.0.1 -p ${CONTROLPORT} -c ../common/rndc.conf"
echo_i "checking pre reload zone ($n)"
ret=0
$DIG $DIGOPTS soa database. @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep "hostmaster\.isc\.org" dig.out.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
$DIG $DIGOPTS soa database. @10.53.0.1 >dig.out.ns1.test$n || ret=1
grep "hostmaster\.isc\.org" dig.out.ns1.test$n >/dev/null || ret=1
n=$(expr $n + 1)
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
copy_setports ns1/named2.conf.in ns1/named.conf
$RNDCCMD reload 2>&1 >/dev/null
@ -38,18 +38,17 @@ $RNDCCMD reload 2>&1 >/dev/null
echo_i "checking post reload zone ($n)"
ret=1
try=0
while test $try -lt 6
do
sleep 1
ret=0
$DIG $DIGOPTS soa database. @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep "marka\.isc\.org" dig.out.ns1.test$n > /dev/null || ret=1
try=`expr $try + 1`
test $ret -eq 0 && break
while test $try -lt 6; do
sleep 1
ret=0
$DIG $DIGOPTS soa database. @10.53.0.1 >dig.out.ns1.test$n || ret=1
grep "marka\.isc\.org" dig.out.ns1.test$n >/dev/null || ret=1
try=$(expr $try + 1)
test $ret -eq 0 && break
done
n=`expr $n + 1`
n=$(expr $n + 1)
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

46
bin/tests/system/dialup/tests.sh
View file

@ -22,44 +22,40 @@ DIGOPTS="+norec +tcp +noadd +nosea +nostat +noquest +nocmd -p ${PORT}"
# Check the example. domain
$DIG $DIGOPTS example. @10.53.0.1 soa > dig.out.ns1.test || ret=1
$DIG $DIGOPTS example. @10.53.0.1 soa >dig.out.ns1.test || ret=1
echo_i "checking that first zone transfer worked"
ret=0
try=0
while test $try -lt 120
do
$DIG $DIGOPTS example. @10.53.0.2 soa > dig.out.ns2.test || ret=1
if grep SERVFAIL dig.out.ns2.test > /dev/null
then
try=`expr $try + 1`
sleep 1
else
digcomp dig.out.ns1.test dig.out.ns2.test || ret=1
break;
fi
while test $try -lt 120; do
$DIG $DIGOPTS example. @10.53.0.2 soa >dig.out.ns2.test || ret=1
if grep SERVFAIL dig.out.ns2.test >/dev/null; then
try=$(expr $try + 1)
sleep 1
else
digcomp dig.out.ns1.test dig.out.ns2.test || ret=1
break
fi
done
echo_i "try $try"
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "checking that second zone transfer worked"
ret=0
try=0
while test $try -lt 120
do
$DIG $DIGOPTS example. @10.53.0.3 soa > dig.out.ns3.test || ret=1
if grep SERVFAIL dig.out.ns3.test > /dev/null
then
try=`expr $try + 1`
sleep 1
else
digcomp dig.out.ns1.test dig.out.ns3.test || ret=1
break;
fi
while test $try -lt 120; do
$DIG $DIGOPTS example. @10.53.0.3 soa >dig.out.ns3.test || ret=1
if grep SERVFAIL dig.out.ns3.test >/dev/null; then
try=$(expr $try + 1)
sleep 1
else
digcomp dig.out.ns1.test dig.out.ns3.test || ret=1
break
fi
done
echo_i "try $try"
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

10
bin/tests/system/digdelv/ns2/sign.sh
View file

@ -20,10 +20,10 @@ ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone example.)
cp example.db.in example.db
"$SIGNER" -Sz -f example.db -o example example.db.in > /dev/null 2>&1
"$SIGNER" -Sz -f example.db -o example example.db.in >/dev/null 2>&1
keyfile_to_key_id "$ksk" > keyid
grep -Ev '^;' < "$ksk.key" | cut -f 7- -d ' ' > keydata
keyfile_to_key_id "$ksk" >keyid
grep -Ev '^;' <"$ksk.key" | cut -f 7- -d ' ' >keydata
keyfile_to_initial_keys "$ksk" > ../ns3/anchor.dnskey
keyfile_to_initial_ds "$ksk" > ../ns3/anchor.ds
keyfile_to_initial_keys "$ksk" >../ns3/anchor.dnskey
keyfile_to_initial_ds "$ksk" >../ns3/anchor.ds

9
bin/tests/system/digdelv/prereq.sh
View file

@ -16,10 +16,9 @@
set -e
if $PERL -e 'use Net::DNS;' 2>/dev/null
then
:
if $PERL -e 'use Net::DNS;' 2>/dev/null; then
:
else
echo_i "This test requires the Net::DNS library." >&2
exit 1
echo_i "This test requires the Net::DNS library." >&2
exit 1
fi

1229
bin/tests/system/digdelv/tests.sh
View file

File diff suppressed because it is too large Load diff

4
bin/tests/system/dlz/prereq.sh
View file

@ -15,7 +15,7 @@ SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
if ! $FEATURETEST --with-dlz-filesystem; then
echo_i "DLZ filesystem driver not supported"
exit 255
echo_i "DLZ filesystem driver not supported"
exit 255
fi
exit 0

58
bin/tests/system/dlz/tests.sh
View file

@ -26,52 +26,52 @@ DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
echo_i "checking DNAME at apex works ($n)"
ret=0
$DIG $DIGOPTS +norec foo.example.com. \
@10.53.0.1 a > dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
grep "example.com..*DNAME.*example.net." dig.out.ns1.test$n > /dev/null || ret=1
grep "foo.example.com..*CNAME.*foo.example.net." dig.out.ns1.test$n > /dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
@10.53.0.1 a >dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1
grep "example.com..*DNAME.*example.net." dig.out.ns1.test$n >/dev/null || ret=1
grep "foo.example.com..*CNAME.*foo.example.net." dig.out.ns1.test$n >/dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n >/dev/null || ret=1
n=$(expr $n + 1)
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "checking DLZ IXFR=2010062899 (less than serial) ($n)"
ret=0
$DIG $DIGOPTS ixfr=2010062899 example.com @10.53.0.1 +all > dig.out.ns1.test$n
grep "example.com..*IN.IXFR" dig.out.ns1.test$n > /dev/null || ret=1
grep "example.com..*10.IN.DNAME.example.net." dig.out.ns1.test$n > /dev/null || ret=1
grep "example.com..*10.IN.NS.example.com." dig.out.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
$DIG $DIGOPTS ixfr=2010062899 example.com @10.53.0.1 +all >dig.out.ns1.test$n
grep "example.com..*IN.IXFR" dig.out.ns1.test$n >/dev/null || ret=1
grep "example.com..*10.IN.DNAME.example.net." dig.out.ns1.test$n >/dev/null || ret=1
grep "example.com..*10.IN.NS.example.com." dig.out.ns1.test$n >/dev/null || ret=1
n=$(expr $n + 1)
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "checking DLZ IXFR=2010062900 (equal serial) ($n)"
ret=0
$DIG $DIGOPTS ixfr=2010062900 example.com @10.53.0.1 +all > dig.out.ns1.test$n
grep "example.com..*IN.IXFR" dig.out.ns1.test$n > /dev/null || ret=1
grep "example.com..*10.IN.DNAME.example.net." dig.out.ns1.test$n > /dev/null && ret=1
grep "example.com..*10.IN.NS.example.com." dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
$DIG $DIGOPTS ixfr=2010062900 example.com @10.53.0.1 +all >dig.out.ns1.test$n
grep "example.com..*IN.IXFR" dig.out.ns1.test$n >/dev/null || ret=1
grep "example.com..*10.IN.DNAME.example.net." dig.out.ns1.test$n >/dev/null && ret=1
grep "example.com..*10.IN.NS.example.com." dig.out.ns1.test$n >/dev/null && ret=1
n=$(expr $n + 1)
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "checking DLZ IXFR=2010062901 (greater than serial) ($n)"
ret=0
$DIG $DIGOPTS ixfr=2010062901 example.com @10.53.0.1 +all > dig.out.ns1.test$n
grep "example.com..*IN.IXFR" dig.out.ns1.test$n > /dev/null || ret=1
grep "example.com..*10.IN.DNAME.example.net." dig.out.ns1.test$n > /dev/null && ret=1
grep "example.com..*10.IN.NS.example.com." dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
$DIG $DIGOPTS ixfr=2010062901 example.com @10.53.0.1 +all >dig.out.ns1.test$n
grep "example.com..*IN.IXFR" dig.out.ns1.test$n >/dev/null || ret=1
grep "example.com..*10.IN.DNAME.example.net." dig.out.ns1.test$n >/dev/null && ret=1
grep "example.com..*10.IN.NS.example.com." dig.out.ns1.test$n >/dev/null && ret=1
n=$(expr $n + 1)
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "checking DLZ with a malformed SOA record"
ret=0
$DIG $DIGOPTS broken.com type600 @10.53.0.1 > dig.out.ns1.test$n
grep status: dig.out.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
$DIG $DIGOPTS broken.com type600 @10.53.0.1 >dig.out.ns1.test$n
grep status: dig.out.ns1.test$n >/dev/null || ret=1
n=$(expr $n + 1)
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

10
bin/tests/system/dlzexternal/prereq.sh
View file

@ -14,14 +14,14 @@
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
$FEATURETEST --have-dlopen || {
echo_i "dlopen() not supported - skipping dlzexternal test"
exit 255
$FEATURETEST --have-dlopen || {
echo_i "dlopen() not supported - skipping dlzexternal test"
exit 255
}
$FEATURETEST --tsan && {
echo_i "TSAN - skipping dlzexternal test"
exit 255
echo_i "TSAN - skipping dlzexternal test"
exit 255
}
exit 0

2
bin/tests/system/dlzexternal/setup.sh
View file

@ -14,6 +14,6 @@
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
$DDNSCONFGEN -q -z example.nil > ns1/ddns.key
$DDNSCONFGEN -q -z example.nil >ns1/ddns.key
copy_setports ns1/named.conf.in ns1/named.conf

210
bin/tests/system/dlzexternal/tests.sh
View file

@ -21,210 +21,210 @@ DIGOPTS="@10.53.0.1 -p ${PORT} +nocookie"
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
newtest() {
n=`expr $n + 1`
echo_i "${1} (${n})"
ret=0
n=$(expr $n + 1)
echo_i "${1} (${n})"
ret=0
}
test_update() {
host="$1"
type="$2"
cmd="$3"
digout="$4"
should_fail="$5"
host="$1"
type="$2"
cmd="$3"
digout="$4"
should_fail="$5"
cat <<EOF > ns1/update.txt
cat <<EOF >ns1/update.txt
server 10.53.0.1 ${PORT}
update add $host $cmd
send
EOF
newtest "testing update for $host $type $cmd${comment:+ }$comment"
$NSUPDATE -k ns1/ddns.key ns1/update.txt > /dev/null 2>&1 || {
[ "$should_fail" ] || \
echo_i "update failed for $host $type $cmd"
return 1
}
newtest "testing update for $host $type $cmd${comment:+ }$comment"
$NSUPDATE -k ns1/ddns.key ns1/update.txt >/dev/null 2>&1 || {
[ "$should_fail" ] \
|| echo_i "update failed for $host $type $cmd"
return 1
}
out=`$DIG $DIGOPTS -t $type -q $host | grep -E "^$host"`
lines=`echo "$out" | grep "$digout" | wc -l`
[ $lines -eq 1 ] || {
[ "$should_fail" ] || \
echo_i "dig output incorrect for $host $type $cmd: $out"
return 1
}
return 0
out=$($DIG $DIGOPTS -t $type -q $host | grep -E "^$host")
lines=$(echo "$out" | grep "$digout" | wc -l)
[ $lines -eq 1 ] || {
[ "$should_fail" ] \
|| echo_i "dig output incorrect for $host $type $cmd: $out"
return 1
}
return 0
}
test_update testdc1.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1
status=`expr $status + $ret`
status=$(expr $status + $ret)
test_update testdc2.example.nil. A "86400 A 10.53.0.11" "10.53.0.11" || ret=1
status=`expr $status + $ret`
status=$(expr $status + $ret)
test_update testdc3.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1
status=`expr $status + $ret`
status=$(expr $status + $ret)
test_update deny.example.nil. TXT "86400 TXT helloworld" "helloworld" should_fail && ret=1
status=`expr $status + $ret`
status=$(expr $status + $ret)
newtest "testing nxrrset"
$DIG $DIGOPTS testdc1.example.nil AAAA > dig.out.$n
grep "status: NOERROR" dig.out.$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.$n > /dev/null || ret=1
status=`expr $status + $ret`
$DIG $DIGOPTS testdc1.example.nil AAAA >dig.out.$n
grep "status: NOERROR" dig.out.$n >/dev/null || ret=1
grep "ANSWER: 0" dig.out.$n >/dev/null || ret=1
status=$(expr $status + $ret)
newtest "testing prerequisites are checked correctly"
cat > ns1/update.txt << EOF
cat >ns1/update.txt <<EOF
server 10.53.0.1 ${PORT}
prereq nxdomain testdc3.example.nil
update add testdc3.example.nil 86500 in a 10.53.0.12
send
EOF
$NSUPDATE -k ns1/ddns.key ns1/update.txt > /dev/null 2>&1 && ret=1
out=`$DIG $DIGOPTS +short a testdc3.example.nil`
$NSUPDATE -k ns1/ddns.key ns1/update.txt >/dev/null 2>&1 && ret=1
out=$($DIG $DIGOPTS +short a testdc3.example.nil)
[ "$out" = "10.53.0.12" ] && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
newtest "testing passing client info into DLZ driver"
out=`$DIG $DIGOPTS +short -t txt -q source-addr.example.nil | grep -v '^;'`
addr=`eval echo "$out" | cut -f1 -d'#'`
out=$($DIG $DIGOPTS +short -t txt -q source-addr.example.nil | grep -v '^;')
addr=$(eval echo "$out" | cut -f1 -d'#')
[ "$addr" = "10.53.0.1" ] || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
newtest "testing DLZ driver is cleaned up on reload"
rndc_reload ns1 10.53.0.1
for i in 0 1 2 3 4 5 6 7 8 9; do
ret=0
grep 'dlz_example: shutting down zone example.nil' ns1/named.run > /dev/null 2>&1 || ret=1
[ "$ret" -eq 0 ] && break
sleep 1
ret=0
grep 'dlz_example: shutting down zone example.nil' ns1/named.run >/dev/null 2>&1 || ret=1
[ "$ret" -eq 0 ] && break
sleep 1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
newtest "testing multiple DLZ drivers"
test_update testdc1.alternate.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1
status=`expr $status + $ret`
status=$(expr $status + $ret)
newtest "testing AXFR from DLZ drivers"
$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.example.ns1.test$n
lines=`cat dig.out.example.ns1.test$n | wc -l`
$DIG $DIGOPTS +noall +answer axfr example.nil >dig.out.example.ns1.test$n
lines=$(cat dig.out.example.ns1.test$n | wc -l)
[ ${lines:-0} -eq 4 ] || ret=1
$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n
lines=`cat dig.out.alternate.ns1.test$n | wc -l`
$DIG $DIGOPTS +noall +answer axfr alternate.nil >dig.out.alternate.ns1.test$n
lines=$(cat dig.out.alternate.ns1.test$n | wc -l)
[ ${lines:-0} -eq 5 ] || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
newtest "testing AXFR denied from DLZ drivers"
$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil > dig.out.example.ns1.test$n
grep "; Transfer failed" dig.out.example.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n
grep "; Transfer failed" dig.out.alternate.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil >dig.out.example.ns1.test$n
grep "; Transfer failed" dig.out.example.ns1.test$n >/dev/null || ret=1
$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil >dig.out.alternate.ns1.test$n
grep "; Transfer failed" dig.out.alternate.ns1.test$n >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
newtest "testing AXFR denied based on view ACL"
# 10.53.0.1 should be disallowed
$DIG $DIGOPTS -b 10.53.0.1 +noall +answer axfr example.org > dig.out.example.ns1.test$n.1
grep "; Transfer failed" dig.out.example.ns1.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS -b 10.53.0.1 +noall +answer axfr example.org >dig.out.example.ns1.test$n.1
grep "; Transfer failed" dig.out.example.ns1.test$n.1 >/dev/null || ret=1
# 10.53.0.2 should be allowed
$DIG $DIGOPTS -b 10.53.0.2 +noall +answer axfr example.org > dig.out.example.ns1.test$n.2
grep "; Transfer failed" dig.out.example.ns1.test$n.2 > /dev/null && ret=1
$DIG $DIGOPTS -b 10.53.0.2 +noall +answer axfr example.org >dig.out.example.ns1.test$n.2
grep "; Transfer failed" dig.out.example.ns1.test$n.2 >/dev/null && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
newtest "testing unsearched/unregistered DLZ zone is not found"
$DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n
grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1
$DIG $DIGOPTS +noall +answer ns other.nil >dig.out.ns1.test$n
grep "3600.IN.NS.other.nil." dig.out.ns1.test$n >/dev/null && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
newtest "testing unsearched/registered DLZ zone is found"
$DIG $DIGOPTS +noall +answer ns zone.nil > dig.out.ns1.test$n
grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS +noall +answer ns zone.nil >dig.out.ns1.test$n
grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
newtest "testing unsearched/registered DLZ zone is found"
$DIG $DIGOPTS +noall +answer ns zone.nil > dig.out.ns1.test$n
grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS +noall +answer ns zone.nil >dig.out.ns1.test$n
grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
newtest "testing correct behavior with findzone returning ISC_R_NOMORE"
$DIG $DIGOPTS +noall a test.example.com > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS +noall a test.example.com >/dev/null 2>&1 || ret=1
# we should only find one logged lookup per searched DLZ database
lines=`grep "dlz_findzonedb.*test\.example\.com.*example.nil" ns1/named.run | wc -l`
lines=$(grep "dlz_findzonedb.*test\.example\.com.*example.nil" ns1/named.run | wc -l)
[ $lines -eq 1 ] || ret=1
lines=`grep "dlz_findzonedb.*test\.example\.com.*alternate.nil" ns1/named.run | wc -l`
lines=$(grep "dlz_findzonedb.*test\.example\.com.*alternate.nil" ns1/named.run | wc -l)
[ $lines -eq 1 ] || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
newtest "testing findzone can return different results per client"
$DIG $DIGOPTS -b 10.53.0.1 +noall a test.example.net > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS -b 10.53.0.1 +noall a test.example.net >/dev/null 2>&1 || ret=1
# we should only find one logged lookup per searched DLZ database
lines=`grep "dlz_findzonedb.*example\.net.*example.nil" ns1/named.run | wc -l`
lines=$(grep "dlz_findzonedb.*example\.net.*example.nil" ns1/named.run | wc -l)
[ $lines -eq 1 ] || ret=1
lines=`grep "dlz_findzonedb.*example\.net.*alternate.nil" ns1/named.run | wc -l`
lines=$(grep "dlz_findzonedb.*example\.net.*alternate.nil" ns1/named.run | wc -l)
[ $lines -eq 1 ] || ret=1
$DIG $DIGOPTS -b 10.53.0.2 +noall a test.example.net > /dev/null 2>&1 || ret=1
$DIG $DIGOPTS -b 10.53.0.2 +noall a test.example.net >/dev/null 2>&1 || ret=1
# we should find several logged lookups this time
lines=`grep "dlz_findzonedb.*example\.net.*example.nil" ns1/named.run | wc -l`
lines=$(grep "dlz_findzonedb.*example\.net.*example.nil" ns1/named.run | wc -l)
[ $lines -gt 2 ] || ret=1
lines=`grep "dlz_findzonedb.*example\.net.*alternate.nil" ns1/named.run | wc -l`
lines=$(grep "dlz_findzonedb.*example\.net.*alternate.nil" ns1/named.run | wc -l)
[ $lines -gt 2 ] || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
newtest "testing zone returning oversized data"
$DIG $DIGOPTS txt too-long.example.nil > dig.out.ns1.test$n 2>&1 || ret=1
grep "status: SERVFAIL" dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS txt too-long.example.nil >dig.out.ns1.test$n 2>&1 || ret=1
grep "status: SERVFAIL" dig.out.ns1.test$n >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
newtest "testing zone returning oversized data at zone origin"
$DIG $DIGOPTS txt bigcname.domain > dig.out.ns1.test$n 2>&1 || ret=1
grep "status: SERVFAIL" dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS txt bigcname.domain >dig.out.ns1.test$n 2>&1 || ret=1
grep "status: SERVFAIL" dig.out.ns1.test$n >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
newtest "checking redirected lookup for nonexistent name"
$DIG $DIGOPTS @10.53.0.1 unexists a > dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
grep "^unexists.*A.*100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.1 unexists a >dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1
grep "^unexists.*A.*100.100.100.2" dig.out.ns1.test$n >/dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
newtest "checking no redirected lookup for nonexistent type"
$DIG $DIGOPTS @10.53.0.1 exists aaaa > dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.1 exists aaaa >dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1
grep "ANSWER: 0" dig.out.ns1.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
newtest "checking redirected lookup for a long nonexistent name"
$DIG $DIGOPTS @10.53.0.1 long.name.is.not.there a > dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
grep "^long.name.*A.*100.100.100.3" dig.out.ns1.test$n > /dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1
lookups=`grep "lookup #.*\.not\.there" ns1/named.run | wc -l`
$DIG $DIGOPTS @10.53.0.1 long.name.is.not.there a >dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1
grep "^long.name.*A.*100.100.100.3" dig.out.ns1.test$n >/dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n >/dev/null || ret=1
lookups=$(grep "lookup #.*\.not\.there" ns1/named.run | wc -l)
[ "$lookups" -eq 1 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
newtest "checking ECS data is passed to driver in clientinfo"
$DIG $DIGOPTS +short +subnet=192.0/16 source-addr.example.nil txt > dig.out.ns1.test$n.1 || ret=1
grep "192.0.0.0/16/0" dig.out.ns1.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS +short source-addr.example.nil txt > dig.out.ns1.test$n.2 || ret=1
grep "not.*present" dig.out.ns1.test$n.2 > /dev/null || ret=1
$DIG $DIGOPTS +short +subnet=192.0/16 source-addr.example.nil txt >dig.out.ns1.test$n.1 || ret=1
grep "192.0.0.0/16/0" dig.out.ns1.test$n.1 >/dev/null || ret=1
$DIG $DIGOPTS +short source-addr.example.nil txt >dig.out.ns1.test$n.2 || ret=1
grep "not.*present" dig.out.ns1.test$n.2 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

4
bin/tests/system/dns64/ns1/sign.sh
View file

@ -21,6 +21,6 @@ zonefile=signed.db
key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM $zone)
key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone)
cat $infile $key1.key $key2.key > $zonefile
cat $infile $key1.key $key2.key >$zonefile
$SIGNER -P -g -o $zone $zonefile > /dev/null
$SIGNER -P -g -o $zone $zonefile >/dev/null

1532
bin/tests/system/dns64/tests.sh
View file

File diff suppressed because it is too large Load diff

20
bin/tests/system/dnssec/ns1/sign.sh
View file

@ -20,9 +20,9 @@ zone=.
infile=root.db.in
zonefile=root.db
(cd ../ns2 && $SHELL sign.sh )
(cd ../ns6 && $SHELL sign.sh )
(cd ../ns7 && $SHELL sign.sh )
(cd ../ns2 && $SHELL sign.sh)
(cd ../ns6 && $SHELL sign.sh)
(cd ../ns7 && $SHELL sign.sh)
echo_i "ns1/sign.sh"
@ -30,18 +30,18 @@ cp "../ns2/dsset-example$TP" .
cp "../ns2/dsset-in-addr.arpa$TP" .
cp "../ns2/dsset-too-many-iterations$TP" .
grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll$TP" > "dsset-algroll$TP"
grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll$TP" >"dsset-algroll$TP"
cp "../ns6/dsset-optout-tld$TP" .
ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -g -o "$zone" "$zonefile" >/dev/null 2>&1
# Configure the resolving server with a staitc key.
keyfile_to_static_ds "$ksk" > trusted.conf
keyfile_to_static_ds "$ksk" >trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf
@ -49,14 +49,14 @@ cp trusted.conf ../ns6/trusted.conf
cp trusted.conf ../ns7/trusted.conf
cp trusted.conf ../ns9/trusted.conf
keyfile_to_trusted_keys "$ksk" > trusted.keys
keyfile_to_trusted_keys "$ksk" >trusted.keys
# ...or with an initializing key.
keyfile_to_initial_ds "$ksk" > managed.conf
keyfile_to_initial_ds "$ksk" >managed.conf
cp managed.conf ../ns4/managed.conf
#
# Save keyid for managed key id test.
#
keyfile_to_key_id "$ksk" > managed.key.id
keyfile_to_key_id "$ksk" >managed.key.id

146
bin/tests/system/dnssec/ns2/sign.sh
View file

@ -17,15 +17,14 @@
set -e
# Sign child zones (served by ns3).
( cd ../ns3 && $SHELL sign.sh )
(cd ../ns3 && $SHELL sign.sh)
echo_i "ns2/sign.sh"
# Get the DS records for the "trusted." and "managed." zones.
for subdomain in secure unsupported disabled enabled
do
cp "../ns3/dsset-$subdomain.managed$TP" .
cp "../ns3/dsset-$subdomain.trusted$TP" .
for subdomain in secure unsupported disabled enabled; do
cp "../ns3/dsset-$subdomain.managed$TP" .
cp "../ns3/dsset-$subdomain.trusted$TP" .
done
# Sign the "trusted." and "managed." zones.
@ -36,9 +35,9 @@ zonefile=managed.db
keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
zone=trusted.
infile=key.db.in
@ -47,9 +46,9 @@ zonefile=trusted.db
keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
# The "example." zone.
zone=example.
@ -58,23 +57,22 @@ zonefile=example.db
# Get the DS records for the "example." zone.
for subdomain in secure badds bogus dynamic keyless nsec3 optout \
nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
ttlpatch split-dnssec split-smart expired expiring upper lower \
dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
dnskey-nsec3-unknown managed-future revkey \
dname-at-apex-nsec3 occluded
do
cp "../ns3/dsset-$subdomain.example$TP" .
nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
ttlpatch split-dnssec split-smart expired expiring upper lower \
dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
dnskey-nsec3-unknown managed-future revkey \
dname-at-apex-nsec3 occluded; do
cp "../ns3/dsset-$subdomain.example$TP" .
done
# Sign the "example." zone.
keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
#
# lower/uppercase the signature bits with the exception of the last characters
@ -82,9 +80,9 @@ cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
#
zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1
"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" |
tr -d '\r' |
awk '
"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" \
| tr -d '\r' \
| awk '
tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME" {
for (i = 1; i <= NF; i++ ) {
if (i <= 12) {
@ -123,7 +121,7 @@ tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME" {
next;
}
{ print; }' > "$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed"
{ print; }' >"$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed"
#
# signed in-addr.arpa w/ a delegation for 10.in-addr.arpa which is unsigned.
@ -135,8 +133,8 @@ zonefile=in-addr.arpa.db
keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
# Sign the badparam secure file
@ -147,11 +145,11 @@ zonefile=badparam.db
keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
"$SIGNER" -P -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
"$SIGNER" -P -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" > "$zonefile.bad"
sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" >"$zonefile.bad"
# Sign the single-nsec3 secure zone with optout
@ -162,9 +160,9 @@ zonefile=single-nsec3.db
keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
#
# algroll has just has the old DNSKEY records removed and is waiting
@ -180,9 +178,9 @@ keyold2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zon
keynew1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keynew2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile"
cat "$infile" "$keynew1.key" "$keynew2.key" >"$zonefile"
"$SIGNER" -P -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null 2>&1
"$SIGNER" -P -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" >/dev/null 2>&1
#
# Make a zone big enough that it takes several seconds to generate a new
@ -190,7 +188,7 @@ cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile"
#
zone=nsec3chain-test
zonefile=nsec3chain-test.db
cat > "$zonefile" << EOF
cat >"$zonefile" <<EOF
\$TTL 10
@ 10 SOA ns2 hostmaster 0 3600 1200 864000 1200
@ 10 NS ns2
@ -200,22 +198,22 @@ ns3 10 A 10.53.0.3
EOF
i=1
while [ $i -le 300 ]; do
echo "host$i 10 IN NS ns.elsewhere"
i=$((i+1))
done >> "$zonefile"
echo "host$i 10 IN NS ns.elsewhere"
i=$((i + 1))
done >>"$zonefile"
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$key1.key" "$key2.key" >> "$zonefile"
"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null 2>&1
cat "$key1.key" "$key2.key" >>"$zonefile"
"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" >/dev/null 2>&1
zone=cds.secure
infile=cds.secure.db.in
zonefile=cds.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
"$DSFROMKEY" -C "$key1.key" >"$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -g -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cds-x.secure
infile=cds.secure.db.in
@ -223,43 +221,43 @@ zonefile=cds-x.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
"$DSFROMKEY" -C "$key2.key" > "$key2.cds"
cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" > "$zonefile"
"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
"$DSFROMKEY" -C "$key2.key" >"$key2.cds"
cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" >"$zonefile"
"$SIGNER" -P -g -x -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cds-update.secure
infile=cds-update.secure.db.in
zonefile=cds-update.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cds-kskonly.secure
infile=cds-kskonly.secure.db.in
zonefile=cds-kskonly.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
keyfile_to_key_id "$key1" > cds-kskonly.secure.id
cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" >/dev/null 2>&1
keyfile_to_key_id "$key1" >cds-kskonly.secure.id
zone=cds-auto.secure
infile=cds-auto.secure.db.in
zonefile=cds-auto.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
$SETTIME -P sync now "$key1" > /dev/null
cat "$infile" > "$zonefile.signed"
$SETTIME -P sync now "$key1" >/dev/null
cat "$infile" >"$zonefile.signed"
zone=cdnskey.secure
infile=cdnskey.secure.db.in
zonefile=cdnskey.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cds" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >"$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cdnskey-x.secure
infile=cdnskey.secure.db.in
@ -267,34 +265,34 @@ zonefile=cdnskey-x.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" > "$zonefile"
"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" >"$zonefile"
"$SIGNER" -P -g -x -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cdnskey-update.secure
infile=cdnskey-update.secure.db.in
zonefile=cdnskey-update.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cdnskey-kskonly.secure
infile=cdnskey-kskonly.secure.db.in
zonefile=cdnskey-kskonly.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
keyfile_to_key_id "$key1" > cdnskey-kskonly.secure.id
cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" >/dev/null 2>&1
keyfile_to_key_id "$key1" >cdnskey-kskonly.secure.id
zone=cdnskey-auto.secure
infile=cdnskey-auto.secure.db.in
zonefile=cdnskey-auto.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
$SETTIME -P sync now "$key1" > /dev/null
cat "$infile" > "$zonefile.signed"
$SETTIME -P sync now "$key1" >/dev/null
cat "$infile" >"$zonefile.signed"
zone=updatecheck-kskonly.secure
infile=template.secure.db.in
@ -302,14 +300,14 @@ zonefile=${zone}.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
# Save key id's for checking active key usage
keyfile_to_key_id "$key1" > $zone.ksk.id
keyfile_to_key_id "$key2" > $zone.zsk.id
echo "${key1}" > $zone.ksk.key
echo "${key2}" > $zone.zsk.key
keyfile_to_key_id "$key1" >$zone.ksk.id
keyfile_to_key_id "$key2" >$zone.zsk.id
echo "${key1}" >$zone.ksk.key
echo "${key2}" >$zone.zsk.key
# Add CDS and CDNSKEY records
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cdnskey"
"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" > "$zonefile"
sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cdnskey"
"$DSFROMKEY" -C "$key1.key" >"$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" >"$zonefile"
# Don't sign, let auto-dnssec maintain do it.
mv $zonefile "$zonefile.signed"
@ -318,8 +316,8 @@ infile=hours-vs-days.db.in
zonefile=hours-vs-days.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
$SETTIME -P sync now "$key1" > /dev/null
cat "$infile" > "$zonefile.signed"
$SETTIME -P sync now "$key1" >/dev/null
cat "$infile" >"$zonefile.signed"
#
# Negative result from this zone should come back as insecure.
@ -329,5 +327,5 @@ infile=too-many-iterations.db.in
zonefile=too-many-iterations.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" > /dev/null 2>&1
cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" >/dev/null 2>&1

289
bin/tests/system/dnssec/ns3/sign.sh
View file

@ -19,61 +19,60 @@ set -e
echo_i "ns3/sign.sh"
infile=key.db.in
for tld in managed trusted
do
# A secure zone to test.
zone=secure.${tld}
zonefile=${zone}.db
for tld in managed trusted; do
# A secure zone to test.
zone=secure.${tld}
zonefile=${zone}.db
keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" > "$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" >"$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null
# Zone to test trust anchor that matches disabled algorithm.
zone=disabled.${tld}
zonefile=${zone}.db
# Zone to test trust anchor that matches disabled algorithm.
zone=disabled.${tld}
zonefile=${zone}.db
keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
cat "$infile" "$keyname2.key" > "$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
cat "$infile" "$keyname2.key" >"$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null
# Zone to test trust anchor that has disabled algorithm for other domain.
zone=enabled.${tld}
zonefile=${zone}.db
# Zone to test trust anchor that has disabled algorithm for other domain.
zone=enabled.${tld}
zonefile=${zone}.db
keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
cat "$infile" "$keyname3.key" > "$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
cat "$infile" "$keyname3.key" >"$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null
# Zone to test trust anchor with unsupported algorithm.
zone=unsupported.${tld}
zonefile=${zone}.db
# Zone to test trust anchor with unsupported algorithm.
zone=unsupported.${tld}
zonefile=${zone}.db
keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname4.key" > "$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed
keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname4.key" >"$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null
awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp >${zonefile}.signed
# Make trusted-keys and managed keys conf sections for ns8.
mv ${keyname4}.key ${keyname4}.tmp
awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname4}.tmp > ${keyname4}.key
# Make trusted-keys and managed keys conf sections for ns8.
mv ${keyname4}.key ${keyname4}.tmp
awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname4}.tmp >${keyname4}.key
# Zone to test trust anchor that is revoked.
zone=revoked.${tld}
zonefile=${zone}.db
# Zone to test trust anchor that is revoked.
zone=revoked.${tld}
zonefile=${zone}.db
keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname5.key" > "$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname5.key" >"$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null
case $tld in
"managed")
keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 > ../ns8/managed.conf
;;
"trusted")
keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 > ../ns8/trusted.conf
;;
esac
case $tld in
"managed")
keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns8/managed.conf
;;
"trusted")
keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns8/trusted.conf
;;
esac
done
echo_i "ns3/sign.sh: example zones"
@ -86,9 +85,9 @@ cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n
dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone")
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" > "$zonefile"
cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
zone=bogus.example.
infile=bogus.example.db.in
@ -96,9 +95,9 @@ zonefile=bogus.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
zone=dynamic.example.
infile=dynamic.example.db.in
@ -107,9 +106,9 @@ zonefile=dynamic.example.db
keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
zone=keyless.example.
infile=generic.example.db.in
@ -117,16 +116,16 @@ zonefile=keyless.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
# Change the signer field of the a.b.keyless.example RRSIG A
# to point to a provably nonexistent DNSKEY record.
zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1
mv "$zonefile.signed" "$zonefiletmp"
<"$zonefiletmp" "$PERL" -p -e 's/ keyless.example/ b.keyless.example/
if /^a.b.keyless.example/../A RRSIG NSEC/;' > "$zonefile.signed"
"$PERL" <"$zonefiletmp" -p -e 's/ keyless.example/ b.keyless.example/
if /^a.b.keyless.example/../A RRSIG NSEC/;' >"$zonefile.signed"
rm -f "$zonefiletmp"
#
@ -138,9 +137,9 @@ zonefile=secure.nsec3.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
#
# NSEC3/NSEC3 test zone
@ -151,9 +150,9 @@ zonefile=nsec3.nsec3.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null
#
# OPTOUT/NSEC3 test zone
@ -164,9 +163,9 @@ zonefile=optout.nsec3.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" >/dev/null
#
# A nsec3 zone (non-optout).
@ -177,9 +176,9 @@ zonefile=nsec3.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -g -3 - -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -g -3 - -o "$zone" "$zonefile" >/dev/null
#
# OPTOUT/NSEC test zone
@ -190,9 +189,9 @@ zonefile=secure.optout.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
#
# OPTOUT/NSEC3 test zone
@ -203,9 +202,9 @@ zonefile=nsec3.optout.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null
#
# OPTOUT/OPTOUT test zone
@ -216,9 +215,9 @@ zonefile=optout.optout.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" >/dev/null
#
# A optout nsec3 zone.
@ -229,9 +228,9 @@ zonefile=optout.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -g -3 - -A -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -g -3 - -A -o "$zone" "$zonefile" >/dev/null
#
# A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U).
@ -242,9 +241,9 @@ zonefile=nsec3-unknown.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -3 - -U -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -3 - -U -o "$zone" "$zonefile" >/dev/null
#
# A optout nsec3 zone with a unknown nsec3 hash algorithm (-U).
@ -255,9 +254,9 @@ zonefile=optout-unknown.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -3 - -U -A -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -3 - -U -A -o "$zone" "$zonefile" >/dev/null
#
# A zone that is signed with an unknown DNSKEY algorithm.
@ -269,14 +268,14 @@ zonefile=dnskey-unknown.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null
awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp > ${zonefile}.signed
awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp >${zonefile}.signed
DSFILE="dsset-${zone}${TP}"
$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE"
#
# A zone that is signed with an unsupported DNSKEY algorithm (3).
@ -288,14 +287,14 @@ zonefile=dnskey-unsupported.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null
awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed
awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp >${zonefile}.signed
DSFILE="dsset-${zone}${TP}"
$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE"
#
# A zone with a published unsupported DNSKEY algorithm (Reserved).
@ -308,9 +307,9 @@ zonefile=dnskey-unsupported-2.example.db
ksk=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile"
cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key >"$zonefile"
"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null
"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" >/dev/null
#
# A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
@ -322,14 +321,14 @@ zonefile=dnskey-nsec3-unknown.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -3 - -o "$zone" -U -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
"$SIGNER" -P -3 - -o "$zone" -U -O full -f ${zonefile}.tmp "$zonefile" >/dev/null
awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp >${zonefile}.signed
DSFILE="dsset-${zone}${TP}"
$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE"
#
# A multiple parameter nsec3 zone.
@ -340,19 +339,19 @@ zonefile=multiple.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
mv "$zonefile".signed "$zonefile"
"$SIGNER" -P -u3 - -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -u3 - -o "$zone" "$zonefile" >/dev/null
mv "$zonefile".signed "$zonefile"
"$SIGNER" -P -u3 AAAA -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -u3 AAAA -o "$zone" "$zonefile" >/dev/null
mv "$zonefile".signed "$zonefile"
"$SIGNER" -P -u3 BBBB -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -u3 BBBB -o "$zone" "$zonefile" >/dev/null
mv "$zonefile".signed "$zonefile"
"$SIGNER" -P -u3 CCCC -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -u3 CCCC -o "$zone" "$zonefile" >/dev/null
mv "$zonefile".signed "$zonefile"
"$SIGNER" -P -u3 DDDD -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -u3 DDDD -o "$zone" "$zonefile" >/dev/null
#
# A RSASHA256 zone.
@ -363,9 +362,9 @@ zonefile=rsasha256.example.db
keyname=$("$KEYGEN" -q -a RSASHA256 -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
#
# A RSASHA512 zone.
@ -376,9 +375,9 @@ zonefile=rsasha512.example.db
keyname=$("$KEYGEN" -q -a RSASHA512 -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
#
# A zone with the DNSKEY set only signed by the KSK
@ -389,8 +388,8 @@ zonefile=kskonly.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -x -o "$zone" "$zonefile" > /dev/null
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -x -o "$zone" "$zonefile" >/dev/null
#
# A zone with the expired signatures
@ -401,8 +400,8 @@ zonefile=expired.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" > /dev/null
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" >/dev/null
rm -f "$kskname.*" "$zskname.*"
#
@ -414,8 +413,8 @@ zonefile=update-nsec3.example.db
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null
#
# A NSEC signed zone that will have auto-dnssec enabled and
@ -429,8 +428,8 @@ kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
#
# A NSEC3 signed zone that will have auto-dnssec enabled and
@ -444,8 +443,8 @@ kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone"
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null
#
# Secure below cname test zone.
@ -454,8 +453,8 @@ zone=secure.below-cname.example.
infile=secure.below-cname.example.db.in
zonefile=secure.below-cname.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
#
# Patched TTL test zone.
@ -467,11 +466,11 @@ signedfile=ttlpatch.example.db.signed
patchedfile=ttlpatch.example.db.patched
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" > /dev/null
$CHECKZONE -D -s full "$zone" $signedfile 2> /dev/null | \
awk '{$2 = "3600"; print}' > $patchedfile
"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" >/dev/null
$CHECKZONE -D -s full "$zone" $signedfile 2>/dev/null \
| awk '{$2 = "3600"; print}' >$patchedfile
#
# Separate DNSSEC records.
@ -482,10 +481,10 @@ zonefile=split-dnssec.example.db
signedfile=split-dnssec.example.db.signed
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
echo "\$INCLUDE \"$signedfile\"" >> "$zonefile"
: > "$signedfile"
"$SIGNER" -P -D -o "$zone" "$zonefile" > /dev/null
cat "$infile" "$keyname.key" >"$zonefile"
echo "\$INCLUDE \"$signedfile\"" >>"$zonefile"
: >"$signedfile"
"$SIGNER" -P -D -o "$zone" "$zonefile" >/dev/null
#
# Separate DNSSEC records smart signing.
@ -498,9 +497,9 @@ signedfile=split-smart.example.db.signed
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cp "$infile" "$zonefile"
# shellcheck disable=SC2016
echo "\$INCLUDE \"$signedfile\"" >> "$zonefile"
: > "$signedfile"
"$SIGNER" -P -S -D -o "$zone" "$zonefile" > /dev/null
echo "\$INCLUDE \"$signedfile\"" >>"$zonefile"
: >"$signedfile"
"$SIGNER" -P -S -D -o "$zone" "$zonefile" >/dev/null
#
# Zone with signatures about to expire, but no private key to replace them
@ -512,7 +511,7 @@ signedfile="expiring.example.db.signed"
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" >/dev/null
mv -f "${zskname}.private" "${zskname}.private.moved"
mv -f "${kskname}.private" "${kskname}.private.moved"
@ -527,9 +526,9 @@ signedfile="upper.example.db.signed"
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" > /dev/null
$CHECKZONE -D upper.example $lower 2>/dev/null | \
sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' > $signedfile
"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" >/dev/null
$CHECKZONE -D upper.example $lower 2>/dev/null \
| sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' >$signedfile
#
# Check that the signer's name is in lower case when zone name is in
@ -542,7 +541,7 @@ signedfile="lower.example.db.signed"
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -P -S -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -S -o "$zone" "$zonefile" >/dev/null
#
# Zone with signatures about to expire, and dynamic, but configured
@ -555,11 +554,11 @@ signedfile="nosign.example.db.signed"
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" >/dev/null
# preserve a normalized copy of the NS RRSIG for comparison later
$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \
awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \
sed 's/[ ][ ]*/ /g'> ../nosign.before
$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null \
| awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' \
| sed 's/[ ][ ]*/ /g' >../nosign.before
#
# An inline signing zone
@ -580,7 +579,7 @@ kskname=$("$KEYGEN" -P "$now+90s" -A "$now+3600s" -q -a "$DEFAULT_ALGORITHM" -b
kskname=$("$KEYGEN" -I "$now+90s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -S -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -S -o "$zone" "$zonefile" >/dev/null
#
# A zone which will change its sig-validity-interval
@ -602,10 +601,10 @@ zonefile=badds.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
sed -e 's/bogus/badds/g' < dsset-bogus.example$TP > dsset-badds.example$TP
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
sed -e 's/bogus/badds/g' <dsset-bogus.example$TP >dsset-badds.example$TP
#
# A zone with future signatures.
@ -615,8 +614,8 @@ infile=future.example.db.in
zonefile=future.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" >/dev/null
cp -f "$kskname.key" trusted-future.key
#
@ -627,8 +626,8 @@ infile=managed-future.example.db.in
zonefile=managed-future.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" >/dev/null
#
# A zone with a revoked key
@ -642,8 +641,8 @@ ksk1=$("$REVOKE" "$ksk1")
ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3fk "$zone")
zsk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3 "$zone")
cat "$infile" "${ksk1}.key" "${ksk2}.key" "${zsk1}.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
cat "$infile" "${ksk1}.key" "${ksk2}.key" "${zsk1}.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
#
# Check that NSEC3 are correctly signed and returned from below a DNAME
@ -655,7 +654,7 @@ zonefile=dname-at-apex-nsec3.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3 "$zone")
cat "$infile" "${kskname}.key" "${zskname}.key" >"$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null
#
# A NSEC zone with occuded data at the delegation
@ -667,7 +666,7 @@ kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" "$zone")
dnskeyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "delegation.$zone")
keyname=$("$KEYGEN" -q -a DH -b 1024 -n HOST -T KEY "delegation.$zone")
$DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}$TP"
$DSFROMKEY "$dnskeyname.key" >"dsset-delegation.${zone}$TP"
cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \
"${dnskeyname}.key" "dsset-delegation.${zone}$TP" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
"${dnskeyname}.key" "dsset-delegation.${zone}$TP" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null

12
bin/tests/system/dnssec/ns5/sign.sh
View file

@ -25,15 +25,15 @@ zonefile=root.db.signed
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
# copy the KSK out first, then revoke it
keyfile_to_initial_ds "$keyname" > revoked.conf
keyfile_to_initial_ds "$keyname" >revoked.conf
"$SETTIME" -R now "${keyname}.key" > /dev/null
"$SETTIME" -R now "${keyname}.key" >/dev/null
# create a current set of keys, and sign the root zone
"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" $zone > /dev/null
"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK $zone > /dev/null
"$SIGNER" -S -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1
"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" $zone >/dev/null
"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK $zone >/dev/null
"$SIGNER" -S -o "$zone" -f "$zonefile" "$infile" >/dev/null 2>&1
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone ".")
keyfile_to_static_ds "$keyname" > trusted.conf
keyfile_to_static_ds "$keyname" >trusted.conf

4
bin/tests/system/dnssec/ns6/sign.sh
View file

@ -24,6 +24,6 @@ zonefile=optout-tld.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" >/dev/null 2>&1

6
bin/tests/system/dnssec/ns7/sign.sh
View file

@ -25,7 +25,7 @@ zonefile=split-rrsig.db
k1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
k2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$k1.key" "$k2.key" > "$zonefile"
cat "$infile" "$k1.key" "$k2.key" >"$zonefile"
# The awk script below achieves two goals:
#
@ -37,8 +37,8 @@ cat "$infile" "$k1.key" "$k2.key" > "$zonefile"
# - it places a copy of one of the RRSIG(SOA) records somewhere else than at the
# zone apex; the test then checks whether such signatures are automatically
# removed from the zone after it is loaded.
"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" >/dev/null 2>&1
awk 'BEGIN { r = ""; }
$4 == "RRSIG" && $5 == "SOA" && r == "" { r = $0; next; }
{ print }
END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" > "$zonefile.signed"
END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" >"$zonefile.signed"

38
bin/tests/system/dnssec/prereq.sh
View file

@ -16,30 +16,26 @@
set -e
if test -n "$PYTHON"
then
if $PYTHON -c "import dns" 2> /dev/null
then
:
else
echo_i "This test requires the dnspython module." >&2
exit 1
fi
else
echo_i "This test requires Python and the dnspython module." >&2
if test -n "$PYTHON"; then
if $PYTHON -c "import dns" 2>/dev/null; then
:
else
echo_i "This test requires the dnspython module." >&2
exit 1
fi
else
echo_i "This test requires Python and the dnspython module." >&2
exit 1
fi
if "$PERL" -e 'use Net::DNS;' 2>/dev/null
then
# shellcheck disable=SC2016
if "$PERL" -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.69 && $Net::DNS::VERSION <= 0.70);' 2>/dev/null
then
:
else
echo_i "Net::DNS versions 0.69 to 0.70 have bugs that cause this test to fail: please update." >&2
exit 1
fi
if "$PERL" -e 'use Net::DNS;' 2>/dev/null; then
# shellcheck disable=SC2016
if "$PERL" -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.69 && $Net::DNS::VERSION <= 0.70);' 2>/dev/null; then
:
else
echo_i "Net::DNS versions 0.69 to 0.70 have bugs that cause this test to fail: please update." >&2
exit 1
fi
fi
exit 0

22
bin/tests/system/dnssec/setup.sh
View file

@ -32,21 +32,21 @@ copy_setports ns8/named.conf.in ns8/named.conf
copy_setports ns9/named.conf.in ns9/named.conf
(
cd ns1
$SHELL sign.sh
{
echo "a.bogus.example. A 10.0.0.22"
echo "b.bogus.example. A 10.0.0.23"
echo "c.bogus.example. A 10.0.0.23"
} >>../ns3/bogus.example.db.signed
cd ns1
$SHELL sign.sh
{
echo "a.bogus.example. A 10.0.0.22"
echo "b.bogus.example. A 10.0.0.23"
echo "c.bogus.example. A 10.0.0.23"
} >>../ns3/bogus.example.db.signed
)
(
cd ns3
cp -f siginterval1.conf siginterval.conf
cd ns3
cp -f siginterval1.conf siginterval.conf
)
(
cd ns5
$SHELL sign.sh
cd ns5
$SHELL sign.sh
)

4216
bin/tests/system/dnssec/tests.sh
View file

File diff suppressed because it is too large Load diff

4
bin/tests/system/dnstap/prereq.sh
View file

@ -14,7 +14,7 @@
. ../conf.sh
$FEATURETEST --enable-dnstap || {
echo_i "This test requires dnstap support." >&2
exit 255
echo_i "This test requires dnstap support." >&2
exit 255
}
exit 0

957
bin/tests/system/dnstap/tests.sh
View file

File diff suppressed because it is too large Load diff

25
bin/tests/system/dscp/tests.sh
View file

@ -24,18 +24,19 @@ status=0
# 10.53.0.7 has dscp set in zone *-source clauses;
#
for server in 10.53.0.1 10.53.0.2 10.53.0.3 10.53.0.4 10.53.0.5 \
10.53.0.6 10.53.0.7
do
echo_i "testing root SOA lookup at $server"
for i in 0 1 2 3 4 5 6 7 8 9
do
ret=0
$DIG $DIGOPTS @$server soa . > dig.out.$server
grep "status: NOERROR" dig.out.$server > /dev/null || ret=1
test $ret = 0 && break
sleep 1
done
test $ret = 0 || { echo_i "failed"; status=`expr $status + $ret`; }
10.53.0.6 10.53.0.7; do
echo_i "testing root SOA lookup at $server"
for i in 0 1 2 3 4 5 6 7 8 9; do
ret=0
$DIG $DIGOPTS @$server soa . >dig.out.$server
grep "status: NOERROR" dig.out.$server >/dev/null || ret=1
test $ret = 0 && break
sleep 1
done
test $ret = 0 || {
echo_i "failed"
status=$(expr $status + $ret)
}
done
echo_i "exit status: $status"

6
bin/tests/system/dsdigest/ns1/sign.sh
View file

@ -26,12 +26,12 @@ cp ../ns2/dsset-bad$TP .
key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
cat $infile $key1.key $key2.key > $zonefile
cat $infile $key1.key $key2.key >$zonefile
$SIGNER -P -g -o $zone $zonefile > /dev/null
$SIGNER -P -g -o $zone $zonefile >/dev/null
# Configure the resolving server with a static key.
keyfile_to_static_ds $key2 > trusted.conf
keyfile_to_static_ds $key2 >trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf

13
bin/tests/system/dsdigest/ns2/sign.sh
View file

@ -29,16 +29,15 @@ keyname22=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone2)
cat $infile1 $keyname11.key $keyname12.key >$zonefile1
cat $infile2 $keyname21.key $keyname22.key >$zonefile2
$SIGNER -P -g -o $zone1 $zonefile1 > /dev/null
$SIGNER -P -g -o $zone2 $zonefile2 > /dev/null
$SIGNER -P -g -o $zone1 $zonefile1 >/dev/null
$SIGNER -P -g -o $zone2 $zonefile2 >/dev/null
DSFILENAME1=dsset-${zone1}${TP}
DSFILENAME2=dsset-${zone2}${TP}
$DSFROMKEY -a SHA-256 $keyname12 > $DSFILENAME1
$DSFROMKEY -a SHA-256 $keyname22 > $DSFILENAME2
$DSFROMKEY -a SHA-256 $keyname12 >$DSFILENAME1
$DSFROMKEY -a SHA-256 $keyname22 >$DSFILENAME2
algo=SHA-384
$DSFROMKEY -a $algo $keyname12 >> $DSFILENAME1
$DSFROMKEY -a $algo $keyname22 > $DSFILENAME2
$DSFROMKEY -a $algo $keyname12 >>$DSFILENAME1
$DSFROMKEY -a $algo $keyname22 >$DSFILENAME2

28
bin/tests/system/dsdigest/tests.sh
View file

@ -24,31 +24,31 @@ DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
echo_i "checking that validation with enabled digest types works"
ret=0
$DIG $DIGOPTS a.good. @10.53.0.3 a > dig.out.good || ret=1
grep "status: NOERROR" dig.out.good > /dev/null || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.good > /dev/null || ret=1
$DIG $DIGOPTS a.good. @10.53.0.3 a >dig.out.good || ret=1
grep "status: NOERROR" dig.out.good >/dev/null || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.good >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
# Check the bad. domain
echo_i "checking that validation with no supported digest types and must-be-secure results in SERVFAIL"
ret=0
$DIG $DIGOPTS a.bad. @10.53.0.3 a > dig.out.bad || ret=1
grep "SERVFAIL" dig.out.bad > /dev/null || ret=1
$DIG $DIGOPTS a.bad. @10.53.0.3 a >dig.out.bad || ret=1
grep "SERVFAIL" dig.out.bad >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "checking that validation with no supported digest algorithms results in insecure"
ret=0
$DIG $DIGOPTS bad. @10.53.0.4 ds > dig.out.ds || ret=1
grep "NOERROR" dig.out.ds > /dev/null || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ds > /dev/null || ret=1
$DIG $DIGOPTS a.bad. @10.53.0.4 a > dig.out.insecure || ret=1
grep "NOERROR" dig.out.insecure > /dev/null || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.insecure > /dev/null && ret=1
$DIG $DIGOPTS bad. @10.53.0.4 ds >dig.out.ds || ret=1
grep "NOERROR" dig.out.ds >/dev/null || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ds >/dev/null || ret=1
$DIG $DIGOPTS a.bad. @10.53.0.4 a >dig.out.insecure || ret=1
grep "NOERROR" dig.out.insecure >/dev/null || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.insecure >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

51
bin/tests/system/dupsigs/ns1/reset_keys.sh
View file

@ -19,32 +19,31 @@ rm -rf keys/signing.test
mkdir -p keys/signing.test
timetodnssec() {
$PERL -e 'my ($S,$M,$H,$d,$m,$y,$x) = gmtime(@ARGV[0]);
$PERL -e 'my ($S,$M,$H,$d,$m,$y,$x) = gmtime(@ARGV[0]);
printf("%04u%02u%02u%02u%02u%02u\n", $y+1900,$m+1,$d,$H,$M,$S);' ${1}
}
KEYDIR=keys/signing.test
KSK=`$KEYGEN -a RSASHA256 -K $KEYDIR -q -f KSK $zone`
KSK=$($KEYGEN -a RSASHA256 -K $KEYDIR -q -f KSK $zone)
ZSK0=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone`
ZSK1=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone`
ZSK2=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone`
ZSK3=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone`
ZSK4=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone`
ZSK5=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone`
ZSK6=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone`
ZSK7=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone`
ZSK8=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone`
ZSK9=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone`
ZSK0=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK1=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK2=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK3=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK4=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK5=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK6=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK7=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK8=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK9=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
# clear all times on all keys
for FILEN in keys/signing.test/*.key
do
$SETTIME -P none -A none -R none -I none -D none $FILEN
for FILEN in keys/signing.test/*.key; do
$SETTIME -P none -A none -R none -I none -D none $FILEN
done
BASE=`date +%s`
BASET=`timetodnssec $BASE`
BASE=$(date +%s)
BASET=$(timetodnssec $BASE)
# reset the publish and activation time on the KSK
$SETTIME -P $BASET -A $BASET $KEYDIR/$KSK
@ -53,25 +52,25 @@ $SETTIME -P $BASET -A $BASET $KEYDIR/$KSK
$SETTIME -P $BASET -A $BASET $KEYDIR/$ZSK0
# schedule the first roll
R1=`expr $BASE + 50`
R1T=`timetodnssec $R1`
R1=$(expr $BASE + 50)
R1T=$(timetodnssec $R1)
$SETTIME -I $R1T $KEYDIR/$ZSK0
$SETTIME -P $BASET -A $R1T $KEYDIR/$ZSK1
# schedule the second roll (which includes the delete of the first key)
R2=`expr $R1 + 50`
R2T=`timetodnssec $R2`
R2=$(expr $R1 + 50)
R2T=$(timetodnssec $R2)
DT=$R2
DTT=`timetodnssec $DT`
DTT=$(timetodnssec $DT)
$SETTIME -D $DTT $KEYDIR/$ZSK0
$SETTIME -I $R2T $KEYDIR/$ZSK1
$SETTIME -P $R1T -A $R2T $KEYDIR/$ZSK2
# schedule the third roll
R3=`expr $R2 + 25`
R3T=`timetodnssec $R3`
R3=$(expr $R2 + 25)
R3T=$(timetodnssec $R3)
$SETTIME -D $R3T $KEYDIR/$ZSK1
$SETTIME -I $R3T $KEYDIR/$ZSK2
@ -92,8 +91,8 @@ exit
# this isn't long enough for the signing to complete and would result in
# duplicate signatures, see
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/231#note_9597
R4=`expr $R3 + 10`
R4T=`timetodnssec $R4`
R4=$(expr $R3 + 10)
R4T=$(timetodnssec $R4)
$SETTIME -D $R4T $KEYDIR/$ZSK2
$SETTIME -I $R4T $KEYDIR/$ZSK3

5
bin/tests/system/dupsigs/setup.sh
View file

@ -21,4 +21,7 @@ test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
copy_setports ns1/named.conf.in ns1/named.conf
cp -f ns1/signing.test.db.in ns1/signing.test.db
(cd ns1; $SHELL ./reset_keys.sh)
(
cd ns1
$SHELL ./reset_keys.sh
)

41
bin/tests/system/dupsigs/tests.sh
View file

@ -25,20 +25,20 @@ status=0
# - 2 x 500 signatures for a{0000-0499}.signing.test.
#
# for a total of 1009.
fully_signed () {
$DIG axfr signing.test -p ${PORT} @10.53.0.1 > "dig.out.ns1.axfr"
awk 'BEGIN { lines = 0 }
fully_signed() {
$DIG axfr signing.test -p ${PORT} @10.53.0.1 >"dig.out.ns1.axfr"
awk 'BEGIN { lines = 0 }
$4 == "RRSIG" {lines++}
END { if (lines != 1009) exit(1) }' < "dig.out.ns1.axfr"
END { if (lines != 1009) exit(1) }' <"dig.out.ns1.axfr"
}
# Wait for the last NSEC record in the zone to be signed. This is a lightweight
# alternative to avoid many AXFR requests while waiting for the zone to be
# fully signed.
_wait_for_last_nsec_signed() {
$DIG +dnssec a0499.signing.test -p ${PORT} @10.53.0.1 nsec > "dig.out.ns1.wait" || return 1
grep "signing.test\..*IN.*RRSIG.*signing.test" "dig.out.ns1.wait" > /dev/null || return 1
return 0
$DIG +dnssec a0499.signing.test -p ${PORT} @10.53.0.1 nsec >"dig.out.ns1.wait" || return 1
grep "signing.test\..*IN.*RRSIG.*signing.test" "dig.out.ns1.wait" >/dev/null || return 1
return 0
}
echo_i "wait for the zone to be fully signed"
@ -46,24 +46,23 @@ retry_quiet 60 _wait_for_last_nsec_signed
retry_quiet 10 fully_signed || status=1
if [ $status != 0 ]; then echo_i "failed"; fi
start=`date +%s`
start=$(date +%s)
now=$start
end=$((start + 140))
while [ $now -lt $end ] && [ $status -eq 0 ]; do
et=$((now - start))
echo_i "............... $et ............"
$JOURNALPRINT ns1/signing.test.db.signed.jnl | $PERL check_journal.pl | cat_i
$DIG axfr signing.test -p ${PORT} @10.53.0.1 > dig.out.at$et
awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c | cat_i
lines=`awk '$4 == "RRSIG" { print}' dig.out.at$et | wc -l`
if [ ${et} -ne 0 -a ${lines} -ne 1009 ]
then
echo_i "failed"
status=$((status + 1))
fi
sleep 5
now=`date +%s`
et=$((now - start))
echo_i "............... $et ............"
$JOURNALPRINT ns1/signing.test.db.signed.jnl | $PERL check_journal.pl | cat_i
$DIG axfr signing.test -p ${PORT} @10.53.0.1 >dig.out.at$et
awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c | cat_i
lines=$(awk '$4 == "RRSIG" { print}' dig.out.at$et | wc -l)
if [ ${et} -ne 0 -a ${lines} -ne 1009 ]; then
echo_i "failed"
status=$((status + 1))
fi
sleep 5
now=$(date +%s)
done
echo_i "exit status: $status"

12
bin/tests/system/dyndb/prereq.sh
View file

@ -14,14 +14,14 @@
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
$FEATURETEST --have-dlopen || {
echo_i "dlopen() not supported - skipping dyndb test"
exit 255
$FEATURETEST --have-dlopen || {
echo_i "dlopen() not supported - skipping dyndb test"
exit 255
}
$FEATURETEST --tsan && {
echo_i "TSAN - skipping dyndb test"
exit 255
$FEATURETEST --tsan && {
echo_i "TSAN - skipping dyndb test"
exit 255
}
exit 0

162
bin/tests/system/dyndb/tests.sh
View file

@ -21,145 +21,143 @@ DIGOPTS="@10.53.0.1 -p ${PORT}"
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
newtest() {
n=`expr $n + 1`
echo_i "${1} (${n})"
ret=0
n=$(expr $n + 1)
echo_i "${1} (${n})"
ret=0
}
test_add() {
host="$1"
type="$2"
ip="$3"
host="$1"
type="$2"
ip="$3"
cat <<EOF > ns1/update.txt
cat <<EOF >ns1/update.txt
server 10.53.0.1 ${PORT}
ttl 86400
update add $host $type $ip
send
EOF
newtest "adding $host $type $ip"
$NSUPDATE ns1/update.txt > /dev/null 2>&1 || {
[ "$should_fail" ] || \
echo_i "update failed for $host $type $ip"
return 1
}
newtest "adding $host $type $ip"
$NSUPDATE ns1/update.txt >/dev/null 2>&1 || {
[ "$should_fail" ] \
|| echo_i "update failed for $host $type $ip"
return 1
}
out=`$DIG $DIGOPTS +noall +answer -t $type -q $host`
echo $out > added.a.out.$n
lines=`echo "$out" | grep "$ip" | wc -l`
[ $lines -eq 1 ] || {
[ "$should_fail" ] || \
echo_i "dig output incorrect for $host $type $cmd: $out"
return 1
}
out=$($DIG $DIGOPTS +noall +answer -t $type -q $host)
echo $out >added.a.out.$n
lines=$(echo "$out" | grep "$ip" | wc -l)
[ $lines -eq 1 ] || {
[ "$should_fail" ] \
|| echo_i "dig output incorrect for $host $type $cmd: $out"
return 1
}
for i in 1 2 3 4 5 6 7 8 9 10
do
out=`$DIG $DIGOPTS +noall +answer -x $ip`
echo $out > added.ptr.out.$n
lines=`echo "$out" | grep "$host" | wc -l`
[ $lines -eq 1 ] && break;
$PERL -e 'select(undef, undef, undef, 0.1);'
done
[ $lines -eq 1 ] || {
[ "$should_fail" ] || \
echo_i "dig reverse output incorrect for $host $type $cmd: $out"
return 1
}
for i in 1 2 3 4 5 6 7 8 9 10; do
out=$($DIG $DIGOPTS +noall +answer -x $ip)
echo $out >added.ptr.out.$n
lines=$(echo "$out" | grep "$host" | wc -l)
[ $lines -eq 1 ] && break
$PERL -e 'select(undef, undef, undef, 0.1);'
done
[ $lines -eq 1 ] || {
[ "$should_fail" ] \
|| echo_i "dig reverse output incorrect for $host $type $cmd: $out"
return 1
}
return 0
return 0
}
test_del() {
host="$1"
type="$2"
host="$1"
type="$2"
ip=`$DIG $DIGOPTS +short $host $type`
ip=$($DIG $DIGOPTS +short $host $type)
cat <<EOF > ns1/update.txt
cat <<EOF >ns1/update.txt
server 10.53.0.1 ${PORT}
update del $host $type
send
EOF
newtest "deleting $host $type (was $ip)"
$NSUPDATE ns1/update.txt > /dev/null 2>&1 || {
[ "$should_fail" ] || \
echo_i "update failed deleting $host $type"
return 1
}
newtest "deleting $host $type (was $ip)"
$NSUPDATE ns1/update.txt >/dev/null 2>&1 || {
[ "$should_fail" ] \
|| echo_i "update failed deleting $host $type"
return 1
}
out=`$DIG $DIGOPTS +noall +answer -t $type -q $host`
echo $out > deleted.a.out.$n
lines=`echo "$out" | grep "$ip" | wc -l`
[ $lines -eq 0 ] || {
[ "$should_fail" ] || \
echo_i "dig output incorrect for $host $type $cmd: $out"
return 1
}
out=$($DIG $DIGOPTS +noall +answer -t $type -q $host)
echo $out >deleted.a.out.$n
lines=$(echo "$out" | grep "$ip" | wc -l)
[ $lines -eq 0 ] || {
[ "$should_fail" ] \
|| echo_i "dig output incorrect for $host $type $cmd: $out"
return 1
}
for i in 1 2 3 4 5 6 7 8 9 10
do
out=`$DIG $DIGOPTS +noall +answer -x $ip`
echo $out > deleted.ptr.out.$n
lines=`echo "$out" | grep "$host" | wc -l`
[ $lines -eq 0 ] && break
$PERL -e 'select(undef, undef, undef, 0.1);'
done
[ $lines -eq 0 ] || {
[ "$should_fail" ] || \
echo_i "dig reverse output incorrect for $host $type $cmd: $out"
return 1
}
for i in 1 2 3 4 5 6 7 8 9 10; do
out=$($DIG $DIGOPTS +noall +answer -x $ip)
echo $out >deleted.ptr.out.$n
lines=$(echo "$out" | grep "$host" | wc -l)
[ $lines -eq 0 ] && break
$PERL -e 'select(undef, undef, undef, 0.1);'
done
[ $lines -eq 0 ] || {
[ "$should_fail" ] \
|| echo_i "dig reverse output incorrect for $host $type $cmd: $out"
return 1
}
return 0
return 0
}
test_add test1.ipv4.example.nil. A "10.53.0.10" || ret=1
status=`expr $status + $ret`
status=$(expr $status + $ret)
test_add test2.ipv4.example.nil. A "10.53.0.11" || ret=1
status=`expr $status + $ret`
status=$(expr $status + $ret)
test_add test3.ipv4.example.nil. A "10.53.0.12" || ret=1
status=`expr $status + $ret`
status=$(expr $status + $ret)
test_add test4.ipv6.example.nil. AAAA "2001:db8::1" || ret=1
status=`expr $status + $ret`
status=$(expr $status + $ret)
test_del test1.ipv4.example.nil. A || ret=1
status=`expr $status + $ret`
status=$(expr $status + $ret)
test_del test2.ipv4.example.nil. A || ret=1
status=`expr $status + $ret`
status=$(expr $status + $ret)
test_del test3.ipv4.example.nil. A || ret=1
status=`expr $status + $ret`
status=$(expr $status + $ret)
test_del test4.ipv6.example.nil. AAAA || ret=1
status=`expr $status + $ret`
status=$(expr $status + $ret)
newtest "checking parameter logging"
grep "loading params for dyndb 'sample' from .*named.conf:" ns1/named.run > /dev/null || ret=1
grep "loading params for dyndb 'sample2' from .*named.conf:" ns1/named.run > /dev/null || ret=1
grep "loading params for dyndb 'sample' from .*named.conf:" ns1/named.run >/dev/null || ret=1
grep "loading params for dyndb 'sample2' from .*named.conf:" ns1/named.run >/dev/null || ret=1
[ $ret -eq 1 ] && echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "checking dyndb still works after reload"
rndc_reload ns1 10.53.0.1
test_add test5.ipv4.example.nil. A "10.53.0.10" || ret=1
status=`expr $status + $ret`
status=$(expr $status + $ret)
test_add test6.ipv6.example.nil. AAAA "2001:db8::1" || ret=1
status=`expr $status + $ret`
status=$(expr $status + $ret)
test_del test5.ipv4.example.nil. A || ret=1
status=`expr $status + $ret`
status=$(expr $status + $ret)
test_del test6.ipv6.example.nil. AAAA || ret=1
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

34
bin/tests/system/ecdsa/ns1/sign.sh
View file

@ -23,34 +23,34 @@ echo_i "ns1/sign.sh"
cp $infile $zonefile
if [ -f ../ecdsa256-supported.file ]; then
zsk256=$($KEYGEN -q -a ECDSA256 -n zone "$zone")
ksk256=$($KEYGEN -q -a ECDSA256 -n zone -f KSK "$zone")
cat "$ksk256.key" "$zsk256.key" >> "$zonefile"
$DSFROMKEY -a sha-256 "$ksk256.key" >> dsset-256
zsk256=$($KEYGEN -q -a ECDSA256 -n zone "$zone")
ksk256=$($KEYGEN -q -a ECDSA256 -n zone -f KSK "$zone")
cat "$ksk256.key" "$zsk256.key" >>"$zonefile"
$DSFROMKEY -a sha-256 "$ksk256.key" >>dsset-256
fi
if [ -f ../ecdsa384-supported.file ]; then
zsk384=$($KEYGEN -q -a ECDSA384 -n zone "$zone")
ksk384=$($KEYGEN -q -a ECDSA384 -n zone -f KSK "$zone")
cat "$ksk384.key" "$zsk384.key" >> "$zonefile"
$DSFROMKEY -a sha-256 "$ksk384.key" >> dsset-256
zsk384=$($KEYGEN -q -a ECDSA384 -n zone "$zone")
ksk384=$($KEYGEN -q -a ECDSA384 -n zone -f KSK "$zone")
cat "$ksk384.key" "$zsk384.key" >>"$zonefile"
$DSFROMKEY -a sha-256 "$ksk384.key" >>dsset-256
fi
# Configure the resolving server with a static key.
if [ -f ../ecdsa256-supported.file ]; then
keyfile_to_static_ds $ksk256 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
keyfile_to_static_ds $ksk256 >trusted.conf
cp trusted.conf ../ns2/trusted.conf
else
keyfile_to_static_ds $ksk384 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
keyfile_to_static_ds $ksk384 >trusted.conf
cp trusted.conf ../ns2/trusted.conf
fi
if [ -f ../ecdsa384-supported.file ]; then
keyfile_to_static_ds $ksk384 > trusted.conf
cp trusted.conf ../ns3/trusted.conf
keyfile_to_static_ds $ksk384 >trusted.conf
cp trusted.conf ../ns3/trusted.conf
else
keyfile_to_static_ds $ksk256 > trusted.conf
cp trusted.conf ../ns3/trusted.conf
keyfile_to_static_ds $ksk256 >trusted.conf
cp trusted.conf ../ns3/trusted.conf
fi
$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err
$SIGNER -P -g -o "$zone" "$zonefile" >/dev/null 2>signer.err || cat signer.err

8
bin/tests/system/ecdsa/setup.sh
View file

@ -17,17 +17,17 @@ SYSTEMTESTTOP=..
set -e
if $SHELL ../testcrypto.sh ecdsap256sha256; then
echo "yes" > ecdsa256-supported.file
echo "yes" >ecdsa256-supported.file
fi
if $SHELL ../testcrypto.sh ecdsap384sha384; then
echo "yes" > ecdsa384-supported.file
echo "yes" >ecdsa384-supported.file
fi
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
(
cd ns1
$SHELL sign.sh
cd ns1
$SHELL sign.sh
)

42
bin/tests/system/ecdsa/tests.sh
View file

@ -18,35 +18,35 @@ status=0
n=0
dig_with_opts() {
"$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
"$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
}
if [ -f ecdsa256-supported.file ]; then
n=$((n+1))
echo_i "checking that ECDSA256 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n + 1))
echo_i "checking that ECDSA256 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa >dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.2 soa >dig.out.ns2.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
else
echo_i "algorithm ECDSA256 not supported, skipping test"
echo_i "algorithm ECDSA256 not supported, skipping test"
fi
if [ -f ecdsa384-supported.file ]; then
n=$((n+1))
echo_i "checking that ECDSA384 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.3 soa > dig.out.ns3.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n + 1))
echo_i "checking that ECDSA384 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa >dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.3 soa >dig.out.ns3.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
else
echo_i "algorithm ECDSA384 not supported, skipping test"
echo_i "algorithm ECDSA384 not supported, skipping test"
fi
echo_i "exit status: $status"

34
bin/tests/system/eddsa/ns1/sign.sh
View file

@ -23,34 +23,34 @@ echo_i "ns1/sign.sh"
cp $infile $zonefile
if [ -f ../ed25519-supported.file ]; then
zsk25519=$($KEYGEN -q -a ED25519 -n zone "$zone")
ksk25519=$($KEYGEN -q -a ED25519 -n zone -f KSK "$zone")
cat "$ksk25519.key" "$zsk25519.key" >> "$zonefile"
$DSFROMKEY -a sha-256 "$ksk25519.key" >> dsset-256
zsk25519=$($KEYGEN -q -a ED25519 -n zone "$zone")
ksk25519=$($KEYGEN -q -a ED25519 -n zone -f KSK "$zone")
cat "$ksk25519.key" "$zsk25519.key" >>"$zonefile"
$DSFROMKEY -a sha-256 "$ksk25519.key" >>dsset-256
fi
if [ -f ../ed448-supported.file ]; then
zsk448=$($KEYGEN -q -a ED448 -n zone "$zone")
ksk448=$($KEYGEN -q -a ED448 -n zone -f KSK "$zone")
cat "$ksk448.key" "$zsk448.key" >> "$zonefile"
$DSFROMKEY -a sha-256 "$ksk448.key" >> dsset-256
zsk448=$($KEYGEN -q -a ED448 -n zone "$zone")
ksk448=$($KEYGEN -q -a ED448 -n zone -f KSK "$zone")
cat "$ksk448.key" "$zsk448.key" >>"$zonefile"
$DSFROMKEY -a sha-256 "$ksk448.key" >>dsset-256
fi
# Configure the resolving server with a static key.
if [ -f ../ed25519-supported.file ]; then
keyfile_to_static_ds $ksk25519 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
keyfile_to_static_ds $ksk25519 >trusted.conf
cp trusted.conf ../ns2/trusted.conf
else
keyfile_to_static_ds $ksk448 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
keyfile_to_static_ds $ksk448 >trusted.conf
cp trusted.conf ../ns2/trusted.conf
fi
if [ -f ../ed448-supported.file ]; then
keyfile_to_static_ds $ksk448 > trusted.conf
cp trusted.conf ../ns3/trusted.conf
keyfile_to_static_ds $ksk448 >trusted.conf
cp trusted.conf ../ns3/trusted.conf
else
keyfile_to_static_ds $ksk25519 > trusted.conf
cp trusted.conf ../ns3/trusted.conf
keyfile_to_static_ds $ksk25519 >trusted.conf
cp trusted.conf ../ns3/trusted.conf
fi
$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err
$SIGNER -P -g -o "$zone" "$zonefile" >/dev/null 2>signer.err || cat signer.err

13
bin/tests/system/eddsa/ns2/sign.sh
View file

@ -26,12 +26,11 @@ cp $infile $zonefile
if [ -f ../ed25519-supported.file ]; then
for i in Xexample.com.+015+03613 Xexample.com.+015+35217
do
cp "$i.key" "$(echo $i.key | sed s/X/K/)"
cp "$i.private" "$(echo $i.private | sed s/X/K/)"
cat "$(echo $i.key | sed s/X/K/)" >> "$zonefile"
done
for i in Xexample.com.+015+03613 Xexample.com.+015+35217; do
cp "$i.key" "$(echo $i.key | sed s/X/K/)"
cp "$i.private" "$(echo $i.private | sed s/X/K/)"
cat "$(echo $i.key | sed s/X/K/)" >>"$zonefile"
done
fi
$SIGNER -P -z -s $starttime -e $endtime -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
$SIGNER -P -z -s $starttime -e $endtime -o $zone $zonefile >/dev/null 2>signer.err || cat signer.err

13
bin/tests/system/eddsa/ns3/sign.sh
View file

@ -25,12 +25,11 @@ echo_i "ns3/sign.sh"
cp $infile $zonefile
if [ -f ../ed448-supported.file ]; then
for i in Xexample.com.+016+09713 Xexample.com.+016+38353
do
cp "$i.key" "$(echo $i.key | sed s/X/K/)"
cp "$i.private" "$(echo $i.private | sed s/X/K/)"
cat "$(echo $i.key | sed s/X/K/)" >> "$zonefile"
done
for i in Xexample.com.+016+09713 Xexample.com.+016+38353; do
cp "$i.key" "$(echo $i.key | sed s/X/K/)"
cp "$i.private" "$(echo $i.private | sed s/X/K/)"
cat "$(echo $i.key | sed s/X/K/)" >>"$zonefile"
done
fi
$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err
$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" >/dev/null 2>signer.err || cat signer.err

4
bin/tests/system/eddsa/prereq.sh
View file

@ -16,10 +16,10 @@ SYSTEMTESTTOP=..
supported=0
if $SHELL ../testcrypto.sh ed25519; then
supported=1
supported=1
fi
if $SHELL ../testcrypto.sh ed448; then
supported=1
supported=1
fi
[ "$supported" -eq 1 ] || exit 1

16
bin/tests/system/eddsa/setup.sh
View file

@ -15,11 +15,11 @@ SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
if $SHELL ../testcrypto.sh ed25519; then
echo "yes" > ed25519-supported.file
echo "yes" >ed25519-supported.file
fi
if $SHELL ../testcrypto.sh ed448; then
echo "yes" > ed448-supported.file
echo "yes" >ed448-supported.file
fi
copy_setports ns1/named.conf.in ns1/named.conf
@ -27,14 +27,14 @@ copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
(
cd ns1
$SHELL sign.sh
cd ns1
$SHELL sign.sh
)
(
cd ns2
$SHELL sign.sh
cd ns2
$SHELL sign.sh
)
(
cd ns3
$SHELL sign.sh
cd ns3
$SHELL sign.sh
)

98
bin/tests/system/eddsa/tests.sh
View file

@ -18,66 +18,66 @@ status=0
n=0
dig_with_opts() {
"$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
"$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
}
if [ -f ed25519-supported.file ]; then
# Check the example. domain
n=$((n+1))
echo_i "checking that Ed25519 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
# Check the example. domain
n=$((n + 1))
echo_i "checking that Ed25519 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa >dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.2 soa >dig.out.ns2.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
# Check test vectors (RFC 8080 + errata)
n=$((n+1))
echo_i "checking that Ed25519 test vectors match ($n)"
ret=0
grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed > /dev/null || ret=1
grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed > /dev/null || ret=1
grep 'zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVi' ns2/example.com.db.signed > /dev/null || ret=1
grep 'R0O7KuI5k2pcBg==' ns2/example.com.db.signed > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
# Check test vectors (RFC 8080 + errata)
n=$((n + 1))
echo_i "checking that Ed25519 test vectors match ($n)"
ret=0
grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed >/dev/null || ret=1
grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed >/dev/null || ret=1
grep 'zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVi' ns2/example.com.db.signed >/dev/null || ret=1
grep 'R0O7KuI5k2pcBg==' ns2/example.com.db.signed >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
else
echo_i "algorithm Ed25519 not supported, skipping vectors match test"
echo_i "algorithm Ed25519 not supported, skipping vectors match test"
fi
if [ -f ed448-supported.file ]; then
# Check the example. domain
n=$((n+1))
echo_i "checking that Ed448 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.3 soa > dig.out.ns3.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
# Check the example. domain
n=$((n + 1))
echo_i "checking that Ed448 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa >dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.3 soa >dig.out.ns3.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
# Check test vectors (RFC 8080 + errata)
n=$((n+1))
echo_i "checking that Ed448 test vectors match ($n)"
ret=0
grep '3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLm' ns3/example.com.db.signed > /dev/null || ret=1
grep 'jInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKi' ns3/example.com.db.signed > /dev/null || ret=1
grep 'wZSAxGILn/NBtOXft0+Gj7FSvOKxE/07+4RQ' ns3/example.com.db.signed > /dev/null || ret=1
grep 'vE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213' ns3/example.com.db.signed > /dev/null || ret=1
grep 'WKsJlwEA' ns3/example.com.db.signed > /dev/null || ret=1
# Check test vectors (RFC 8080 + errata)
n=$((n + 1))
echo_i "checking that Ed448 test vectors match ($n)"
ret=0
grep '3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLm' ns3/example.com.db.signed >/dev/null || ret=1
grep 'jInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKi' ns3/example.com.db.signed >/dev/null || ret=1
grep 'wZSAxGILn/NBtOXft0+Gj7FSvOKxE/07+4RQ' ns3/example.com.db.signed >/dev/null || ret=1
grep 'vE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213' ns3/example.com.db.signed >/dev/null || ret=1
grep 'WKsJlwEA' ns3/example.com.db.signed >/dev/null || ret=1
grep 'E1/oLjSGIbmLny/4fcgM1z4oL6aqo+izT3ur' ns3/example.com.db.signed > /dev/null || ret=1
grep 'CyHyvEp4Sp8Syg1eI+lJ57CSnZqjJP41O/9l' ns3/example.com.db.signed > /dev/null || ret=1
grep '4m0AsQ4f7qI1gVnML8vWWiyW2KXhT9kuAICU' ns3/example.com.db.signed > /dev/null || ret=1
grep 'Sxv5OWbf81Rq7Yu60npabODB0QFPb/rkW3kU' ns3/example.com.db.signed > /dev/null || ret=1
grep 'ZmQ0YQUA' ns3/example.com.db.signed > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
grep 'E1/oLjSGIbmLny/4fcgM1z4oL6aqo+izT3ur' ns3/example.com.db.signed >/dev/null || ret=1
grep 'CyHyvEp4Sp8Syg1eI+lJ57CSnZqjJP41O/9l' ns3/example.com.db.signed >/dev/null || ret=1
grep '4m0AsQ4f7qI1gVnML8vWWiyW2KXhT9kuAICU' ns3/example.com.db.signed >/dev/null || ret=1
grep 'Sxv5OWbf81Rq7Yu60npabODB0QFPb/rkW3kU' ns3/example.com.db.signed >/dev/null || ret=1
grep 'ZmQ0YQUA' ns3/example.com.db.signed >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
else
echo_i "algorithm Ed448 not supported, skipping vectors match test"
echo_i "algorithm Ed448 not supported, skipping vectors match test"
fi
echo_i "exit status: $status"

181
bin/tests/system/ednscompliance/tests.sh
View file

@ -20,94 +20,169 @@ status=0
n=0
zone=.
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check +edns=100 sets version 100 ($n)"
ret=0 reason=
$DIG $DIGOPTS @10.53.0.1 +qr +edns=100 soa $zone > dig.out$n
grep "EDNS: version: 100," dig.out$n > /dev/null || { ret=1; reason="version"; }
$DIG $DIGOPTS @10.53.0.1 +qr +edns=100 soa $zone >dig.out$n
grep "EDNS: version: 100," dig.out$n >/dev/null || {
ret=1
reason="version"
}
if [ $ret != 0 ]; then echo_i "failed $reason"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
ret=0 reason=
echo_i "check +ednsopt=100 adds option 100 ($n)"
$DIG $DIGOPTS @10.53.0.1 +qr +ednsopt=100 soa $zone > dig.out$n
grep "; OPT=100" dig.out$n > /dev/null || { ret=1; reason="option"; }
$DIG $DIGOPTS @10.53.0.1 +qr +ednsopt=100 soa $zone >dig.out$n
grep "; OPT=100" dig.out$n >/dev/null || {
ret=1
reason="option"
}
if [ $ret != 0 ]; then echo_i "failed $reason"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check +ednsflags=0x80 sets flags to 0x0080 ($n)"
ret=0 reason=
$DIG $DIGOPTS @10.53.0.1 +qr +ednsflags=0x80 soa $zone > dig.out$n
grep "MBZ: 0x0080," dig.out$n > /dev/null || { ret=1; reason="flags"; }
$DIG $DIGOPTS @10.53.0.1 +qr +ednsflags=0x80 soa $zone >dig.out$n
grep "MBZ: 0x0080," dig.out$n >/dev/null || {
ret=1
reason="flags"
}
if [ $ret != 0 ]; then echo_i "failed $reason"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "Unknown EDNS version ($n)"
ret=0 reason=
$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsnegotiation soa $zone > dig.out$n
grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; }
grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reason="soa"; }
$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsnegotiation soa $zone >dig.out$n
grep "status: BADVERS," dig.out$n >/dev/null || {
ret=1
reason="status"
}
grep "EDNS: version: 0," dig.out$n >/dev/null || {
ret=1
reason="version"
}
grep "IN.SOA." dig.out$n >/dev/null && {
ret=1
reason="soa"
}
if [ $ret != 0 ]; then echo_i "failed $reason"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "Unknown EDNS option ($n)"
ret=0 reason=
$DIG $DIGOPTS @10.53.0.1 +ednsopt=100 soa $zone > dig.out$n
grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; }
grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
grep "; OPT=100" dig.out$n > /dev/null && { ret=1; reason="option"; }
grep "IN.SOA." dig.out$n > /dev/null || { ret=1; reason="nosoa"; }
$DIG $DIGOPTS @10.53.0.1 +ednsopt=100 soa $zone >dig.out$n
grep "status: NOERROR," dig.out$n >/dev/null || {
ret=1
reason="status"
}
grep "EDNS: version: 0," dig.out$n >/dev/null || {
ret=1
reason="version"
}
grep "; OPT=100" dig.out$n >/dev/null && {
ret=1
reason="option"
}
grep "IN.SOA." dig.out$n >/dev/null || {
ret=1
reason="nosoa"
}
if [ $ret != 0 ]; then echo_i "failed $reason"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "Unknown EDNS version + option ($n)"
ret=0 reason=
$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsopt=100 soa $zone > dig.out$n
grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; }
grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
grep "; OPT=100" dig.out$n > /dev/null && { ret=1; reason="option"; }
grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reason="soa"; }
$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsopt=100 soa $zone >dig.out$n
grep "status: BADVERS," dig.out$n >/dev/null || {
ret=1
reason="status"
}
grep "EDNS: version: 0," dig.out$n >/dev/null || {
ret=1
reason="version"
}
grep "; OPT=100" dig.out$n >/dev/null && {
ret=1
reason="option"
}
grep "IN.SOA." dig.out$n >/dev/null && {
ret=1
reason="soa"
}
if [ $ret != 0 ]; then echo_i "failed: $reason"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
status=$(expr $status + $ret)
n=$(expr $n + 1)
echo_i "Unknown EDNS flag ($n)"
ret=0 reason=
$DIG $DIGOPTS @10.53.0.1 +ednsflags=0x80 soa $zone > dig.out$n
grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; }
grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
grep "EDNS:.*MBZ" dig.out$n > /dev/null > /dev/null && { ret=1; reason="mbz"; }
grep ".IN.SOA." dig.out$n > /dev/null || { ret=1; reason="nosoa"; }
$DIG $DIGOPTS @10.53.0.1 +ednsflags=0x80 soa $zone >dig.out$n
grep "status: NOERROR," dig.out$n >/dev/null || {
ret=1
reason="status"
}
grep "EDNS: version: 0," dig.out$n >/dev/null || {
ret=1
reason="version"
}
grep "EDNS:.*MBZ" dig.out$n >/dev/null >/dev/null && {
ret=1
reason="mbz"
}
grep ".IN.SOA." dig.out$n >/dev/null || {
ret=1
reason="nosoa"
}
if [ $ret != 0 ]; then echo_i "failed $reason"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "Unknown EDNS version + flag ($n)"
ret=0 reason=
$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsflags=0x80 soa $zone > dig.out$n
grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; }
grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
grep "EDNS:.*MBZ" dig.out$n > /dev/null > /dev/null && { ret=1; reason="mbz"; }
grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reason="soa"; }
$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsflags=0x80 soa $zone >dig.out$n
grep "status: BADVERS," dig.out$n >/dev/null || {
ret=1
reason="status"
}
grep "EDNS: version: 0," dig.out$n >/dev/null || {
ret=1
reason="version"
}
grep "EDNS:.*MBZ" dig.out$n >/dev/null >/dev/null && {
ret=1
reason="mbz"
}
grep "IN.SOA." dig.out$n >/dev/null && {
ret=1
reason="soa"
}
if [ $ret != 0 ]; then echo_i "failed $reason"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
status=$(expr $status + $ret)
n=$(expr $n + 1)
echo_i "DiG's EDNS negotiation ($n)"
ret=0 reason=
$DIG $DIGOPTS @10.53.0.1 +edns=100 soa $zone > dig.out$n
grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; }
grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
grep "IN.SOA." dig.out$n > /dev/null || { ret=1; reason="soa"; }
$DIG $DIGOPTS @10.53.0.1 +edns=100 soa $zone >dig.out$n
grep "status: NOERROR," dig.out$n >/dev/null || {
ret=1
reason="status"
}
grep "EDNS: version: 0," dig.out$n >/dev/null || {
ret=1
reason="version"
}
grep "IN.SOA." dig.out$n >/dev/null || {
ret=1
reason="soa"
}
if [ $ret != 0 ]; then echo_i "failed $reason"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
status=$(expr $status + $ret)
n=$(expr $n + 1)
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

16
bin/tests/system/emptyzones/tests.sh
View file

@ -20,26 +20,26 @@ RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
status=0
n=0
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check that switching to automatic empty zones works ($n)"
ret=0
rndc_reload ns1 10.53.0.1
copy_setports ns1/named2.conf.in ns1/named.conf
$RNDCCMD 10.53.0.1 reload > /dev/null || ret=1
$RNDCCMD 10.53.0.1 reload >/dev/null || ret=1
sleep 5
$DIG $DIGOPTS +vc version.bind txt ch @10.53.0.1 > /dev/null || ret=1
$DIG $DIGOPTS +vc version.bind txt ch @10.53.0.1 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "check that allow-transfer { none; } works ($n)"
ret=0
$DIG $DIGOPTS axfr 10.in-addr.arpa @10.53.0.1 +all > dig.out.test$n || ret=1
grep "status: REFUSED" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS axfr 10.in-addr.arpa @10.53.0.1 +all >dig.out.test$n || ret=1
grep "status: REFUSED" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

9
bin/tests/system/fetchlimit/prereq.sh
View file

@ -14,10 +14,9 @@
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
if $PERL -e 'use Net::DNS;' 2>/dev/null
then
:
if $PERL -e 'use Net::DNS;' 2>/dev/null; then
:
else
echo_i "This test requires the Net::DNS library." >&2
exit 1
echo_i "This test requires the Net::DNS library." >&2
exit 1
fi

155
bin/tests/system/fetchlimit/tests.sh
View file

@ -18,24 +18,24 @@ DIGCMD="$DIG @10.53.0.3 -p ${PORT} +tcp +tries=1 +time=1"
RNDCCMD="$RNDC -p ${CONTROLPORT} -s 10.53.0.3 -c ../common/rndc.conf"
burst() {
num=${3:-20}
rm -f burst.input.$$
while [ $num -gt 0 ]; do
num=$((num-1))
echo "${num}${1}${2}.lamesub.example A" >> burst.input.$$
done
$PERL ../ditch.pl -p ${PORT} -s 10.53.0.3 burst.input.$$
rm -f burst.input.$$
num=${3:-20}
rm -f burst.input.$$
while [ $num -gt 0 ]; do
num=$((num - 1))
echo "${num}${1}${2}.lamesub.example A" >>burst.input.$$
done
$PERL ../ditch.pl -p ${PORT} -s 10.53.0.3 burst.input.$$
rm -f burst.input.$$
}
stat() {
clients=`$RNDCCMD status | grep "recursive clients" |
sed 's;.*: \([^/][^/]*\)/.*;\1;'`
echo_i "clients: $clients"
[ "$clients" = "" ] && return 1
[ "$clients" -ge $1 ] || return 1
[ "$clients" -le $2 ] || return 1
return 0
clients=$($RNDCCMD status | grep "recursive clients" \
| sed 's;.*: \([^/][^/]*\)/.*;\1;')
echo_i "clients: $clients"
[ "$clients" = "" ] && return 1
[ "$clients" -ge $1 ] || return 1
[ "$clients" -le $2 ] || return 1
return 0
}
status=0
@ -46,21 +46,21 @@ ret=0
$RNDCCMD flush
touch ans4/norespond
for try in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
burst a $try
# fetches-per-server is at 400, but at 20qps against a lame server,
# we'll reach 200 at the tenth second, and the quota should have been
# tuned to less than that by then.
[ $try -le 5 ] && low=$((try*10))
stat 20 200 || ret=1
[ $ret -eq 1 ] && break
sleep 1
burst a $try
# fetches-per-server is at 400, but at 20qps against a lame server,
# we'll reach 200 at the tenth second, and the quota should have been
# tuned to less than that by then.
[ $try -le 5 ] && low=$((try * 10))
stat 20 200 || ret=1
[ $ret -eq 1 ] && break
sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "dumping ADB data"
$RNDCCMD dumpdb -adb
info=`grep '10.53.0.4' ns3/named_dump.db | sed 's/.*\(atr [.0-9]*\).*\(quota [0-9]*\).*/\1 \2/'`
info=$(grep '10.53.0.4' ns3/named_dump.db | sed 's/.*\(atr [.0-9]*\).*\(quota [0-9]*\).*/\1 \2/')
echo_i $info
set -- $info
quota=$5
@ -71,51 +71,51 @@ ret=0
rm -f ns3/named.stats
$RNDCCMD stats
for try in 1 2 3 4 5; do
[ -f ns3/named.stats ] && break
sleep 1
[ -f ns3/named.stats ] && break
sleep 1
done
sspill=`grep 'spilled due to server' ns3/named.stats | sed 's/\([0-9][0-9]*\) spilled.*/\1/'`
sspill=$(grep 'spilled due to server' ns3/named.stats | sed 's/\([0-9][0-9]*\) spilled.*/\1/')
[ -z "$sspill" ] && sspill=0
fails=`grep 'queries resulted in SERVFAIL' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/'`
fails=$(grep 'queries resulted in SERVFAIL' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/')
[ -z "$fails" ] && fails=0
[ "$fails" -ge "$sspill" ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking lame server recovery"
ret=0
rm -f ans4/norespond
for try in 1 2 3 4 5; do
burst b $try
stat 0 200 || ret=1
[ $ret -eq 1 ] && break
sleep 1
burst b $try
stat 0 200 || ret=1
[ $ret -eq 1 ] && break
sleep 1
done
echo_i "dumping ADB data"
$RNDCCMD dumpdb -adb
info=`grep '10.53.0.4' ns3/named_dump.db | sed 's/.*\(atr [.0-9]*\).*\(quota [0-9]*\).*/\1 \2/'`
info=$(grep '10.53.0.4' ns3/named_dump.db | sed 's/.*\(atr [.0-9]*\).*\(quota [0-9]*\).*/\1 \2/')
echo_i $info
set -- $info
[ ${5:-${quota}} -lt $quota ] || ret=1
quota=$5
for try in 1 2 3 4 5 6 7 8 9 10; do
burst c $try
stat 0 20 || ret=1
[ $ret -eq 1 ] && break
sleep 1
burst c $try
stat 0 20 || ret=1
[ $ret -eq 1 ] && break
sleep 1
done
echo_i "dumping ADB data"
$RNDCCMD dumpdb -adb
info=`grep '10.53.0.4' ns3/named_dump.db | sed 's/.*\(atr [.0-9]*\).*\(quota [0-9]*\).*/\1 \2/'`
info=$(grep '10.53.0.4' ns3/named_dump.db | sed 's/.*\(atr [.0-9]*\).*\(quota [0-9]*\).*/\1 \2/')
echo_i $info
set -- $info
[ ${5:-${quota}} -gt $quota ] || ret=1
quota=$5
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
copy_setports ns3/named2.conf.in ns3/named.conf
rndc_reconfig ns3 10.53.0.3
@ -126,35 +126,35 @@ fail=0
success=0
touch ans4/norespond
for try in 1 2 3 4 5; do
burst b $try 300
$DIGCMD a ${try}.example > dig.out.ns3.$try
grep "status: NOERROR" dig.out.ns3.$try > /dev/null 2>&1 && \
success=$((success+1))
grep "status: SERVFAIL" dig.out.ns3.$try > /dev/null 2>&1 && \
fail=$(($fail+1))
stat 30 50 || ret=1
[ $ret -eq 1 ] && break
$RNDCCMD recursing 2>&1 | sed 's/^/ns3 /' | cat_i
sleep 1
burst b $try 300
$DIGCMD a ${try}.example >dig.out.ns3.$try
grep "status: NOERROR" dig.out.ns3.$try >/dev/null 2>&1 \
&& success=$((success + 1))
grep "status: SERVFAIL" dig.out.ns3.$try >/dev/null 2>&1 \
&& fail=$(($fail + 1))
stat 30 50 || ret=1
[ $ret -eq 1 ] && break
$RNDCCMD recursing 2>&1 | sed 's/^/ns3 /' | cat_i
sleep 1
done
echo_i "$success successful valid queries, $fail SERVFAIL"
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking drop statistics"
rm -f ns3/named.stats
$RNDCCMD stats
for try in 1 2 3 4 5; do
[ -f ns3/named.stats ] && break
sleep 1
[ -f ns3/named.stats ] && break
sleep 1
done
zspill=`grep 'spilled due to zone' ns3/named.stats | sed 's/\([0-9][0-9]*\) spilled.*/\1/'`
zspill=$(grep 'spilled due to zone' ns3/named.stats | sed 's/\([0-9][0-9]*\) spilled.*/\1/')
[ -z "$zspill" ] && zspill=0
drops=`grep 'queries dropped' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/'`
drops=$(grep 'queries dropped' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/')
[ -z "$drops" ] && drops=0
[ "$drops" -ge "$zspill" ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
copy_setports ns3/named3.conf.in ns3/named.conf
rndc_reconfig ns3 10.53.0.3
@ -166,35 +166,44 @@ exceeded=0
success=0
touch ans4/norespond
for try in 1 2 3 4 5; do
burst b $try 400
$DIGCMD +time=2 a ${try}.example > dig.out.ns3.$try
stat 100 400 || exceeded=$((exceeded + 1))
grep "status: NOERROR" dig.out.ns3.$try > /dev/null 2>&1 && \
success=$((success+1))
grep "status: SERVFAIL" dig.out.ns3.$try > /dev/null 2>&1 && \
fail=$(($fail+1))
sleep 1
burst b $try 400
$DIGCMD +time=2 a ${try}.example >dig.out.ns3.$try
stat 100 400 || exceeded=$((exceeded + 1))
grep "status: NOERROR" dig.out.ns3.$try >/dev/null 2>&1 \
&& success=$((success + 1))
grep "status: SERVFAIL" dig.out.ns3.$try >/dev/null 2>&1 \
&& fail=$(($fail + 1))
sleep 1
done
echo_i "$success successful valid queries (expected 5)"
[ "$success" -eq 5 ] || { echo_i "failed"; ret=1; }
[ "$success" -eq 5 ] || {
echo_i "failed"
ret=1
}
echo_i "$fail SERVFAIL responses (expected 0)"
[ "$fail" -eq 0 ] || { echo_i "failed"; ret=1; }
[ "$fail" -eq 0 ] || {
echo_i "failed"
ret=1
}
echo_i "clients count exceeded 400 on $exceeded trials (expected 0)"
[ "$exceeded" -eq 0 ] || { echo_i "failed"; ret=1; }
[ "$exceeded" -eq 0 ] || {
echo_i "failed"
ret=1
}
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "checking drop statistics"
rm -f ns3/named.stats
$RNDCCMD stats
for try in 1 2 3 4 5; do
[ -f ns3/named.stats ] && break
sleep 1
[ -f ns3/named.stats ] && break
sleep 1
done
drops=`grep 'queries dropped due to recursive client limit' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/'`
drops=$(grep 'queries dropped due to recursive client limit' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/')
[ "${drops:-0}" -ne 0 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

10
bin/tests/system/filter-aaaa/ns1/sign.sh
View file

@ -21,15 +21,15 @@ infile=signed.db.in
zonefile=signed.db.signed
outfile=signed.db.signed
$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i
$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 > keygen.out | cat_i
keyname=`cat keygen.out`
$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 >/dev/null | cat_i
$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 >keygen.out | cat_i
keyname=$(cat keygen.out)
rm -f keygen.out
keyfile_to_static_ds $keyname > trusted.conf
keyfile_to_static_ds $keyname >trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns5/trusted.conf
$SIGNER -S -o $zone -f $outfile $infile > /dev/null 2> signer.err || cat signer.err
$SIGNER -S -o $zone -f $outfile $infile >/dev/null 2>signer.err || cat signer.err
echo_i "signed zone '$zone'"

6
bin/tests/system/filter-aaaa/ns4/sign.sh
View file

@ -21,8 +21,8 @@ infile=signed.db.in
zonefile=signed.db.signed
outfile=signed.db.signed
$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i
$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i
$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 >/dev/null | cat_i
$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 >/dev/null | cat_i
$SIGNER -S -o $zone -f $outfile $infile > /dev/null 2> signer.err || cat signer.err
$SIGNER -S -o $zone -f $outfile $infile >/dev/null 2>signer.err || cat signer.err
echo_i "signed zone '$zone'"

10
bin/tests/system/filter-aaaa/prereq.sh
View file

@ -14,14 +14,14 @@
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
$FEATURETEST --have-dlopen || {
echo_i "dlopen() not supported - skipping filter-aaaa test"
exit 255
$FEATURETEST --have-dlopen || {
echo_i "dlopen() not supported - skipping filter-aaaa test"
exit 255
}
$FEATURETEST --tsan && {
echo_i "TSAN - skipping dlzexternal test"
exit 255
echo_i "TSAN - skipping dlzexternal test"
exit 255
}
exit 0

1543
bin/tests/system/filter-aaaa/tests.sh
View file

File diff suppressed because it is too large Load diff

6
bin/tests/system/formerr/clean.sh
View file

@ -11,9 +11,9 @@
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
rm -f nametoolong.out
rm -f twoquestions.out
rm -f noquestions.out
rm -f nametoolong.out
rm -f twoquestions.out
rm -f noquestions.out
rm -f ns*/named.conf
rm -f ns*/named.lock
rm -f ns*/named.run

30
bin/tests/system/formerr/tests.sh
View file

@ -17,29 +17,29 @@ SYSTEMTESTTOP=..
status=0
echo_i "test name too long"
$PERL formerr.pl -a 10.53.0.1 -p ${PORT} nametoolong > nametoolong.out
ans=`grep got: nametoolong.out`
if [ "${ans}" != "got: 000080010000000000000000" ];
then
echo_i "failed"; status=`expr $status + 1`;
$PERL formerr.pl -a 10.53.0.1 -p ${PORT} nametoolong >nametoolong.out
ans=$(grep got: nametoolong.out)
if [ "${ans}" != "got: 000080010000000000000000" ]; then
echo_i "failed"
status=$(expr $status + 1)
fi
echo_i "two questions"
$PERL formerr.pl -a 10.53.0.1 -p ${PORT} twoquestions > twoquestions.out
ans=`grep got: twoquestions.out`
if [ "${ans}" != "got: 000080010000000000000000" ];
then
echo_i "failed"; status=`expr $status + 1`;
$PERL formerr.pl -a 10.53.0.1 -p ${PORT} twoquestions >twoquestions.out
ans=$(grep got: twoquestions.out)
if [ "${ans}" != "got: 000080010000000000000000" ]; then
echo_i "failed"
status=$(expr $status + 1)
fi
# this would be NOERROR if it included a COOKIE option,
# but is a FORMERR without one.
echo_i "empty question section (and no COOKIE option)"
$PERL formerr.pl -a 10.53.0.1 -p ${PORT} noquestions > noquestions.out
ans=`grep got: noquestions.out`
if [ "${ans}" != "got: 000080010000000000000000" ];
then
echo_i "failed"; status=`expr $status + 1`;
$PERL formerr.pl -a 10.53.0.1 -p ${PORT} noquestions >noquestions.out
ans=$(grep got: noquestions.out)
if [ "${ans}" != "got: 000080010000000000000000" ]; then
echo_i "failed"
status=$(expr $status + 1)
fi
echo_i "exit status: $status"

6
bin/tests/system/forward/ns1/sign.sh
View file

@ -25,10 +25,10 @@ echo_i "ns1/sign.sh"
ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -g -o "$zone" "$zonefile" >/dev/null 2>&1
# Configure the resolving server with a static key.
keyfile_to_static_ds "$ksk" > trusted.conf
keyfile_to_static_ds "$ksk" >trusted.conf
cp trusted.conf ../ns3/trusted.conf

29
bin/tests/system/forward/prereq.sh
View file

@ -14,24 +14,21 @@
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
if $PERL -e 'use Net::DNS;' 2>/dev/null
then
:
if $PERL -e 'use Net::DNS;' 2>/dev/null; then
:
else
echo_i "This test requires the Net::DNS library." >&2
exit 1
echo_i "This test requires the Net::DNS library." >&2
exit 1
fi
if test -n "$PYTHON"
then
if $PYTHON -c "import dns" 2> /dev/null
then
:
else
echo_i "This test requires the dnspython module." >&2
exit 1
fi
else
echo_i "This test requires Python and the dnspython module." >&2
if test -n "$PYTHON"; then
if $PYTHON -c "import dns" 2>/dev/null; then
:
else
echo_i "This test requires the dnspython module." >&2
exit 1
fi
else
echo_i "This test requires Python and the dnspython module." >&2
exit 1
fi

4
bin/tests/system/forward/setup.sh
View file

@ -25,6 +25,6 @@ copy_setports ns9/named1.conf.in ns9/named.conf
copy_setports ns10/named.conf.in ns10/named.conf
(
cd ns1
$SHELL sign.sh
cd ns1
$SHELL sign.sh
)

304
bin/tests/system/forward/tests.sh
View file

@ -16,15 +16,15 @@ SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"
dig_with_opts() (
"$DIG" -p "$PORT" "$@"
"$DIG" -p "$PORT" "$@"
)
sendcmd() (
"$PERL" ../send.pl 10.53.0.6 "$EXTRAPORT1"
"$PERL" ../send.pl 10.53.0.6 "$EXTRAPORT1"
)
rndccmd() {
"$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@"
"$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@"
}
root=10.53.0.1
@ -35,156 +35,156 @@ f2=10.53.0.4
status=0
n=0
n=$((n+1))
n=$((n + 1))
echo_i "checking that a forward zone overrides global forwarders ($n)"
ret=0
dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example1. txt @$f1 > dig.out.$n.f1 || ret=1
dig_with_opts +noadd +noauth txt.example1. txt @$hidden >dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example1. txt @$f1 >dig.out.$n.f1 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that a forward first zone no forwarders recurses ($n)"
ret=0
dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$f1 > dig.out.$n.f1 || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$root >dig.out.$n.root || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$f1 >dig.out.$n.f1 || ret=1
digcomp dig.out.$n.root dig.out.$n.f1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that a forward only zone no forwarders fails ($n)"
ret=0
dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$f1 > dig.out.$n.f1 || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$root >dig.out.$n.root || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$f1 >dig.out.$n.f1 || ret=1
digcomp dig.out.$n.root dig.out.$n.f1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that global forwarders work ($n)"
ret=0
dig_with_opts +noadd +noauth txt.example4. txt @$hidden > dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example4. txt @$f1 > dig.out.$n.f1 || ret=1
dig_with_opts +noadd +noauth txt.example4. txt @$hidden >dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example4. txt @$f1 >dig.out.$n.f1 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that a forward zone works ($n)"
ret=0
dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example1. txt @$f2 > dig.out.$n.f2 || ret=1
dig_with_opts +noadd +noauth txt.example1. txt @$hidden >dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example1. txt @$f2 >dig.out.$n.f2 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that forwarding doesn't spontaneously happen ($n)"
ret=0
dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$f2 > dig.out.$n.f2 || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$root >dig.out.$n.root || ret=1
dig_with_opts +noadd +noauth txt.example2. txt @$f2 >dig.out.$n.f2 || ret=1
digcomp dig.out.$n.root dig.out.$n.f2 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that a forward zone with no specified policy works ($n)"
ret=0
dig_with_opts +noadd +noauth txt.example3. txt @$hidden > dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example3. txt @$f2 > dig.out.$n.f2 || ret=1
dig_with_opts +noadd +noauth txt.example3. txt @$hidden >dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example3. txt @$f2 >dig.out.$n.f2 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that a forward only doesn't recurse ($n)"
ret=0
dig_with_opts txt.example5. txt @$f2 > dig.out.$n.f2 || ret=1
grep "SERVFAIL" dig.out.$n.f2 > /dev/null || ret=1
dig_with_opts txt.example5. txt @$f2 >dig.out.$n.f2 || ret=1
grep "SERVFAIL" dig.out.$n.f2 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking for negative caching of forwarder response ($n)"
# prime the cache, shutdown the forwarder then check that we can
# get the answer from the cache. restart forwarder.
ret=0
dig_with_opts nonexist. txt @10.53.0.5 > dig.out.$n.f2 || ret=1
grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null || ret=1
dig_with_opts nonexist. txt @10.53.0.5 >dig.out.$n.f2 || ret=1
grep "status: NXDOMAIN" dig.out.$n.f2 >/dev/null || ret=1
stop_server ns4 || ret=1
dig_with_opts nonexist. txt @10.53.0.5 > dig.out.$n.f2 || ret=1
grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null || ret=1
dig_with_opts nonexist. txt @10.53.0.5 >dig.out.$n.f2 || ret=1
grep "status: NXDOMAIN" dig.out.$n.f2 >/dev/null || ret=1
start_server --restart --noclean --port "${PORT}" ns4 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
check_override() (
dig_with_opts 1.0.10.in-addr.arpa TXT @10.53.0.4 > dig.out.$n.f2 &&
grep "status: NOERROR" dig.out.$n.f2 > /dev/null &&
dig_with_opts 2.0.10.in-addr.arpa TXT @10.53.0.4 > dig.out.$n.f2 &&
grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null
dig_with_opts 1.0.10.in-addr.arpa TXT @10.53.0.4 >dig.out.$n.f2 \
&& grep "status: NOERROR" dig.out.$n.f2 >/dev/null \
&& dig_with_opts 2.0.10.in-addr.arpa TXT @10.53.0.4 >dig.out.$n.f2 \
&& grep "status: NXDOMAIN" dig.out.$n.f2 >/dev/null
)
n=$((n+1))
n=$((n + 1))
echo_i "checking that forward only zone overrides empty zone ($n)"
ret=0
# retry loop in case the server restart above causes transient failure
retry_quiet 10 check_override || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that DS lookups for grafting forward zones are isolated ($n)"
ret=0
dig_with_opts grafted A @10.53.0.4 > dig.out.$n.q1 || ret=1
dig_with_opts grafted DS @10.53.0.4 > dig.out.$n.q2 || ret=1
dig_with_opts grafted A @10.53.0.4 > dig.out.$n.q3 || ret=1
dig_with_opts grafted AAAA @10.53.0.4 > dig.out.$n.q4 || ret=1
grep "status: NOERROR" dig.out.$n.q1 > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.$n.q2 > /dev/null || ret=1
grep "status: NOERROR" dig.out.$n.q3 > /dev/null || ret=1
grep "status: NOERROR" dig.out.$n.q4 > /dev/null || ret=1
dig_with_opts grafted A @10.53.0.4 >dig.out.$n.q1 || ret=1
dig_with_opts grafted DS @10.53.0.4 >dig.out.$n.q2 || ret=1
dig_with_opts grafted A @10.53.0.4 >dig.out.$n.q3 || ret=1
dig_with_opts grafted AAAA @10.53.0.4 >dig.out.$n.q4 || ret=1
grep "status: NOERROR" dig.out.$n.q1 >/dev/null || ret=1
grep "status: NXDOMAIN" dig.out.$n.q2 >/dev/null || ret=1
grep "status: NOERROR" dig.out.$n.q3 >/dev/null || ret=1
grep "status: NOERROR" dig.out.$n.q4 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that rfc1918 inherited 'forward first;' zones are warned about ($n)"
ret=0
$CHECKCONF rfc1918-inherited.conf | grep "forward first;" >/dev/null || ret=1
$CHECKCONF rfc1918-notinherited.conf | grep "forward first;" >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that ULA inherited 'forward first;' zones are warned about ($n)"
ret=0
$CHECKCONF ula-inherited.conf | grep "forward first;" >/dev/null || ret=1
$CHECKCONF ula-notinherited.conf | grep "forward first;" >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
count_sent() (
logfile="$1"
start_pattern="$2"
pattern="$3"
nextpartpeek "$logfile" | tr -d '\r' | sed -n "/$start_pattern/,/^\$/p" | grep -c "$pattern"
logfile="$1"
start_pattern="$2"
pattern="$3"
nextpartpeek "$logfile" | tr -d '\r' | sed -n "/$start_pattern/,/^\$/p" | grep -c "$pattern"
)
check_sent() (
expected="$1"
shift
count=$(count_sent "$@")
[ "$expected" = "$count" ]
expected="$1"
shift
count=$(count_sent "$@")
[ "$expected" = "$count" ]
)
wait_for_log() (
nextpartpeek "$1" | grep "$2" >/dev/null
nextpartpeek "$1" | grep "$2" >/dev/null
)
n=$((n+1))
n=$((n + 1))
echo_i "checking that a forwarder timeout prevents it from being reused in the same fetch context ($n)"
ret=0
# Make ans6 receive queries without responding to them.
@ -194,19 +194,19 @@ echo "//" | sendcmd
# when a delegation is encountered after falling back to full recursive
# resolution.
nextpart ns3/named.run >/dev/null
dig_with_opts txt.example7. txt @$f1 > dig.out.$n.f1 || ret=1
dig_with_opts txt.example7. txt @$f1 >dig.out.$n.f1 || ret=1
# The forwarder for the "example7" zone should only be queried once.
start_pattern="sending packet to 10\.53\.0\.6"
retry_quiet 5 wait_for_log ns3/named.run "$start_pattern"
check_sent 1 ns3/named.run "$start_pattern" ";txt\.example7\.[[:space:]]*IN[[:space:]]*TXT$" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that priming queries are not forwarded ($n)"
ret=0
nextpart ns7/named.run >/dev/null
dig_with_opts +noadd +noauth txt.example1. txt @10.53.0.7 > dig.out.$n.f7 || ret=1
dig_with_opts +noadd +noauth txt.example1. txt @10.53.0.7 >dig.out.$n.f7 || ret=1
received_pattern="received packet from 10\.53\.0\.1"
start_pattern="sending packet to 10\.53\.0\.1"
retry_quiet 5 wait_for_log ns7/named.run "$received_pattern" || ret=1
@ -216,35 +216,35 @@ sent=$(grep -c "10.53.0.7#.* (.): query '\./NS/IN' approved" ns4/named.run)
sent=$(grep -c "10.53.0.7#.* (.): query '\./NS/IN' approved" ns1/named.run)
[ "$sent" -eq 1 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking recovery from forwarding to a non-recursive server ($n)"
ret=0
dig_with_opts xxx.sld.tld txt @10.53.0.8 > dig.out.$n.f8 || ret=1
grep "status: NOERROR" dig.out.$n.f8 > /dev/null || ret=1
dig_with_opts xxx.sld.tld txt @10.53.0.8 >dig.out.$n.f8 || ret=1
grep "status: NOERROR" dig.out.$n.f8 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking that rebinding protection works in forward only mode ($n)"
ret=0
# 10.53.0.5 will forward target.malicious. query to 10.53.0.4
# which in turn will return a CNAME for subdomain.rebind.
# to honor the option deny-answer-aliases { "rebind"; };
# ns5 should return a SERVFAIL to avoid potential rebinding attacks
dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. > dig.out.$n || ret=1
grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1
dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. >dig.out.$n || ret=1
grep "status: SERVFAIL" dig.out.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking switch from forwarding to normal resolution while chasing DS ($n)"
ret=0
copy_setports ns3/named2.conf.in ns3/named.conf
rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
sleep 1
sendcmd << EOF
sendcmd <<EOF
/ns1.sld.tld/A/
300 A 10.53.0.2
/sld.tld/NS/
@ -252,61 +252,61 @@ sendcmd << EOF
/sld.tld/
EOF
nextpart ns3/named.run >/dev/null
dig_with_opts @$f1 xxx.yyy.sld.tld ds > dig.out.$n.f1 || ret=1
grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1
dig_with_opts @$f1 xxx.yyy.sld.tld ds >dig.out.$n.f1 || ret=1
grep "status: SERVFAIL" dig.out.$n.f1 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
#
# Check various spoofed response scenarios. The same tests will be
# run twice, with "forward first" and "forward only" configurations.
#
run_spooftests () {
n=$((n+1))
echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
# check 'net' is not poisoned.
dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1
# check 'sub.local.net' is not poisoned.
dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
run_spooftests() {
n=$((n + 1))
echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 attackSecureDomain.net >dig.out.$n.prime || ret=1
# check 'net' is not poisoned.
dig_with_opts @10.53.0.9 diditwork.net. TXT >dig.out.$n.net || ret=1
grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net >/dev/null || ret=1
# check 'sub.local.net' is not poisoned.
dig_with_opts @10.53.0.9 sub.local.net TXT >dig.out.$n.sub || ret=1
grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n+1))
echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
# check that net2/DNAME is not cached
dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n + 1))
echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 attackSecureDomain.net2 >dig.out.$n.prime || ret=1
# check that net2/DNAME is not cached
dig_with_opts @10.53.0.9 net2. DNAME >dig.out.$n.net2 || ret=1
grep "ANSWER: 0," dig.out.$n.net2 >/dev/null || ret=1
grep "status: NXDOMAIN" dig.out.$n.net2 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n+1))
echo_i "checking spoofed response scenario 3 - extra answer ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1
# check extra net3 records are not cached
rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i
for try in 1 2 3 4 5; do
lines=$(grep "net3" ns9/named_dump.db | wc -l)
if [ ${lines} -eq 0 ]; then
sleep 1
continue
fi
[ ${lines} -eq 1 ] || ret=1
grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1
grep -q '^local.net3' ns9/named_dump.db && ret=1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n + 1))
echo_i "checking spoofed response scenario 3 - extra answer ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 attackSecureDomain.net3 >dig.out.$n.prime || ret=1
# check extra net3 records are not cached
rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i
for try in 1 2 3 4 5; do
lines=$(grep "net3" ns9/named_dump.db | wc -l)
if [ ${lines} -eq 0 ]; then
sleep 1
continue
fi
[ ${lines} -eq 1 ] || ret=1
grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1
grep -q '^local.net3' ns9/named_dump.db && ret=1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
}
echo_i "checking spoofed response scenarios with forward first zones"
@ -330,31 +330,31 @@ rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
sleep 1
n=$((n+1))
n=$((n + 1))
echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
dig_with_opts @10.53.0.9 attackSecureDomain.net >dig.out.$n.prime || ret=1
# check 'net' is poisoned.
dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1
dig_with_opts @10.53.0.9 diditwork.net. TXT >dig.out.$n.net || ret=1
grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net >/dev/null || ret=1
# check 'sub.local.net' is poisoned.
dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1
dig_with_opts @10.53.0.9 sub.local.net TXT >dig.out.$n.sub || ret=1
grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
n=$((n+1))
n=$((n + 1))
echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
dig_with_opts @10.53.0.9 attackSecureDomain.net2 >dig.out.$n.prime || ret=1
# check that net2/DNAME is cached
dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1
grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1
dig_with_opts @10.53.0.9 net2. DNAME >dig.out.$n.net2 || ret=1
grep "ANSWER: 1," dig.out.$n.net2 >/dev/null || ret=1
grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
#
# This test doesn't use any forwarder clauses but is here because it
@ -367,17 +367,17 @@ rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
sleep 1
n=$((n+1))
n=$((n + 1))
echo_i "checking sibling glue below zone ($n)"
ret=0
# prime
dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1
dig_with_opts @10.53.0.9 sibling.tld >dig.out.$n.prime || ret=1
# check for glue A record for sub.local.tld is not used
dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1
grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1
grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1
dig_with_opts @10.53.0.9 sub.local.tld TXT >dig.out.$n.sub || ret=1
grep "ANSWER: 1," dig.out.$n.sub >/dev/null || ret=1
grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
status=$((status + ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

5
bin/tests/system/genzone.sh
View file

@ -33,9 +33,8 @@ cat <<EOF
3600 )
EOF
for n
do
cat <<EOF
for n; do
cat <<EOF
@ NS ns${n}
ns${n} A 10.53.0.${n}
EOF

4
bin/tests/system/geoip2/prereq.sh
View file

@ -15,7 +15,7 @@ SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
$FEATURETEST --have-geoip2 || {
echo_i "This test requires GeoIP support." >&2
exit 255
echo_i "This test requires GeoIP support." >&2
exit 255
}
exit 0

4
bin/tests/system/geoip2/setup.sh
View file

@ -19,6 +19,6 @@ $SHELL clean.sh
copy_setports ns2/named1.conf.in ns2/named.conf
for i in 1 2 3 4 5 6 7 other bogus; do
cp ns2/example.db.in ns2/example${i}.db
echo "@ IN TXT \"$i\"" >> ns2/example$i.db
cp ns2/example.db.in ns2/example${i}.db
echo "@ IN TXT \"$i\"" >>ns2/example$i.db
done

319
bin/tests/system/geoip2/tests.sh
View file

@ -23,55 +23,52 @@ DIGOPTS="+tcp +short -p ${PORT} @10.53.0.2"
DIGOPTS6="+tcp +short -p ${PORT} @fd92:7065:b8e:ffff::2 -6"
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
for conf in conf/good*.conf
do
n=`expr $n + 1`
echo_i "checking that $conf is accepted ($n)"
ret=0
$CHECKCONF "$conf" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
for conf in conf/good*.conf; do
n=$(expr $n + 1)
echo_i "checking that $conf is accepted ($n)"
ret=0
$CHECKCONF "$conf" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$(expr $status + $ret)
done
for conf in conf/bad*.conf
do
n=`expr $n + 1`
echo_i "checking that $conf is rejected ($n)"
ret=0
$CHECKCONF "$conf" >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
for conf in conf/bad*.conf; do
n=$(expr $n + 1)
echo_i "checking that $conf is rejected ($n)"
ret=0
$CHECKCONF "$conf" >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$(expr $status + $ret)
done
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking Country database by code using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
if testsock6 fd92:7065:b8e:ffff::3
then
n=`expr $n + 1`
if testsock6 fd92:7065:b8e:ffff::3; then
n=$(expr $n + 1)
echo_i "checking Country database by code using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
else
echo_i "IPv6 unavailable; skipping IPv6 country code test"
fi
@ -82,35 +79,34 @@ $CHECKCONF ns2/named.conf | cat_i
rndc_reload ns2 10.53.0.2
sleep 3
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking Country database with nested ACLs using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
if testsock6 fd92:7065:b8e:ffff::3
then
n=`expr $n + 1`
if testsock6 fd92:7065:b8e:ffff::3; then
n=$(expr $n + 1)
echo_i "checking Country database with nested ACLs using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
else
echo_i "IPv6 unavailable; skipping IPv6 country nested ACL test"
fi
@ -121,35 +117,34 @@ $CHECKCONF ns2/named.conf | cat_i
rndc_reload ns2 10.53.0.2
sleep 3
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking Country database by name using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
if testsock6 fd92:7065:b8e:ffff::3
then
n=`expr $n + 1`
if testsock6 fd92:7065:b8e:ffff::3; then
n=$(expr $n + 1)
echo_i "checking Country database by name using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
else
echo_i "IPv6 unavailable; skipping IPv6 country name test"
fi
@ -160,37 +155,36 @@ $CHECKCONF ns2/named.conf | cat_i
rndc_reload ns2 10.53.0.2
sleep 3
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking Country database by continent code using IPv4 ($n)"
ret=0
lret=0
# deliberately skipping 4 and 6 as they have duplicate continents
for i in 1 2 3 5 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
if testsock6 fd92:7065:b8e:ffff::3
then
n=`expr $n + 1`
if testsock6 fd92:7065:b8e:ffff::3; then
n=$(expr $n + 1)
echo_i "checking Country database by continent code using IPv6 ($n)"
ret=0
lret=0
# deliberately skipping 4 and 6 as they have duplicate continents
for i in 1 2 3 5 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
else
echo_i "IPv6 unavailable; skipping IPv6 continent code test"
fi
@ -201,77 +195,75 @@ $CHECKCONF ns2/named.conf | cat_i
rndc_reload ns2 10.53.0.2
sleep 3
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking City database by region code using IPv4 ($n)"
ret=0
lret=0
# skipping 2 on purpose here; it has the same region code as 1
for i in 1 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
if testsock6 fd92:7065:b8e:ffff::3
then
n=`expr $n + 1`
if testsock6 fd92:7065:b8e:ffff::3; then
n=$(expr $n + 1)
echo_i "checking City database by region code using IPv6 ($n)"
ret=0
lret=0
# skipping 2 on purpose here; it has the same region code as 1
# skipping 2 on purpose here; it has the same region code as 1
for i in 1 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
else
echo_i "IPv6 unavailable; skipping IPv6 region code test"
fi
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "reloading server"
copy_setports ns2/named6.conf.in ns2/named.conf
$CHECKCONF ns2/named.conf | cat_i
rndc_reload ns2 10.53.0.2
sleep 3
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking City database by city name using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
if testsock6 fd92:7065:b8e:ffff::3
then
n=`expr $n + 1`
if testsock6 fd92:7065:b8e:ffff::3; then
n=$(expr $n + 1)
echo_i "checking City database by city name using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
else
echo_i "IPv6 unavailable; skipping IPv6 city test"
fi
@ -282,35 +274,34 @@ $CHECKCONF ns2/named.conf | cat_i
rndc_reload ns2 10.53.0.2
sleep 3
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking ISP database using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
if testsock6 fd92:7065:b8e:ffff::3
then
n=`expr $n + 1`
if testsock6 fd92:7065:b8e:ffff::3; then
n=$(expr $n + 1)
echo_i "checking ISP database using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
else
echo_i "IPv6 unavailable; skipping IPv6 ISP test"
fi
@ -321,35 +312,34 @@ $CHECKCONF ns2/named.conf | cat_i
rndc_reload ns2 10.53.0.2
sleep 3
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking ASN database by org name using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
if testsock6 fd92:7065:b8e:ffff::3
then
n=`expr $n + 1`
if testsock6 fd92:7065:b8e:ffff::3; then
n=$(expr $n + 1)
echo_i "checking ASN database by org name using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
else
echo_i "IPv6 unavailable; skipping IPv6 ASN test"
fi
@ -360,35 +350,34 @@ $CHECKCONF ns2/named.conf | cat_i
rndc_reload ns2 10.53.0.2
sleep 3
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking GeoIP6 ASN database, ASNNNN only, using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
if testsock6 fd92:7065:b8e:ffff::3
then
n=`expr $n + 1`
if testsock6 fd92:7065:b8e:ffff::3; then
n=$(expr $n + 1)
echo_i "checking ASN database, ASNNNN only, using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
else
echo_i "IPv6 unavailable; skipping IPv6 ASN test"
fi
@ -399,35 +388,34 @@ $CHECKCONF ns2/named.conf | cat_i
rndc_reload ns2 10.53.0.2
sleep 3
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking GeoIP6 ASN database, NNNN only, using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
if testsock6 fd92:7065:b8e:ffff::3
then
n=`expr $n + 1`
if testsock6 fd92:7065:b8e:ffff::3; then
n=$(expr $n + 1)
echo_i "checking ASN database, NNNN only, using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
else
echo_i "IPv6 unavailable; skipping IPv6 ASN test"
fi
@ -438,35 +426,34 @@ $CHECKCONF ns2/named.conf | cat_i
rndc_reload ns2 10.53.0.2
sleep 3
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking Domain database using IPv4 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
if testsock6 fd92:7065:b8e:ffff::3
then
n=`expr $n + 1`
if testsock6 fd92:7065:b8e:ffff::3; then
n=$(expr $n + 1)
echo_i "checking Domain database using IPv6 ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
else
echo_i "IPv6 unavailable; skipping IPv6 Domain test"
fi
@ -477,13 +464,13 @@ $CHECKCONF ns2/named.conf | cat_i
rndc_reload ns2 10.53.0.2
sleep 3
n=`expr $n + 1`
n=$(expr $n + 1)
echo_i "checking geoip blackhole ACL ($n)"
ret=0
$DIG $DIGOPTS txt example -b 10.53.0.7 > dig.out.ns2.test$n || ret=1
$RNDCCMD 10.53.0.2 status 2>&1 > rndc.out.ns2.test$n || ret=1
$DIG $DIGOPTS txt example -b 10.53.0.7 >dig.out.ns2.test$n || ret=1
$RNDCCMD 10.53.0.2 status 2>&1 >rndc.out.ns2.test$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
status=$(expr $status + $ret)
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

2
bin/tests/system/glue/tests.sh
View file

@ -27,7 +27,7 @@ $DIG $DIGOPTS @10.53.0.1 foo.bar.fi. A >dig.out || status=1
digcomp --lc fi.good dig.out || status=1
echo_i "testing that we don't find out-of-zone glue"
$DIG $DIGOPTS @10.53.0.1 example.net. a > dig.out || status=1
$DIG $DIGOPTS @10.53.0.1 example.net. a >dig.out || status=1
digcomp noglue.good dig.out || status=1
echo_i "exit status: $status"

414
bin/tests/system/idna/tests.sh
View file

@ -17,9 +17,9 @@ SYSTEMTESTTOP=..
# Set known locale for the tests
if locale -a | grep -qE "^C\\.(UTF-8|utf8)"; then
LC_ALL="C.UTF-8"
LC_ALL="C.UTF-8"
elif locale -a | grep -qE "^en_US\\.(UTF-8|utf8)"; then
LC_ALL="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
fi
export LC_ALL
@ -70,7 +70,6 @@ DIGCMD="$DIG -i -p ${PORT} @10.53.0.1"
n=0
status=0
# Function for extracting the qname from the response
#
# This is the first field in the line after the line starting
@ -79,10 +78,10 @@ status=0
# The string returned includes the trailing period.
qname() {
awk 'BEGIN { qs = 0; } \
awk 'BEGIN { qs = 0; } \
/;; QUESTION SECTION:/ { qs = 1; next; } \
qs == 1 {sub(";", "", $1) ; print $1; exit 0; }' \
$1
$1
}
# Function for performing a test where "dig" is expected to succeed.
@ -95,26 +94,26 @@ qname() {
# parameter should have that period as well.
idna_test() {
n=`expr $n + 1`
description=$1
if [ "$2" != "" ]; then
description="${description}: $2"
fi
echo_i "$description ($n)"
n=$(expr $n + 1)
description=$1
if [ "$2" != "" ]; then
description="${description}: $2"
fi
echo_i "$description ($n)"
ret=0
$DIGCMD $2 $3 > dig.out.$n 2>&1
if [ $? -ne 0 ]; then
echo_i "failed: dig command returned non-zero status"
ret=1
else
actual=`qname dig.out.$n`
if [ "$4" != "$actual" ]; then
echo_i "failed: expected answer $4, actual result $actual"
ret=1
fi
ret=0
$DIGCMD $2 $3 >dig.out.$n 2>&1
if [ $? -ne 0 ]; then
echo_i "failed: dig command returned non-zero status"
ret=1
else
actual=$(qname dig.out.$n)
if [ "$4" != "$actual" ]; then
echo_i "failed: expected answer $4, actual result $actual"
ret=1
fi
status=`expr $status + $ret`
fi
status=$(expr $status + $ret)
}
# Function for performing a test where "dig" is expected to fail
@ -124,20 +123,20 @@ idna_test() {
# $3 - Name being queried
idna_fail() {
n=`expr $n + 1`
description=$1
if [ "$2" != "" ]; then
description="${description}: $2"
fi
echo_i "$description ($n)"
n=$(expr $n + 1)
description=$1
if [ "$2" != "" ]; then
description="${description}: $2"
fi
echo_i "$description ($n)"
ret=0
$DIGCMD $2 $3 > dig.out.$n 2>&1
if [ $? -eq 0 ]; then
echo_i "failed: dig command unexpectedly succeeded"
ret=1
fi
status=`expr $status + $ret`
ret=0
$DIGCMD $2 $3 >dig.out.$n 2>&1
if [ $? -eq 0 ]; then
echo_i "failed: dig command unexpectedly succeeded"
ret=1
fi
status=$(expr $status + $ret)
}
# Function to check that case is preserved for an all-ASCII label.
@ -158,221 +157,210 @@ idna_fail() {
# as the qname.
ascii_case_preservation_test() {
text="Checking valid ASCII label"
idna_test "$text" "" LocalhosT LocalhosT.
idna_test "$text" "+noidnin +noidnout" LocalhosT LocalhosT.
idna_test "$text" "+noidnin +idnout" LocalhosT LocalhosT.
idna_test "$text" "+idnin +noidnout" LocalhosT LocalhosT.
idna_test "$text" "+idnin +idnout" LocalhosT LocalhosT.
text="Checking valid ASCII label"
idna_test "$text" "" LocalhosT LocalhosT.
idna_test "$text" "+noidnin +noidnout" LocalhosT LocalhosT.
idna_test "$text" "+noidnin +idnout" LocalhosT LocalhosT.
idna_test "$text" "+idnin +noidnout" LocalhosT LocalhosT.
idna_test "$text" "+idnin +idnout" LocalhosT LocalhosT.
}
# Function to perform the tests if IDNA is enabled.
idna_enabled_test() {
echo_i "IDNA is enabled, all IDNA tests will be performed"
# Check that case is preserved on an ASCII label.
echo_i "IDNA is enabled, all IDNA tests will be performed"
# Check that case is preserved on an ASCII label.
ascii_case_preservation_test
ascii_case_preservation_test
# Test of a valid U-label
#
# +noidnin +noidnout: The label is sent as a unicode octet stream and dig
# will display the string in the \nnn format.
# +noidnin +idnout: As for the previous case.
# +idnin +noidnout: The label is converted to the xn-- format. "dig"
# displays the returned xn-- text.
# +idnin +idnout: The label is converted to the xn-- format. "dig"
# converts the returned xn-- string back to the original
# unicode text.
#
# Note that ASCII characters are converted to lower-case.
# Test of a valid U-label
#
# +noidnin +noidnout: The label is sent as a unicode octet stream and dig
# will display the string in the \nnn format.
# +noidnin +idnout: As for the previous case.
# +idnin +noidnout: The label is converted to the xn-- format. "dig"
# displays the returned xn-- text.
# +idnin +idnout: The label is converted to the xn-- format. "dig"
# converts the returned xn-- string back to the original
# unicode text.
#
# Note that ASCII characters are converted to lower-case.
text="Checking valid non-ASCII label"
idna_test "$text" "" "München" "M\195\188nchen."
idna_test "$text" "+noidnin +noidnout" "München" "M\195\188nchen."
idna_test "$text" "+noidnin +idnout" "München" "M\195\188nchen."
idna_test "$text" "+idnin +noidnout" "München" "xn--mnchen-3ya."
idna_test "$text" "+idnin +idnout" "München" "münchen."
text="Checking valid non-ASCII label"
idna_test "$text" "" "München" "M\195\188nchen."
idna_test "$text" "+noidnin +noidnout" "München" "M\195\188nchen."
idna_test "$text" "+noidnin +idnout" "München" "M\195\188nchen."
idna_test "$text" "+idnin +noidnout" "München" "xn--mnchen-3ya."
idna_test "$text" "+idnin +idnout" "München" "münchen."
# Tests of transitional processing of a valid U-label
#
# IDNA2003 introduced national character sets but, unfortunately, didn't
# support several characters properly. One of those was the German
# character "ß" (the "Eszett" or "sharp s"), which was interpreted as "ss".
# So the domain “faß.de” domain (for example) was processed as “fass.de”.
#
# This was corrected in IDNA2008, although some vendors that adopted this
# standard chose to keep the existing IDNA2003 translation for this
# character to prevent problems (e.g. people visiting www.faß.example would,
# under IDNA2003, go to www.fass.example but under IDNA2008 would end up at
# www.fa\195\159.example - a different web site).
#
# BIND has adopted a hard transition, so this test checks that these
# transitional mapping is not used. The tests are essentially the same as
# for the valid U-label.
text="Checking that non-transitional IDNA processing is used"
idna_test "$text" "" "faß.de" "fa\195\159.de."
idna_test "$text" "+noidnin +noidnout" "faß.de" "fa\195\159.de."
idna_test "$text" "+noidnin +idnout" "faß.de" "fa\195\159.de."
idna_test "$text" "+idnin +noidnout" "faß.de" "xn--fa-hia.de."
idna_test "$text" "+idnin +idnout" "faß.de" "faß.de."
# Tests of transitional processing of a valid U-label
#
# IDNA2003 introduced national character sets but, unfortunately, didn't
# support several characters properly. One of those was the German
# character "ß" (the "Eszett" or "sharp s"), which was interpreted as "ss".
# So the domain “faß.de” domain (for example) was processed as “fass.de”.
#
# This was corrected in IDNA2008, although some vendors that adopted this
# standard chose to keep the existing IDNA2003 translation for this
# character to prevent problems (e.g. people visiting www.faß.example would,
# under IDNA2003, go to www.fass.example but under IDNA2008 would end up at
# www.fa\195\159.example - a different web site).
#
# BIND has adopted a hard transition, so this test checks that these
# transitional mapping is not used. The tests are essentially the same as
# for the valid U-label.
# Another problem character. The final character in the first label mapped
# onto the Greek sigma character ("σ") in IDNA2003.
text="Checking that non-transitional IDNA processing is used"
idna_test "$text" "" "faß.de" "fa\195\159.de."
idna_test "$text" "+noidnin +noidnout" "faß.de" "fa\195\159.de."
idna_test "$text" "+noidnin +idnout" "faß.de" "fa\195\159.de."
idna_test "$text" "+idnin +noidnout" "faß.de" "xn--fa-hia.de."
idna_test "$text" "+idnin +idnout" "faß.de" "faß.de."
text="Second check that non-transitional IDNA processing is used"
idna_test "$text" "" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com."
idna_test "$text" "+noidnin +noidnout" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com."
idna_test "$text" "+noidnin +idnout" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com."
idna_test "$text" "+idnin +noidnout" "βόλος.com" "xn--nxasmm1c.com."
idna_test "$text" "+idnin +idnout" "βόλος.com" "βόλος.com."
# Another problem character. The final character in the first label mapped
# onto the Greek sigma character ("σ") in IDNA2003.
# Tests of a valid A-label (i.e. starting xn--)
#
# +noidnout: The string is sent as-is to the server and the returned qname
# is displayed in the same form.
# +idnout: The string is sent as-is to the server and the returned qname
# is displayed as the corresponding U-label.
#
# The "+[no]idnin" flag has no effect in these cases.
text="Second check that non-transitional IDNA processing is used"
idna_test "$text" "" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com."
idna_test "$text" "+noidnin +noidnout" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com."
idna_test "$text" "+noidnin +idnout" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com."
idna_test "$text" "+idnin +noidnout" "βόλος.com" "xn--nxasmm1c.com."
idna_test "$text" "+idnin +idnout" "βόλος.com" "βόλος.com."
text="Checking valid A-label"
idna_test "$text" "" "xn--nxasmq6b.com" "xn--nxasmq6b.com."
idna_test "$text" "+noidnin +noidnout" "xn--nxasmq6b.com" "xn--nxasmq6b.com."
idna_test "$text" "+noidnin +idnout" "xn--nxasmq6b.com" "βόλοσ.com."
idna_test "$text" "+idnin +noidnout" "xn--nxasmq6b.com" "xn--nxasmq6b.com."
idna_test "$text" "+idnin +idnout" "xn--nxasmq6b.com" "βόλοσ.com."
# Test of valid A-label in locale that cannot display it
#
# +noidnout: The string is sent as-is to the server and the returned qname
# is displayed in the same form.
# +idnout: The string is sent as-is to the server and the returned qname
# is displayed as the corresponding A-label.
#
# The "+[no]idnout" flag has no effect in these cases.
saved_LC_ALL="${LC_ALL}"
LC_ALL="C"
text="Checking valid A-label in C locale"
label="xn--nxasmq6b.com"
if command -v idn2 >/dev/null && ! idn2 -d "$label" >/dev/null 2>/dev/null; then
idna_test "$text" "" "$label" "$label."
idna_test "$text" "+noidnin +noidnout" "$label" "$label."
idna_test "$text" "+noidnin +idnout" "$label" "$label."
idna_test "$text" "+idnin +noidnout" "$label" "$label."
idna_test "$text" "+idnin +idnout" "$label" "$label."
idna_test "$text" "+noidnin +idnout" "$label" "$label."
fi
LC_ALL="${saved_LC_ALL}"
# Tests of invalid A-labels
#
# +noidnin: The label is sent as-is to the server and dig will display the
# returned fake A-label in the same form.
# +idnin: "dig" should report that the label is not correct.
#
# +[no]idnout: If the label makes it to the server (via +noidnin), "dig"
# should report an error if +idnout is specified.
# Tests of a valid A-label (i.e. starting xn--)
#
# +noidnout: The string is sent as-is to the server and the returned qname
# is displayed in the same form.
# +idnout: The string is sent as-is to the server and the returned qname
# is displayed as the corresponding U-label.
#
# The "+[no]idnin" flag has no effect in these cases.
# The minimum length of a punycode A-label is 7 characters. Check that
# a shorter label is detected and rejected.
text="Checking valid A-label"
idna_test "$text" "" "xn--nxasmq6b.com" "xn--nxasmq6b.com."
idna_test "$text" "+noidnin +noidnout" "xn--nxasmq6b.com" "xn--nxasmq6b.com."
idna_test "$text" "+noidnin +idnout" "xn--nxasmq6b.com" "βόλοσ.com."
idna_test "$text" "+idnin +noidnout" "xn--nxasmq6b.com" "xn--nxasmq6b.com."
idna_test "$text" "+idnin +idnout" "xn--nxasmq6b.com" "βόλοσ.com."
text="Checking punycode label shorter than minimum valid length"
idna_test "$text" "" "xn--xx" "xn--xx."
idna_test "$text" "+noidnin +noidnout" "xn--xx" "xn--xx."
idna_fail "$text" "+noidnin +idnout" "xn--xx"
idna_fail "$text" "+idnin +noidnout" "xn--xx"
idna_fail "$text" "+idnin +idnout" "xn--xx"
# Test of valid A-label in locale that cannot display it
#
# +noidnout: The string is sent as-is to the server and the returned qname
# is displayed in the same form.
# +idnout: The string is sent as-is to the server and the returned qname
# is displayed as the corresponding A-label.
#
# The "+[no]idnout" flag has no effect in these cases.
saved_LC_ALL="${LC_ALL}"
LC_ALL="C"
text="Checking valid A-label in C locale"
label="xn--nxasmq6b.com"
if command -v idn2 >/dev/null && ! idn2 -d "$label" >/dev/null 2>/dev/null; then
idna_test "$text" "" "$label" "$label."
idna_test "$text" "+noidnin +noidnout" "$label" "$label."
idna_test "$text" "+noidnin +idnout" "$label" "$label."
idna_test "$text" "+idnin +noidnout" "$label" "$label."
idna_test "$text" "+idnin +idnout" "$label" "$label."
idna_test "$text" "+noidnin +idnout" "$label" "$label."
fi
LC_ALL="${saved_LC_ALL}"
# Fake A-label - the string does not translate to anything.
text="Checking fake A-label"
idna_test "$text" "" "xn--ahahah" "xn--ahahah."
idna_test "$text" "+noidnin +noidnout" "xn--ahahah" "xn--ahahah."
idna_fail "$text" "+noidnin +idnout" "xn--ahahah"
idna_fail "$text" "+idnin +noidnout" "xn--ahahah"
idna_fail "$text" "+idnin +idnout" "xn--ahahah"
# Too long a label. The punycode string is too long (at 64 characters).
# BIND rejects such labels: with +idnin
# Tests of invalid A-labels
#
# +noidnin: The label is sent as-is to the server and dig will display the
# returned fake A-label in the same form.
# +idnin: "dig" should report that the label is not correct.
#
# +[no]idnout: If the label makes it to the server (via +noidnin), "dig"
# should report an error if +idnout is specified.
label="xn--xflod18hstflod18hstflod18hstflod18hstflod18hstflod18-1iejjjj"
text="Checking punycode label longer than maximum valid length"
idna_fail "$text" "" "$label"
idna_fail "$text" "+noidnin +noidnout" "$label"
idna_fail "$text" "+noidnin +idnout" "$label"
idna_fail "$text" "+idnin +noidnout" "$label"
idna_fail "$text" "+idnin +idnout" "$label"
# The minimum length of a punycode A-label is 7 characters. Check that
# a shorter label is detected and rejected.
# Tests of a valid unicode string but an invalid U-label (input)
#
# Symbols are not valid IDNA2008 names. Check whether dig rejects them
# when they are supplied on the command line to ensure no IDNA2003
# fallbacks are in place.
#
# +noidnin: "dig" should send unicode octets to the server and display the
# returned qname in the same form.
# +idnin: "dig" should generate an error.
#
# The +[no]idnout options should not have any effect on the test.
text="Checking punycode label shorter than minimum valid length"
idna_test "$text" "" "xn--xx" "xn--xx."
idna_test "$text" "+noidnin +noidnout" "xn--xx" "xn--xx."
idna_fail "$text" "+noidnin +idnout" "xn--xx"
idna_fail "$text" "+idnin +noidnout" "xn--xx"
idna_fail "$text" "+idnin +idnout" "xn--xx"
text="Checking invalid input U-label"
idna_test "$text" "" "√.com" "\226\136\154.com."
idna_test "$text" "+noidnin +noidnout" "√.com" "\226\136\154.com."
idna_test "$text" "+noidnin +idnout" "√.com" "\226\136\154.com."
idna_test "$text" "+idnin +noidnout" "√.com" "xn--19g.com."
idna_test "$text" "+idnin +idnout" "√.com" "√.com."
# Fake A-label - the string does not translate to anything.
# Tests of a valid unicode string but an invalid U-label (output)
#
# Symbols are not valid IDNA2008 names. Check whether dig rejects them
# when they are received in DNS responses to ensure no IDNA2003 fallbacks
# are in place.
#
# Note that "+idnin +noidnout" is not tested because libidn2 2.2.0+ parses
# Punycode more strictly than older versions and thus dig fails with that
# combination of options with libidn2 2.2.0+ but succeeds with older
# versions.
#
# +noidnout: "dig" should send the ACE string to the server and display the
# returned qname.
# +idnout: "dig" should generate an error.
#
# The +[no]idnin options should not have any effect on the test.
text="Checking fake A-label"
idna_test "$text" "" "xn--ahahah" "xn--ahahah."
idna_test "$text" "+noidnin +noidnout" "xn--ahahah" "xn--ahahah."
idna_fail "$text" "+noidnin +idnout" "xn--ahahah"
idna_fail "$text" "+idnin +noidnout" "xn--ahahah"
idna_fail "$text" "+idnin +idnout" "xn--ahahah"
# Too long a label. The punycode string is too long (at 64 characters).
# BIND rejects such labels: with +idnin
label="xn--xflod18hstflod18hstflod18hstflod18hstflod18hstflod18-1iejjjj"
text="Checking punycode label longer than maximum valid length"
idna_fail "$text" "" "$label"
idna_fail "$text" "+noidnin +noidnout" "$label"
idna_fail "$text" "+noidnin +idnout" "$label"
idna_fail "$text" "+idnin +noidnout" "$label"
idna_fail "$text" "+idnin +idnout" "$label"
# Tests of a valid unicode string but an invalid U-label (input)
#
# Symbols are not valid IDNA2008 names. Check whether dig rejects them
# when they are supplied on the command line to ensure no IDNA2003
# fallbacks are in place.
#
# +noidnin: "dig" should send unicode octets to the server and display the
# returned qname in the same form.
# +idnin: "dig" should generate an error.
#
# The +[no]idnout options should not have any effect on the test.
text="Checking invalid input U-label"
idna_test "$text" "" "√.com" "\226\136\154.com."
idna_test "$text" "+noidnin +noidnout" "√.com" "\226\136\154.com."
idna_test "$text" "+noidnin +idnout" "√.com" "\226\136\154.com."
idna_test "$text" "+idnin +noidnout" "√.com" "xn--19g.com."
idna_test "$text" "+idnin +idnout" "√.com" "√.com."
# Tests of a valid unicode string but an invalid U-label (output)
#
# Symbols are not valid IDNA2008 names. Check whether dig rejects them
# when they are received in DNS responses to ensure no IDNA2003 fallbacks
# are in place.
#
# Note that "+idnin +noidnout" is not tested because libidn2 2.2.0+ parses
# Punycode more strictly than older versions and thus dig fails with that
# combination of options with libidn2 2.2.0+ but succeeds with older
# versions.
#
# +noidnout: "dig" should send the ACE string to the server and display the
# returned qname.
# +idnout: "dig" should generate an error.
#
# The +[no]idnin options should not have any effect on the test.
text="Checking invalid output U-label"
idna_test "$text" "" "xn--19g" "xn--19g."
idna_test "$text" "+noidnin +noidnout" "xn--19g" "xn--19g."
idna_test "$text" "+noidnin +idnout" "xn--19g" "√."
idna_test "$text" "+idnin +idnout" "xn--19g" "√."
text="Checking invalid output U-label"
idna_test "$text" "" "xn--19g" "xn--19g."
idna_test "$text" "+noidnin +noidnout" "xn--19g" "xn--19g."
idna_test "$text" "+noidnin +idnout" "xn--19g" "√."
idna_test "$text" "+idnin +idnout" "xn--19g" "√."
}
# Function to perform tests if IDNA is not enabled.
idna_disabled_test() {
echo_i "IDNA is disabled, only case mapping tests will be performed"
ascii_case_preservation_test
echo_i "IDNA is disabled, only case mapping tests will be performed"
ascii_case_preservation_test
}
# Main test begins here
$FEATURETEST --with-idn
if [ $? -eq 0 ]; then
idna_enabled_test
idna_enabled_test
else
idna_disabled_test
idna_disabled_test
fi
exit $status

408
bin/tests/system/ifconfig.sh
View file

@ -34,195 +34,195 @@ sys=$($SHELL "$TOP/config.guess")
use_ip=
case "$sys" in
*-*-linux*)
if type ip > /dev/null; then
use_ip=yes
elif type ifconfig > /dev/null; then
:
else
echo "$0: can't find ip or ifconfig" >&2
exit 1
fi
;;
*-*-linux*)
if type ip >/dev/null; then
use_ip=yes
elif type ifconfig >/dev/null; then
:
else
echo "$0: can't find ip or ifconfig" >&2
exit 1
fi
;;
esac
up() {
case "$sys" in
*-pc-solaris2.5.1)
[ "$a" ] && ifconfig lo0:$int $a netmask 0xffffffff up
;;
*-sun-solaris2.[6-7])
[ "$a" ] && ifconfig lo0:$int $a netmask 0xffffffff up
;;
*-*-solaris2.[8-9]|*-*-solaris2.10)
[ "$a" ] && {
/sbin/ifconfig lo0:$int plumb
/sbin/ifconfig lo0:$int $a up
/sbin/ifconfig lo0:$int mtu 1500
}
[ "$aaaa" ] && {
/sbin/ifconfig lo0:$int inet6 plumb
/sbin/ifconfig lo0:$int inet6 $aaaa up
}
;;
*-*-solaris2.1[1-9])
[ "$a" ] && {
/sbin/ipadm create-addr -t -T static \
-a $a lo0/bind9v4$int ||
echo failed lo0/bind9v4$int
}
[ "$aaaa" ] && {
/sbin/ipadm create-addr -t -T static \
-a $aaaa lo0/bind9v6$int ||
echo failed lo0/bind9v6$int
}
;;
*-*-linux*)
if [ "$use_ip" ]; then
ip address add $a/24 dev lo:$int
ip link set dev lo:$int mtu 1500
[ "$aaaa" ] && ip address add $aaaa/64 dev lo
else
ifconfig lo:$int $a up netmask 255.255.255.0 mtu 1500
[ "$aaaa" ] && ifconfig lo inet6 add $aaaa/64
fi
;;
*-unknown-freebsd*)
[ "$a" ] && ifconfig lo0 $a alias netmask 0xffffffff mtu 1500
[ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias
;;
*-unknown-dragonfly*|*-unknown-netbsd*|*-unknown-openbsd*)
[ "$a" ] && ifconfig lo0 $a alias netmask 255.255.255.0 mtu 1500
[ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias
;;
*-*-bsdi[3-5].*)
[ "$a" ] && ifconfig lo0 add $a netmask 255.255.255.0
;;
*-dec-osf[4-5].*)
[ "$a" ] && ifconfig lo0 alias $a
;;
*-sgi-irix6.*)
[ "$a" ] && ifconfig lo0 alias $a
;;
*-*-sysv5uw7*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
[ "$a" ] && ifconfig lo0 $a alias netmask 0xffffffff
;;
*-ibm-aix4.*|*-ibm-aix5.*)
[ "$a" ] && ifconfig lo0 alias $a
[ "$aaaa" ] && ifconfig lo0 inet6 alias -dad $aaaa/64
;;
hpux)
[ "$a" ] && ifconfig lo0:$int $a netmask 255.255.255.0 up
[ "$aaaa" ] && ifconfig lo0:$int inet6 $aaaa up
;;
*-sco3.2v*)
[ "$a" ] && ifconfig lo0 alias $a
;;
*-darwin*)
[ "$a" ] && ifconfig lo0 alias $a
[ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias
;;
*-cygwin*)
echo "Please run ifconfig.bat as Administrator."
exit 1
;;
*)
echo "Don't know how to set up interface. Giving up."
exit 1
;;
esac
case "$sys" in
*-pc-solaris2.5.1)
[ "$a" ] && ifconfig lo0:$int $a netmask 0xffffffff up
;;
*-sun-solaris2.[6-7])
[ "$a" ] && ifconfig lo0:$int $a netmask 0xffffffff up
;;
*-*-solaris2.[8-9] | *-*-solaris2.10)
[ "$a" ] && {
/sbin/ifconfig lo0:$int plumb
/sbin/ifconfig lo0:$int $a up
/sbin/ifconfig lo0:$int mtu 1500
}
[ "$aaaa" ] && {
/sbin/ifconfig lo0:$int inet6 plumb
/sbin/ifconfig lo0:$int inet6 $aaaa up
}
;;
*-*-solaris2.1[1-9])
[ "$a" ] && {
/sbin/ipadm create-addr -t -T static \
-a $a lo0/bind9v4$int \
|| echo failed lo0/bind9v4$int
}
[ "$aaaa" ] && {
/sbin/ipadm create-addr -t -T static \
-a $aaaa lo0/bind9v6$int \
|| echo failed lo0/bind9v6$int
}
;;
*-*-linux*)
if [ "$use_ip" ]; then
ip address add $a/24 dev lo:$int
ip link set dev lo:$int mtu 1500
[ "$aaaa" ] && ip address add $aaaa/64 dev lo
else
ifconfig lo:$int $a up netmask 255.255.255.0 mtu 1500
[ "$aaaa" ] && ifconfig lo inet6 add $aaaa/64
fi
;;
*-unknown-freebsd*)
[ "$a" ] && ifconfig lo0 $a alias netmask 0xffffffff mtu 1500
[ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias
;;
*-unknown-dragonfly* | *-unknown-netbsd* | *-unknown-openbsd*)
[ "$a" ] && ifconfig lo0 $a alias netmask 255.255.255.0 mtu 1500
[ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias
;;
*-*-bsdi[3-5].*)
[ "$a" ] && ifconfig lo0 add $a netmask 255.255.255.0
;;
*-dec-osf[4-5].*)
[ "$a" ] && ifconfig lo0 alias $a
;;
*-sgi-irix6.*)
[ "$a" ] && ifconfig lo0 alias $a
;;
*-*-sysv5uw7* | *-*-sysv*UnixWare* | *-*-sysv*OpenUNIX*)
[ "$a" ] && ifconfig lo0 $a alias netmask 0xffffffff
;;
*-ibm-aix4.* | *-ibm-aix5.*)
[ "$a" ] && ifconfig lo0 alias $a
[ "$aaaa" ] && ifconfig lo0 inet6 alias -dad $aaaa/64
;;
hpux)
[ "$a" ] && ifconfig lo0:$int $a netmask 255.255.255.0 up
[ "$aaaa" ] && ifconfig lo0:$int inet6 $aaaa up
;;
*-sco3.2v*)
[ "$a" ] && ifconfig lo0 alias $a
;;
*-darwin*)
[ "$a" ] && ifconfig lo0 alias $a
[ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias
;;
*-cygwin*)
echo "Please run ifconfig.bat as Administrator."
exit 1
;;
*)
echo "Don't know how to set up interface. Giving up."
exit 1
;;
esac
}
down() {
case "$sys" in
*-pc-solaris2.5.1)
[ "$a" ] && ifconfig lo0:$int 0.0.0.0 down
;;
*-sun-solaris2.[6-7])
[ "$a" ] && ifconfig lo0:$int $a down
;;
*-*-solaris2.[8-9]|*-*-solaris2.10)
[ "$a" ] && {
ifconfig lo0:$int $a down
ifconfig lo0:$int $a unplumb
}
[ "$aaaa" ] && {
ifconfig lo0:$int inet6 down
ifconfig lo0:$int inet6 unplumb
}
;;
*-*-solaris2.1[1-9])
[ "$a" ] && {
ipadm delete-addr lo0/bind9v4$int ||
echo failed lo0/bind9v4$int
}
[ "$aaaa" ] && {
ipadm delete-addr lo0/bind9v6$int ||
echo failed lo0/bind9v6$int
}
;;
case "$sys" in
*-pc-solaris2.5.1)
[ "$a" ] && ifconfig lo0:$int 0.0.0.0 down
;;
*-sun-solaris2.[6-7])
[ "$a" ] && ifconfig lo0:$int $a down
;;
*-*-solaris2.[8-9] | *-*-solaris2.10)
[ "$a" ] && {
ifconfig lo0:$int $a down
ifconfig lo0:$int $a unplumb
}
[ "$aaaa" ] && {
ifconfig lo0:$int inet6 down
ifconfig lo0:$int inet6 unplumb
}
;;
*-*-solaris2.1[1-9])
[ "$a" ] && {
ipadm delete-addr lo0/bind9v4$int \
|| echo failed lo0/bind9v4$int
}
[ "$aaaa" ] && {
ipadm delete-addr lo0/bind9v6$int \
|| echo failed lo0/bind9v6$int
}
;;
*-*-linux*)
if [ "$use_ip" ]; then
[ "$a" ] && ip address del $a/24 dev lo:$int
[ "$aaaa" ] && ip address del $aaaa/64 dev lo
else
[ "$a" ] && ifconfig lo:$int $a down
[ "$aaaa" ] && ifconfig lo inet6 del $aaaa/64
fi
;;
*-unknown-freebsd*)
[ "$a" ] && ifconfig lo0 $a delete
[ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete
;;
*-unknown-netbsd*)
[ "$a" ] && ifconfig lo0 $a delete
[ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete
;;
*-unknown-openbsd*)
[ "$a" ] && ifconfig lo0 $a delete
[ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete
;;
*-*-bsdi[3-5].*)
[ "$a" ] && ifconfig lo0 remove $a
;;
*-dec-osf[4-5].*)
[ "$a" ] && ifconfig lo0 -alias $a
;;
*-sgi-irix6.*)
[ "$a" ] && ifconfig lo0 -alias $a
;;
*-*-sysv5uw7*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
[ "$a" ] && ifconfig lo0 -alias $a
;;
*-ibm-aix4.*|*-ibm-aix5.*)
[ "$a" ] && ifconfig lo0 delete $a
[ "$aaaa" ] && ifconfig lo0 delete inet6 $aaaa/64
;;
hpux)
[ "$a" ] && ifconfig lo0:$int 0.0.0.0
[ "$aaaa" ] && ifconfig lo0:$int inet6 ::
;;
*-sco3.2v*)
[ "$a" ] && ifconfig lo0 -alias $a
;;
*darwin*)
[ "$a" ] && ifconfig lo0 -alias $a
[ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete
;;
*-cygwin*)
echo "Please run ifconfig.bat as Administrator."
exit 1
;;
*)
echo "Don't know how to destroy interface. Giving up."
exit 1
;;
esac
*-*-linux*)
if [ "$use_ip" ]; then
[ "$a" ] && ip address del $a/24 dev lo:$int
[ "$aaaa" ] && ip address del $aaaa/64 dev lo
else
[ "$a" ] && ifconfig lo:$int $a down
[ "$aaaa" ] && ifconfig lo inet6 del $aaaa/64
fi
;;
*-unknown-freebsd*)
[ "$a" ] && ifconfig lo0 $a delete
[ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete
;;
*-unknown-netbsd*)
[ "$a" ] && ifconfig lo0 $a delete
[ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete
;;
*-unknown-openbsd*)
[ "$a" ] && ifconfig lo0 $a delete
[ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete
;;
*-*-bsdi[3-5].*)
[ "$a" ] && ifconfig lo0 remove $a
;;
*-dec-osf[4-5].*)
[ "$a" ] && ifconfig lo0 -alias $a
;;
*-sgi-irix6.*)
[ "$a" ] && ifconfig lo0 -alias $a
;;
*-*-sysv5uw7* | *-*-sysv*UnixWare* | *-*-sysv*OpenUNIX*)
[ "$a" ] && ifconfig lo0 -alias $a
;;
*-ibm-aix4.* | *-ibm-aix5.*)
[ "$a" ] && ifconfig lo0 delete $a
[ "$aaaa" ] && ifconfig lo0 delete inet6 $aaaa/64
;;
hpux)
[ "$a" ] && ifconfig lo0:$int 0.0.0.0
[ "$aaaa" ] && ifconfig lo0:$int inet6 ::
;;
*-sco3.2v*)
[ "$a" ] && ifconfig lo0 -alias $a
;;
*darwin*)
[ "$a" ] && ifconfig lo0 -alias $a
[ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete
;;
*-cygwin*)
echo "Please run ifconfig.bat as Administrator."
exit 1
;;
*)
echo "Don't know how to destroy interface. Giving up."
exit 1
;;
esac
}
sequence() (
awk -v s=$1 -v e=$2 '
awk -v s=$1 -v e=$2 '
BEGIN {
for (i = s ; i <= e; i++) { print i; }
exit;
@ -242,30 +242,28 @@ sequence() (
#
max=11
case $1 in
start|up|stop|down)
for i in $(sequence 0 2)
do
case $i in
0) ipv6="ff" ;;
1) ipv6="99" ;;
2) ipv6="00" ;;
*) ipv6="" ;;
esac
for ns in $(sequence 1 $max)
do
[ $i -gt 0 -a $ns -gt 2 ] && break
int=$((i * max + ns))
a=10.53.$i.$ns
aaaa=fd92:7065:b8e:${ipv6}ff::$ns
case "$1" in
start|up) up;;
stop|down) down;;
esac
done
done
;;
*)
echo "Usage: $0 { up | down }"
exit 1
;;
start | up | stop | down)
for i in $(sequence 0 2); do
case $i in
0) ipv6="ff" ;;
1) ipv6="99" ;;
2) ipv6="00" ;;
*) ipv6="" ;;
esac
for ns in $(sequence 1 $max); do
[ $i -gt 0 -a $ns -gt 2 ] && break
int=$((i * max + ns))
a=10.53.$i.$ns
aaaa=fd92:7065:b8e:${ipv6}ff::$ns
case "$1" in
start | up) up ;;
stop | down) down ;;
esac
done
done
;;
*)
echo "Usage: $0 { up | down }"
exit 1
;;
esac

Some files were not shown because too many files have changed in this diff Show more