upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-03-24 11:25:08 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
bind9/bin/tests/system/synthfromdnssec/tests.sh
Tom Krizek 01bc805f89
Run system tests with set -e 
Ensure all shell system tests are executed with the errexit option set.
This prevents unchecked return codes from commands in the test from
interfering with the tests, since any failures need to be handled
explicitly.
2023-07-14 15:07:25 +02:00

904 lines
36 KiB
Bash
Raw Blame History

#!/bin/sh
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# set -e
#
# shellcheck source=conf.sh
. ../conf.sh
RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s"
set -e
status=0
n=1
synth_default=yes
rm -f dig.out.*
dig_with_opts() {
"$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
}
check_ad_flag() {
if [ ${1} = yes ]
then
grep "flags:[^;]* ad[^;]*; QUERY" ${2} > /dev/null || return 1
else
grep "flags:[^;]* ad[^;]*; QUERY" ${2} > /dev/null && return 1
fi
return 0
}
check_status() {
grep "status: ${1}," ${2} > /dev/null || return 1
return 0
}
check_synth_soa() (
name=$(echo "$1" | sed 's/\./\\./g')
grep "^${name}.*[0-9]*.IN.SOA" ${2} > /dev/null || return 1
grep "^${name}.*3600.IN.SOA" ${2} > /dev/null && return 1
return 0
)
check_nosynth_soa() (
name=$(echo "$1" | sed 's/\./\\./g')
grep "^${name}.*3600.IN.SOA" ${2} > /dev/null || return 1
return 0
)
check_synth_a() (
name=$(echo "$1" | sed 's/\./\\./g')
grep "^${name}.*[0-9]*.IN.A.[0-2]" ${2} > /dev/null || return 1
grep "^${name}.*3600.IN.A.[0-2]" ${2} > /dev/null && return 1
return 0
)
check_nosynth_a() (
name=$(echo "$1" | sed 's/\./\\./g')
grep "^${name}.*3600.IN.A.[0-2]" ${2} > /dev/null || return 1
return 0
)
check_synth_aaaa() (
name=$(echo "$1" | sed 's/\./\\./g')
grep "^${name}.*[0-9]*.IN.AAAA" ${2} > /dev/null || return 1
grep "^${name}.*3600.IN.A" ${2} > /dev/null && return 1
return 0
)
check_nosynth_aaaa() (
name=$(echo "$1" | sed 's/\./\\./g')
grep "^${name}.*3600.IN.AAAA" ${2} > /dev/null || return 1
return 0
)
check_synth_cname() (
name=$(echo "$1" | sed 's/\./\\./g')
grep "^${name}.*[0-9]*.IN.CNAME" ${2} > /dev/null || return 1
grep "^${name}.*3600.IN.CNAME" ${2} > /dev/null && return 1
return 0
)
check_nosynth_cname() (
name=$(echo "$1" | sed 's/\./\\./g')
grep "^${name}.*3600.IN.CNAME" ${2} > /dev/null || return 1
return 0
)
check_auth_count() {
grep "AUTHORITY: ${1}," ${2} > /dev/null || return 1
return 0
}
for ns in 2 4 5 6
do
case $ns in
2) ad=yes; description="<default>";;
4) ad=yes; description="no";;
5) ad=yes; description="yes";;
6) ad=no; description="yes; dnssec-validation no";;
*) exit 1;;
esac
echo_i "prime negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
ret=0
dig_with_opts a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
[ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n nxdomain.out
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "prime negative NODATA response (synth-from-dnssec ${description};) ($n)"
ret=0
dig_with_opts nodata.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
[ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n nodata.out
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "prime wildcard response (synth-from-dnssec ${description};) ($n)"
ret=0
dig_with_opts a.wild-a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
check_nosynth_a a.wild-a.example. dig.out.ns${ns}.test$n || ret=1
[ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wild.out
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
ret=0
dig_with_opts a.wild-cname.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
check_nosynth_cname a.wild-cname.example. dig.out.ns${ns}.test$n || ret=1
[ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wildcname.out
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "prime wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)"
ret=0
dig_with_opts a.wild-1-nsec.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
check_auth_count 4 dig.out.ns${ns}.test$n || ret=1
[ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wildnodata1nsec.out
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "prime wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)"
ret=0
dig_with_opts a.wild-2-nsec.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
check_auth_count 6 dig.out.ns${ns}.test$n || ret=1
[ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wildnodata2nsec.out
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "prime wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)"
ret=0
dig_with_opts a.wild-2-nsec-afterdata.example. @10.53.0.${ns} TXT > dig.out.txt.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.txt.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.txt.ns${ns}.test$n || ret=1
check_nosynth_soa example. dig.out.txt.ns${ns}.test$n || ret=1
check_auth_count 6 dig.out.txt.ns${ns}.test$n || ret=1
[ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.txt.ns${ns}.test$n > wildnodata2nsecafterdata.out
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "prime insecure negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
ret=0
dig_with_opts a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
check_ad_flag no dig.out.ns${ns}.test$n || ret=1
check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
[ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nxdomain.out
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "prime insecure negative NODATA response (synth-from-dnssec ${description};) ($n)"
ret=0
dig_with_opts nodata.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
check_ad_flag no dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
[ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nodata.out
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "prime insecure wildcard response (synth-from-dnssec ${description};) ($n)"
ret=0
dig_with_opts a.wild-a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
check_ad_flag no dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
check_nosynth_a a.wild-a.insecure.example. dig.out.ns${ns}.test$n || ret=1
[ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > insecure.wild.out
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
ret=0
dig_with_opts a.wild-cname.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
check_ad_flag no dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
check_nosynth_cname a.wild-cname.insecure.example. dig.out.ns${ns}.test$n || ret=1
[ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > insecure.wildcname.out
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "prime insecure wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)"
ret=0
dig_with_opts a.wild-1-nsec.insecure.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1
check_ad_flag no dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
check_auth_count 4 dig.out.ns${ns}.test$n || ret=1
[ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.wildnodata1nsec.out
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "prime insecure wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)"
ret=0
dig_with_opts a.wild-2-nsec.insecure.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1
check_ad_flag no dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
check_auth_count 6 dig.out.ns${ns}.test$n || ret=1
[ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.wildnodata2nsec.out
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "prime insecure wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)"
ret=0
dig_with_opts a.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} TXT > dig.out.txt.ns${ns}.test$n || ret=1
check_ad_flag no dig.out.txt.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.txt.ns${ns}.test$n || ret=1
check_nosynth_soa insecure.example. dig.out.txt.ns${ns}.test$n || ret=1
check_auth_count 6 dig.out.txt.ns${ns}.test$n || ret=1
[ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.txt.ns${ns}.test$n > insecure.wildnodata2nsecafterdata.out
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "prime minimal NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
ret=0
dig_with_opts nxdomain.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
grep "nxdomaia.minimal.*3600.IN.NSEC.nxdomaiz.minimal. RRSIG NSEC" dig.out.ns${ns}.test$n > /dev/null || ret=1
[ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n minimal.nxdomain.out
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "prime black lie NODATA response (synth-from-dnssec ${description};) ($n)"
ret=0
dig_with_opts black.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
grep 'black.minimal.*3600.IN.NSEC.\\000.black.minimal. RRSIG NSEC' dig.out.ns${ns}.test$n > /dev/null || ret=1
[ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n black.out
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "prime bad type map NODATA response (synth-from-dnssec ${description};) ($n)"
ret=0
dig_with_opts badtypemap.minimal. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
grep 'badtypemap.minimal.*3600.IN.NSEC.black.minimal. A$' dig.out.ns${ns}.test$n > /dev/null || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "prime SOA without DNSKEY bad type map NODATA response (synth-from-dnssec ${description};) ($n)"
ret=0
dig_with_opts soa-without-dnskey. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
check_nosynth_soa soa-without-dnskey. dig.out.ns${ns}.test$n || ret=1
grep 'soa-without-dnskey.*3600.IN.NSEC.ns1.soa-without-dnskey. NS SOA RRSIG NSEC$' dig.out.ns${ns}.test$n > /dev/null || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
done
echo_i "prime redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)"
ret=0
dig_with_opts +nodnssec a.redirect. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
check_ad_flag no dig.out.ns3.test$n || ret=1
check_status NOERROR dig.out.ns3.test$n || ret=1
grep 'a\.redirect\..*300.IN.A.100\.100\.100\.2' dig.out.ns3.test$n > /dev/null || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
#
# ensure TTL of synthesised answers differs from direct answers.
#
sleep 1
for ns in 2 4 5 6
do
case $ns in
2) ad=yes synth=${synth_default} description="<default>";;
4) ad=yes synth=no description="no";;
5) ad=yes synth=yes description="yes";;
6) ad=no synth=no description="yes; dnssec-validation no";;
*) exit 1;;
esac
echo_i "check synthesized NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
ret=0
nextpart ns1/named.run > /dev/null
dig_with_opts b.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
if [ ${synth} = yes ]
then
check_synth_soa example. dig.out.ns${ns}.test$n || ret=1
nextpart ns1/named.run | grep b.example/A > /dev/null && ret=1
else
check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
nextpart ns1/named.run | grep b.example/A > /dev/null || ret=1
fi
digcomp nxdomain.out dig.out.ns${ns}.test$n || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check synthesized NODATA response (synth-from-dnssec ${description};) ($n)"
ret=0
nextpart ns1/named.run > /dev/null
dig_with_opts nodata.example. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
if [ ${synth} = yes ]
then
check_synth_soa example. dig.out.ns${ns}.test$n || ret=1
nextpart ns1/named.run | grep nodata.example/AAAA > /dev/null && ret=1
else
check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
nextpart ns1/named.run | grep nodata.example/AAAA > /dev/null || ret=1
fi
digcomp nodata.out dig.out.ns${ns}.test$n || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check synthesized wildcard response (synth-from-dnssec ${description};) ($n)"
ret=0
nextpart ns1/named.run > /dev/null
dig_with_opts b.wild-a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
if [ ${synth} = yes ]
then
check_synth_a b.wild-a.example. dig.out.ns${ns}.test$n || ret=1
nextpart ns1/named.run | grep b.wild-a.example/A > /dev/null && ret=1
else
check_nosynth_a b.wild-a.example. dig.out.ns${ns}.test$n || ret=1
nextpart ns1/named.run | grep b.wild-a.example/A > /dev/null || ret=1
fi
digcomp wild.out dig.out.ns${ns}.test$n || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check synthesized wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
ret=0
nextpart ns1/named.run > /dev/null
dig_with_opts b.wild-cname.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
if [ ${synth} = yes ]
then
check_synth_cname b.wild-cname.example. dig.out.ns${ns}.test$n || ret=1
nextpart ns1/named.run | grep b.wild-cname.example/A > /dev/null && ret=1
else
check_nosynth_cname b.wild-cname.example. dig.out.ns${ns}.test$n || ret=1
nextpart ns1/named.run | grep b.wild-cname.example/A > /dev/null || ret=1
fi
grep "ns1.example.*.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
digcomp wildcname.out dig.out.ns${ns}.test$n || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check synthesized wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)"
ret=0
nextpart ns1/named.run > /dev/null
dig_with_opts b.wild-1-nsec.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
if [ ${synth} = yes ]
then
check_synth_soa example. dig.out.ns${ns}.test$n || ret=1
nextpart ns1/named.run | grep b.wild-1-nsec.example/AAAA > /dev/null && ret=1
else
check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
nextpart ns1/named.run | grep b.wild-1-nsec.example/AAAA > /dev/null || ret=1
fi
digcomp wildnodata1nsec.out dig.out.ns${ns}.test$n || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check synthesized wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)"
ret=0
nextpart ns1/named.run > /dev/null
dig_with_opts b.wild-2-nsec.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
if [ ${synth} = yes ]
then
check_synth_soa example. dig.out.ns${ns}.test$n || ret=1
nextpart ns1/named.run | grep b.wild-2-nsec.example/AAAA > /dev/null && ret=1
else
check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
nextpart ns1/named.run | grep b.wild-2-nsec.example/AAAA > /dev/null || ret=1
fi
digcomp wildnodata2nsec.out dig.out.ns${ns}.test$n || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check synthesized wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)"
ret=0
# Use AAAA to avoid cached qname minimisation _.wild-2-nsec-afterdata.example A record
dig_with_opts b.wild-2-nsec-afterdata.example. @10.53.0.${ns} AAAA > dig.out.a.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.a.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.a.ns${ns}.test$n || ret=1
check_nosynth_aaaa b.wild-2-nsec-afterdata.example. dig.out.a.ns${ns}.test$n || ret=1
#
nextpart ns1/named.run > /dev/null
dig_with_opts b.wild-2-nsec-afterdata.example. @10.53.0.${ns} TLSA > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
if [ ${synth} = yes ]
then
check_synth_soa example. dig.out.ns${ns}.test$n || ret=1
nextpart ns1/named.run | grep b.wild-2-nsec-afterdata.example/TLSA > /dev/null && ret=1
else
check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
nextpart ns1/named.run | grep b.wild-2-nsec-afterdata.example/TLSA > /dev/null || ret=1
fi
digcomp wildnodata2nsecafterdata.out dig.out.ns${ns}.test$n || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check insecure NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
ret=0
nextpart ns1/named.run > /dev/null
dig_with_opts b.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
check_ad_flag no dig.out.ns${ns}.test$n || ret=1
check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
nextpart ns1/named.run | grep b.insecure.example/A > /dev/null || ret=1
digcomp insecure.nxdomain.out dig.out.ns${ns}.test$n || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check insecure NODATA response (synth-from-dnssec ${description};) ($n)"
ret=0
nextpart ns1/named.run > /dev/null
dig_with_opts nodata.insecure.example. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1
check_ad_flag no dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
nextpart ns1/named.run | grep nodata.insecure.example/AAAA > /dev/null || ret=1
digcomp insecure.nodata.out dig.out.ns${ns}.test$n || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check insecure wildcard response (synth-from-dnssec ${description};) ($n)"
ret=0
nextpart ns1/named.run > /dev/null
dig_with_opts b.wild-a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
check_ad_flag no dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
grep "b\.wild-a\.insecure\.example\..*3600.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
nextpart ns1/named.run | grep b.wild-a.insecure.example/A > /dev/null || ret=1
digcomp insecure.wild.out dig.out.ns${ns}.test$n || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check insecure wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
ret=0
nextpart ns1/named.run > /dev/null
dig_with_opts b.wild-cname.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
check_ad_flag no dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
check_nosynth_cname b.wild-cname.insecure.example dig.out.ns${ns}.test$n || ret=1
nextpart ns1/named.run | grep b.wild-cname.insecure.example/A > /dev/null || ret=1
grep "ns1.insecure.example.*.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
digcomp insecure.wildcname.out dig.out.ns${ns}.test$n || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check insecure wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)"
ret=0
nextpart ns1/named.run > /dev/null
dig_with_opts b.wild-1-nsec.insecure.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1
check_ad_flag no dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
digcomp insecure.wildnodata1nsec.out dig.out.ns${ns}.test$n || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check insecure wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)"
ret=0
nextpart ns1/named.run > /dev/null
dig_with_opts b.wild-2-nsec.insecure.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1
check_ad_flag no dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
digcomp insecure.wildnodata2nsec.out dig.out.ns${ns}.test$n || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check insecure wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)"
ret=0
nextpart ns1/named.run > /dev/null
dig_with_opts b.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} AAAA > dig.out.a.ns${ns}.test$n || ret=1
check_ad_flag no dig.out.a.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.a.ns${ns}.test$n || ret=1
check_nosynth_aaaa b.wild-2-nsec-afterdata.insecure.example. dig.out.a.ns${ns}.test$n || ret=1
#
dig_with_opts b.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} TLSA > dig.out.ns${ns}.test$n || ret=1
check_ad_flag no dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
digcomp insecure.wildnodata2nsecafterdata.out dig.out.ns${ns}.test$n || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check minimal NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
ret=0
nextpart ns1/named.run > /dev/null
dig_with_opts nxdomaic.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
nextpart ns1/named.run | grep nxdomaic.minimal/A > /dev/null || ret=1
digcomp minimal.nxdomain.out dig.out.ns${ns}.test$n || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check black lie NODATA response (synth-from-dnssec ${description};) ($n)"
ret=0
nextpart ns1/named.run > /dev/null
dig_with_opts black.minimal. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
nextpart ns1/named.run | grep black.minimal/AAAA > /dev/null || ret=1
digcomp black.out dig.out.ns${ns}.test$n || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check bad type map NODATA response (synth-from-dnssec ${description};) ($n)"
ret=0
dig_with_opts badtypemap.minimal. @10.53.0.${ns} HINFO > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
grep 'badtypemap.minimal.*3600.IN.NSEC.black.minimal. A$' dig.out.ns${ns}.test$n > /dev/null || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check bad type map NODATA response with existent data (synth-from-dnssec ${description};) ($n)"
ret=0
dig_with_opts badtypemap.minimal. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
check_nosynth_aaaa badtypemap.minimal. dig.out.ns${ns}.test$n || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check SOA without DNSKEY bad type map NODATA response (synth-from-dnssec ${description};) ($n)"
ret=0
dig_with_opts soa-without-dnskey. @10.53.0.${ns} A > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
check_nosynth_soa soa-without-dnskey. dig.out.ns${ns}.test$n || ret=1
grep 'soa-without-dnskey.*3600.IN.NSEC.ns1.soa-without-dnskey. NS SOA RRSIG NSEC$' dig.out.ns${ns}.test$n > /dev/null || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check 'rndc stats' output for 'covering nsec returned' (synth-from-dnssec ${description};) ($n)"
ret=0
${RNDCCMD} 10.53.0.${ns} stats 2>&1 | sed 's/^/ns6 /' | cat_i
# 2 views, _bind should always be '0 covering nsec returned'
count=$(grep "covering nsec returned" ns${ns}/named.stats | wc -l)
test $count = 2 || ret=1
zero=$(grep " 0 covering nsec returned" ns${ns}/named.stats | wc -l)
if [ ${synth} = yes ]
then
test $zero = 1 || ret=1
else
test $zero = 2 || ret=1
fi
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check 'rndc stats' output for 'cache NSEC auxiliary database nodes' (synth-from-dnssec ${description};) ($n)"
ret=0
# 2 views, _bind should always be '0 cache NSEC auxiliary database nodes'
count=$(grep "cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l)
test $count = 2 || ret=1
zero=$(grep "0 cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l)
if [ ${ad} = yes ]
then
test $zero = 1 || ret=1
else
test $zero = 2 || ret=1
fi
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
for synthesized in NXDOMAIN no-data wildcard
do
case $synthesized in
NXDOMAIN) count=1;;
no-data) count=4;;
wildcard) count=2;;
esac
echo_i "check 'rndc stats' output for 'synthesized a ${synthesized} response' (synth-from-dnssec ${description};) ($n)"
ret=0
if [ ${synth} = yes ]
then
grep "$count synthesized a ${synthesized} response" ns${ns}/named.stats > /dev/null || ret=1
else
grep "synthesized a ${synthesized} response" ns${ns}/named.stats > /dev/null && ret=1
fi
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
done
if ${FEATURETEST} --have-libxml2 && [ -x "${CURL}" ] ; then
echo_i "getting XML statisistcs for (synth-from-dnssec ${description};) ($n)"
ret=0
xml=xml.out$n
${CURL} http://10.53.0.${ns}:${EXTRAPORT1}/xml/v3/server > $xml 2>/dev/null || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check XML for 'CoveringNSEC' with (synth-from-dnssec ${description};) ($n)"
ret=0
counter=$(sed -n 's;.*<view name="_default">.*\(<counter name="CoveringNSEC">[0-9]*</counter>\).*</view><view.*;\1;gp' $xml)
count=$(echo "$counter" | grep CoveringNSEC | wc -l)
test $count = 1 || ret=1
zero=$(echo "$counter" | grep ">0<" | wc -l)
if [ ${synth} = yes ]
then
test $zero = 0 || ret=1
else
test $zero = 1 || ret=1
fi
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check XML for 'CacheNSECNodes' with (synth-from-dnssec ${description};) ($n)"
ret=0
counter=$(sed -n 's;.*<view name="_default">.*\(<counter name="CacheNSECNodes">[0-9]*</counter>\).*</view><view.*;\1;gp' $xml)
count=$(echo "$counter" | grep CacheNSECNodes | wc -l)
test $count = 1 || ret=1
zero=$(echo "$counter" | grep ">0<" | wc -l)
if [ ${ad} = yes ]
then
test $zero = 0 || ret=1
else
test $zero = 1 || ret=1
fi
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
for synthesized in SynthNXDOMAIN SynthNODATA SynthWILDCARD
do
case $synthesized in
SynthNXDOMAIN) count=1;;
SynthNODATA) count=4;;
SynthWILDCARD) count=2;;
esac
echo_i "check XML for '$synthesized}' with (synth-from-dnssec ${description};) ($n)"
ret=0
if [ ${synth} = yes ]
then
grep '<counter name="'$synthesized'">'$count'</counter>' $xml > /dev/null || ret=1
else
grep '<counter name="'$synthesized'">'0'</counter>' $xml > /dev/null || ret=1
fi
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
done
else
echo_i "Skipping XML statistics checks"
fi
if $FEATURETEST --have-json-c && [ -x "${CURL}" ] ; then
echo_i "getting JSON statisistcs for (synth-from-dnssec ${description};) ($n)"
ret=0
json=json.out$n
${CURL} http://10.53.0.${ns}:${EXTRAPORT1}/json/v1/server > $json 2>/dev/null || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check JSON for 'CoveringNSEC' with (synth-from-dnssec ${description};) ($n)"
ret=0
count=$(grep '"CoveringNSEC":' $json | wc -l)
test $count = 2 || ret=1
zero=$(grep '"CoveringNSEC":0' $json | wc -l)
if [ ${synth} = yes ]
then
test $zero = 1 || ret=1
else
test $zero = 2 || ret=1
fi
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check JSON for 'CacheNSECNodes' with (synth-from-dnssec ${description};) ($n)"
ret=0
count=$(grep '"CacheNSECNodes":' $json | wc -l)
test $count = 2 || ret=1
zero=$(grep '"CacheNSECNodes":0' $json | wc -l)
if [ ${ad} = yes ]
then
test $zero = 1 || ret=1
else
test $zero = 2 || ret=1
fi
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
for synthesized in SynthNXDOMAIN SynthNODATA SynthWILDCARD
do
case $synthesized in
SynthNXDOMAIN) count=1;;
SynthNODATA) count=4;;
SynthWILDCARD) count=2;;
esac
echo_i "check JSON for '$synthesized}' with (synth-from-dnssec ${description};) ($n)"
ret=0
if [ ${synth} = yes ]
then
grep '"'$synthesized'":'$count'' $json > /dev/null || ret=1
else
grep '"'$synthesized'":' $json > /dev/null && ret=1
fi
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
done
else
echo_i "Skipping JSON statistics checks"
fi
done
echo_i "check redirect response (+dnssec) (synth-from-dnssec <default>;) ($n)"
ret=0
synth=${synth_default}
dig_with_opts b.redirect. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
check_ad_flag yes dig.out.ns3.test$n || ret=1
check_status NXDOMAIN dig.out.ns3.test$n || ret=1
if [ ${synth} = yes ]
then
check_synth_soa . dig.out.ns3.test$n || ret=1
else
check_nosynth_soa . dig.out.ns3.test$n || ret=1
fi
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)"
ret=0
dig_with_opts +nodnssec b.redirect. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
check_ad_flag no dig.out.ns3.test$n || ret=1
check_status NOERROR dig.out.ns3.test$n || ret=1
grep 'b\.redirect\..*300.IN.A.100\.100\.100\.2' dig.out.ns3.test$n > /dev/null || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check DNAME handling (synth-from-dnssec yes;) ($n)"
ret=0
dig_with_opts dnamed.example. ns @10.53.0.5 > dig.out.ns5.test$n || ret=1
dig_with_opts a.dnamed.example. a @10.53.0.5 > dig.out.ns5-1.test$n || ret=1
check_status NOERROR dig.out.ns5-1.test$n || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "regression test for CVE-2022-0635 ($n)"
ret=0
# add DNAME to cache
dig_with_opts dname.dnamed. dname @10.53.0.5 > dig.out.ns5-1.test$n || ret=1
grep "status: NOERROR" dig.out.ns5-1.test$n >/dev/null || ret=1
# add A record to cache at name before DNAME owner
dig_with_opts a.dnamed. a @10.53.0.5 > dig.out.ns5-2.test$n || ret=1
grep "status: NOERROR" dig.out.ns5-2.test$n >/dev/null || ret=1
# add NSEC record to cache at name before DNAME owner
dig_with_opts a.dnamed. aaaa @10.53.0.5 > dig.out.ns5-3.test$n || ret=1
grep "status: NOERROR" dig.out.ns5-3.test$n >/dev/null || ret=1
# wait for NSEC to timeout
sleep 6
# use DNAME for lookup
dig_with_opts b.dname.dnamed a @10.53.0.5 > dig.out.ns5-4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns5-4.test$n >/dev/null || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check synth-from-dnssec with grafted zone (forward only) ($n)"
ret=0
#prime cache with NXDOMAIN NSEC covering 'fun' to 'minimal'
dig_with_opts internal @10.53.0.5 > dig.out.ns5-1.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns5-1.test$n >/dev/null || ret=1
grep '^fun\..*NSEC.minimal\. ' dig.out.ns5-1.test$n >/dev/null || ret=1
#perform lookup in grafted zone
dig_with_opts example.internal @10.53.0.5 > dig.out.ns5-2.test$n || ret=1
grep "status: NOERROR" dig.out.ns5-2.test$n >/dev/null || ret=1
grep '^example\.internal\..*A.1.2.3.4$' dig.out.ns5-2.test$n >/dev/null || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check synth-from-dnssec with grafted zone (primary zone) ($n)"
ret=0
#prime cache with NXDOMAIN NSEC covering 'fun' to 'minimal'
dig_with_opts internal @10.53.0.5 > dig.out.ns5-1.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns5-1.test$n >/dev/null || ret=1
grep '^fun\..*NSEC.minimal\. ' dig.out.ns5-1.test$n >/dev/null || ret=1
#perform lookup in grafted zone
dig_with_opts example.internal2 @10.53.0.5 > dig.out.ns5-2.test$n || ret=1
grep "status: NOERROR" dig.out.ns5-2.test$n >/dev/null || ret=1
grep '^example\.internal2\..*A.1.2.3.4$' dig.out.ns5-2.test$n >/dev/null || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
Reference in a new issue View git blame Copy permalink