summaryrefslogtreecommitdiffstats
path: root/bin/tests/system/nsupdate/tests.sh
diff options
context:
space:
mode:
Diffstat (limited to '')
-rwxr-xr-xbin/tests/system/nsupdate/tests.sh1552
1 files changed, 1552 insertions, 0 deletions
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
new file mode 100755
index 0000000..2cf23ac
--- /dev/null
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -0,0 +1,1552 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="-p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+#
+# Uncomment when creating credential cache files.
+#
+# KRB5_CONFIG="$(pwd)/krb/krb5.conf"
+#
+# Cd krb and run krb/setup.sh to create new keys.
+# Run nsupdate system test.
+# Kill the krb5kdc server started by krb/setup.sh.
+# Check the expiry date on the cached machine.ccache with klist is in 2038.
+# Comment out KRB5_CONFIG.
+# Re-run nsupdate system test to confirm everything still works.
+# git add and commit the resulting ns*/machine.ccache and ns*/dns.keytab files.
+# Clean up krb.
+#
+
+status=0
+n=0
+
+nextpartreset ns3/named.run
+
+# wait for zone transfer to complete
+tries=0
+while true; do
+ if [ $tries -eq 10 ]
+ then
+ exit 1
+ fi
+
+ if grep "example.nil/IN.*Transfer status" ns2/named.run > /dev/null
+ then
+ break
+ else
+ echo_i "zones are not fully loaded, waiting..."
+ tries=$((tries + 1))
+ sleep 1
+ fi
+done
+
+has_positive_response() {
+ zone=$1
+ type=$2
+ ns=$3
+ $DIG $DIGOPTS +tcp +norec $zone $type @$ns > dig.out.post.test$n || return 1
+ grep "status: NOERROR" dig.out.post.test$n > /dev/null || return 1
+ grep "ANSWER: 0," dig.out.post.test$n > /dev/null && return 1
+ return 0
+}
+
+ret=0
+echo_i "fetching first copy of zone before update"
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\
+ @10.53.0.1 axfr > dig.out.ns1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "fetching second copy of zone before update"
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\
+ @10.53.0.2 axfr > dig.out.ns2 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "comparing pre-update copies to known good data"
+digcomp knowngood.ns1.before dig.out.ns1 || ret=1
+digcomp knowngood.ns1.before dig.out.ns2 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "ensure an unrelated zone is mentioned in its NOTAUTH log"
+$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END && ret=1
+server 10.53.0.1 ${PORT}
+zone unconfigured.test
+update add unconfigured.test 600 IN A 10.53.0.1
+send
+END
+grep NOTAUTH nsupdate.out > /dev/null 2>&1 || ret=1
+grep ' unconfigured.test: not authoritative' ns1/named.run \
+ > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "ensure a subdomain is mentioned in its NOTAUTH log"
+$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END && ret=1
+server 10.53.0.1 ${PORT}
+zone sub.sub.example.nil
+update add sub.sub.sub.example.nil 600 IN A 10.53.0.1
+send
+END
+grep NOTAUTH nsupdate.out > /dev/null 2>&1 || ret=1
+grep ' sub.sub.example.nil: not authoritative' ns1/named.run \
+ > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "updating zone"
+# nsupdate will print a ">" prompt to stdout as it gets each input line.
+$NSUPDATE -k ns1/ddns.key <<END > /dev/null || ret=1
+server 10.53.0.1 ${PORT}
+update add updated.example.nil. 600 A 10.10.10.1
+add updated.example.nil. 600 TXT Foo
+delete t.example.nil.
+
+END
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+echo_i "sleeping 5 seconds for server to incorporate changes"
+sleep 5
+
+ret=0
+echo_i "fetching first copy of zone after update"
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\
+ @10.53.0.1 axfr > dig.out.ns1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "fetching second copy of zone after update"
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\
+ @10.53.0.2 axfr > dig.out.ns2 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "comparing post-update copies to known good data"
+digcomp knowngood.ns1.after dig.out.ns1 || ret=1
+digcomp knowngood.ns1.after dig.out.ns2 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "testing local update policy"
+pre=$($DIG $DIGOPTS +short new.other.nil. @10.53.0.1 a) || ret=1
+[ -z "$pre" ] || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "updating zone"
+# nsupdate will print a ">" prompt to stdout as it gets each input line.
+$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null <<END || ret=1
+zone other.nil.
+update add new.other.nil. 600 IN A 10.10.10.1
+send
+END
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+echo_i "sleeping 5 seconds for server to incorporate changes"
+sleep 5
+
+ret=0
+echo_i "checking result of update"
+post=$($DIG $DIGOPTS +short new.other.nil. @10.53.0.1 a) || ret=1
+[ "$post" = "10.10.10.1" ] || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "comparing post-update copy to known good data"
+digcomp knowngood.ns1.after dig.out.ns1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "testing zone consistency checks"
+# inserting an NS record without a corresponding A or AAAA record should fail
+$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END && ret=1
+update add other.nil. 600 in ns ns3.other.nil.
+send
+END
+grep REFUSED nsupdate.out > /dev/null 2>&1 || ret=1
+# ...but should work if an A record is inserted first:
+$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END || ret=1
+update add ns4.other.nil 600 in a 10.53.0.1
+send
+update add other.nil. 600 in ns ns4.other.nil.
+send
+END
+grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1
+# ...or if an AAAA record does:
+$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END || ret=1
+update add ns5.other.nil 600 in aaaa 2001:db8::1
+send
+update add other.nil. 600 in ns ns5.other.nil.
+send
+END
+grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1
+# ...or if the NS and A/AAAA are inserted together:
+$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END || ret=1
+update add other.nil. 600 in ns ns6.other.nil.
+update add ns6.other.nil 600 in a 10.53.0.1
+send
+END
+grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+echo_i "sleeping 5 seconds for server to incorporate changes"
+sleep 5
+
+ret=0
+echo_i "checking result of update"
+$DIG $DIGOPTS +short @10.53.0.1 ns other.nil > dig.out.ns1 || ret=1
+grep ns3.other.nil dig.out.ns1 > /dev/null 2>&1 && ret=1
+grep ns4.other.nil dig.out.ns1 > /dev/null 2>&1 || ret=1
+grep ns5.other.nil dig.out.ns1 > /dev/null 2>&1 || ret=1
+grep ns6.other.nil dig.out.ns1 > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "ensure 'check-mx ignore' allows adding MX records containing an address without a warning"
+$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END || ret=1
+server 10.53.0.1 ${PORT}
+update add mx03.example.nil 600 IN MX 10 10.53.0.1
+send
+END
+grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1
+grep "mx03.example.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "ensure 'check-mx warn' allows adding MX records containing an address with a warning"
+$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END || ret=1
+update add mx03.other.nil 600 IN MX 10 10.53.0.1
+send
+END
+grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1
+grep "mx03.other.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "ensure 'check-mx fail' prevents adding MX records containing an address with a warning"
+$NSUPDATE > nsupdate.out 2>&1 << END && ret=1
+server 10.53.0.1 ${PORT}
+update add mx03.update.nil 600 IN MX 10 10.53.0.1
+send
+END
+grep REFUSED nsupdate.out > /dev/null 2>&1 || ret=1
+grep "mx03.update.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "check SIG(0) key is accepted"
+key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -T KEY -n ENTITY xxx)
+echo "" | $NSUPDATE -k ${key}.private > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check TYPE=0 update is rejected by nsupdate ($n)"
+$NSUPDATE <<END > nsupdate.out 2>&1 && ret=1
+ server 10.53.0.1 ${PORT}
+ ttl 300
+ update add example.nil. in type0 ""
+ send
+END
+grep "unknown class/type" nsupdate.out > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check TYPE=0 prerequisite is handled ($n)"
+$NSUPDATE -k ns1/ddns.key <<END > nsupdate.out 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ prereq nxrrset example.nil. type0
+ send
+END
+$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n
+grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that TYPE=0 update is handled ($n)"
+echo "a0e4280000010000000100000000060001c00c000000fe000000000000" |
+$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp > /dev/null || ret=1
+$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n
+grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that TYPE=0 additional data is handled ($n)"
+echo "a0e4280000010000000000010000060001c00c000000fe000000000000" |
+$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp > /dev/null || ret=1
+$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n
+grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that update to undefined class is handled ($n)"
+echo "a0e4280000010001000000000000060101c00c000000fe000000000000" |
+$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp > /dev/null || ret=1
+$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n
+grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that address family mismatch is handled ($n)"
+$NSUPDATE <<END > /dev/null 2>&1 && ret=1
+server ::1
+local 127.0.0.1
+update add 600 txt.example.nil in txt "test"
+send
+END
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+
+n=$((n + 1))
+ret=0
+echo_i "check that unixtime serial number is correctly generated ($n)"
+$DIG $DIGOPTS +short unixtime.nil. soa @10.53.0.1 > dig.out.old.test$n || ret=1
+oldserial=$(awk '{print $3}' dig.out.old.test$n) || ret=1
+start=$($PERL -e 'print time()."\n";')
+$NSUPDATE <<END > /dev/null 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ ttl 600
+ update add new.unixtime.nil in a 1.2.3.4
+ send
+END
+now=$($PERL -e 'print time()."\n";')
+sleep 1
+$DIG $DIGOPTS +short unixtime.nil. soa @10.53.0.1 > dig.out.new.test$n || ret=1
+serial=$(awk '{print $3}' dig.out.new.test$n) || ret=1
+[ "$oldserial" = "$serial" ] && { echo_i "oldserial == serial"; ret=1; }
+if [ "$serial" -lt "$start" ]; then
+ echo_i "out-of-range serial=$serial < start=$start"; ret=1;
+elif [ "$serial" -gt "$now" ]; then
+ echo_i "out-of-range serial=$serial > now=$now"; ret=1;
+fi
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+ n=$((n + 1))
+ ret=0
+ echo_i "running update.pl test ($n)"
+ $PERL update_test.pl -s 10.53.0.1 -p ${PORT} update.nil. > perl.update_test.out || ret=1
+ [ $ret -eq 1 ] && { echo_i "failed"; status=1; }
+
+ if $PERL -e 'use Net::DNS; die "Net::DNS too old ($Net::DNS::VERSION < 1.01)" if ($Net::DNS::VERSION < 1.01)' > /dev/null
+ then
+ n=$((n + 1))
+ ret=0
+ echo_i "check for too many NSEC3 iterations log ($n)"
+ grep "updating zone 'update.nil/IN': too many NSEC3 iterations (151)" ns1/named.run > /dev/null || ret=1
+ [ $ret -eq 1 ] && { echo_i "failed"; status=1; }
+ fi
+else
+ echo_i "The second part of this test requires the Net::DNS library." >&2
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "fetching first copy of test zone ($n)"
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\
+ @10.53.0.1 axfr > dig.out.ns1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "fetching second copy of test zone ($n)"
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\
+ @10.53.0.2 axfr > dig.out.ns2 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "comparing zones ($n)"
+digcomp dig.out.ns1 dig.out.ns2 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+echo_i "SIGKILL and restart server ns1"
+cd ns1
+$KILL -KILL $(cat named.pid)
+rm named.pid
+cd ..
+sleep 10
+if
+ start_server --noclean --restart --port ${PORT} ns1
+then
+ echo_i "restarted server ns1"
+else
+ echo_i "could not restart server ns1"
+ exit 1
+fi
+sleep 10
+
+n=$((n + 1))
+ret=0
+echo_i "fetching ns1 after hard restart ($n)"
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\
+ @10.53.0.1 axfr > dig.out.ns1.after || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "comparing zones ($n)"
+digcomp dig.out.ns1 dig.out.ns1.after || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+echo_i "begin RT #482 regression test"
+
+n=$((n + 1))
+ret=0
+echo_i "update primary ($n)"
+$NSUPDATE -k ns1/ddns.key <<END > /dev/null || ret=1
+server 10.53.0.1 ${PORT}
+update add updated2.example.nil. 600 A 10.10.10.2
+update add updated2.example.nil. 600 TXT Bar
+update delete c.example.nil.
+send
+END
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+sleep 5
+
+if [ ! "$CYGWIN" ]; then
+ echo_i "SIGHUP secondary"
+ $KILL -HUP $(cat ns2/named.pid)
+else
+ echo_i "reload secondary"
+ rndc_reload ns2 10.53.0.2
+fi
+
+sleep 5
+
+n=$((n + 1))
+ret=0
+echo_i "update primary again ($n)"
+$NSUPDATE -k ns1/ddns.key <<END > /dev/null || ret=1
+server 10.53.0.1 ${PORT}
+update add updated3.example.nil. 600 A 10.10.10.3
+update add updated3.example.nil. 600 TXT Zap
+del d.example.nil.
+send
+END
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+sleep 5
+
+if [ ! "$CYGWIN" ]; then
+ echo_i "SIGHUP secondary again"
+ $KILL -HUP $(cat ns2/named.pid)
+else
+ echo_i "reload secondary again"
+ rndc_reload ns2 10.53.0.2
+fi
+
+sleep 5
+
+n=$((n + 1))
+echo_i "check to 'out of sync' message ($n)"
+if grep "out of sync" ns2/named.run
+then
+ echo_i "failed (found 'out of sync')"
+ status=1
+fi
+
+echo_i "end RT #482 regression test"
+
+n=$((n + 1))
+ret=0
+echo_i "start NSEC3PARAM changes via UPDATE on a unsigned zone test ($n)"
+$NSUPDATE << EOF
+server 10.53.0.3 ${PORT}
+update add example 3600 nsec3param 1 0 0 -
+send
+EOF
+
+# the zone is not signed. The nsec3param records should be removed.
+# this also proves that the server is still running.
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec example.\
+ @10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
+grep "ANSWER: 0," dig.out.ns3.$n > /dev/null || ret=1
+grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "change the NSEC3PARAM ttl via update ($n)"
+$NSUPDATE << EOF
+server 10.53.0.3 ${PORT}
+update add nsec3param.test 3600 NSEC3PARAM 1 0 1 -
+send
+EOF
+
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test.\
+ @10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
+grep "ANSWER: 1," dig.out.ns3.$n > /dev/null || ret=1
+grep "3600.*NSEC3PARAM" dig.out.ns3.$n > /dev/null || ret=1
+grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "add a new NSEC3PARAM via update ($n)"
+$NSUPDATE << EOF
+server 10.53.0.3 ${PORT}
+update add nsec3param.test 3600 NSEC3PARAM 1 0 4 -
+send
+EOF
+
+_ret=1
+for i in 0 1 2 3 4 5 6 7 8 9; do
+ $DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
+ if grep "ANSWER: 2," dig.out.ns3.$n > /dev/null; then
+ _ret=0
+ break
+ fi
+ sleep 1
+done
+
+if [ $_ret -ne 0 ]; then ret=1; fi
+grep "NSEC3PARAM 1 0 4 -" dig.out.ns3.$n > /dev/null || ret=1
+grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=$((ret + status)); fi
+
+n=$((n + 1))
+ret=0
+echo_i "add, delete and change the ttl of the NSEC3PARAM rrset via update ($n)"
+$NSUPDATE << EOF
+server 10.53.0.3 ${PORT}
+update delete nsec3param.test NSEC3PARAM
+update add nsec3param.test 7200 NSEC3PARAM 1 0 5 -
+send
+EOF
+
+_ret=1
+for i in 0 1 2 3 4 5 6 7 8 9; do
+ $DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
+ if grep "ANSWER: 1," dig.out.ns3.$n > /dev/null; then
+ _ret=0
+ break
+ fi
+ sleep 1
+done
+
+if [ $_ret -ne 0 ]; then ret=1; fi
+grep "7200.*NSEC3PARAM 1 0 5 -" dig.out.ns3.$n > /dev/null || ret=1
+grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
+$JOURNALPRINT ns3/nsec3param.test.db.signed.jnl > jp.out.ns3.$n
+# intermediate TTL changes.
+grep "add nsec3param.test. 7200 IN NSEC3PARAM 1 0 4 -" jp.out.ns3.$n > /dev/null || ret=1
+grep "add nsec3param.test. 7200 IN NSEC3PARAM 1 0 1 -" jp.out.ns3.$n > /dev/null || ret=1
+# delayed adds and deletes.
+grep "add nsec3param.test. 0 IN TYPE65534 .# 6 000180000500" jp.out.ns3.$n > /dev/null || ret=1
+grep "add nsec3param.test. 0 IN TYPE65534 .# 6 000140000100" jp.out.ns3.$n > /dev/null || ret=1
+grep "add nsec3param.test. 0 IN TYPE65534 .# 6 000140000400" jp.out.ns3.$n > /dev/null || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=$((ret + status)); fi
+
+
+ret=0
+echo_i "testing that rndc stop updates the file"
+$NSUPDATE -k ns1/ddns.key <<END > /dev/null || ret=1
+server 10.53.0.1 ${PORT}
+update add updated4.example.nil. 600 A 10.10.10.3
+send
+END
+sleep 3
+stop_server --use-rndc --port ${CONTROLPORT} ns1
+sleep 3
+# Removing the journal file and restarting the server means
+# that the data served by the new server process are exactly
+# those dumped to the file by "rndc stop".
+rm -f ns1/*jnl
+start_server --noclean --restart --port ${PORT} ns1
+for try in 0 1 2 3 4 5 6 7 8 9; do
+ iret=0
+ $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+ updated4.example.nil. @10.53.0.1 a > dig.out.ns1 || iret=1
+ digcomp knowngood.ns1.afterstop dig.out.ns1 || iret=1
+ [ "$iret" -eq 0 ] && break
+ sleep 1
+done
+[ "$iret" -ne 0 ] && ret=1
+[ "$ret" -eq 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "check that 'nsupdate -l' with a missing keyfile reports the missing file"
+$NSUPDATE -4 -p ${PORT} -l -k ns1/nonexistent.key 2> nsupdate.out < /dev/null
+grep ns1/nonexistent.key nsupdate.out > /dev/null || ret=1
+if test $ret -ne 0
+then
+echo_i "failed"; status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check that 'update-policy local' works from localhost address ($n)"
+$NSUPDATE -k ns5/session.key > nsupdate.out.$n 2>&1 << END || ret=1
+server 10.53.0.5 ${PORT}
+local 127.0.0.1
+update add fromlocal.local.nil. 600 A 1.2.3.4
+send
+END
+grep REFUSED nsupdate.out.$n > /dev/null 2>&1 && ret=1
+$DIG $DIGOPTS @10.53.0.5 \
+ +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+ fromlocal.local.nil. > dig.out.ns5.$n || ret=1
+grep fromlocal dig.out.ns5.$n > /dev/null 2>&1 || ret=1
+if test $ret -ne 0
+then
+echo_i "failed"; status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check that 'update-policy local' fails from non-localhost address ($n)"
+grep 'match on session key not from localhost' ns5/named.run > /dev/null && ret=1
+$NSUPDATE -k ns5/session.key > nsupdate.out.$n 2>&1 << END && ret=1
+server 10.53.0.5 ${PORT}
+local 10.53.0.1
+update add nonlocal.local.nil. 600 A 4.3.2.1
+send
+END
+grep REFUSED nsupdate.out.$n > /dev/null 2>&1 || ret=1
+grep 'match on session key not from localhost' ns5/named.run > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.5 \
+ +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+ nonlocal.local.nil. > dig.out.ns5.$n || ret=1
+grep nonlocal dig.out.ns5.$n > /dev/null 2>&1 && ret=1
+if test $ret -ne 0
+then
+echo_i "failed"; status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check that 'update-policy tcp-self' refuses update of records via UDP ($n)"
+$NSUPDATE > nsupdate.out.$n 2>&1 << END
+server 10.53.0.6 ${PORT}
+local 127.0.0.1
+update add 1.0.0.127.in-addr.arpa. 600 PTR localhost.
+send
+END
+grep REFUSED nsupdate.out.$n > /dev/null 2>&1 || ret=1
+$DIG $DIGOPTS @10.53.0.6 \
+ +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+ -x 127.0.0.1 > dig.out.ns6.$n
+grep localhost. dig.out.ns6.$n > /dev/null 2>&1 && ret=1
+if test $ret -ne 0
+then
+echo_i "failed"; status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check that 'update-policy tcp-self' permits update of records for the client's own address via TCP ($n)"
+$NSUPDATE -v > nsupdate.out.$n 2>&1 << END || ret=1
+server 10.53.0.6 ${PORT}
+local 127.0.0.1
+update add 1.0.0.127.in-addr.arpa. 600 PTR localhost.
+send
+END
+grep REFUSED nsupdate.out.$n > /dev/null 2>&1 && ret=1
+$DIG $DIGOPTS @10.53.0.6 \
+ +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+ -x 127.0.0.1 > dig.out.ns6.$n || ret=1
+grep localhost. dig.out.ns6.$n > /dev/null 2>&1 || ret=1
+if test $ret -ne 0
+then
+echo_i "failed"; status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check that 'update-policy tcp-self' refuses update of records for a different address from the client's own address via TCP ($n)"
+$NSUPDATE -v > nsupdate.out.$n 2>&1 << END
+server 10.53.0.6 ${PORT}
+local 127.0.0.1
+update add 1.0.168.192.in-addr.arpa. 600 PTR localhost.
+send
+END
+grep REFUSED nsupdate.out.$n > /dev/null 2>&1 || ret=1
+$DIG $DIGOPTS @10.53.0.6 \
+ +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+ -x 192.168.0.1 > dig.out.ns6.$n
+grep localhost. dig.out.ns6.$n > /dev/null 2>&1 && ret=1
+if test $ret -ne 0
+then
+echo_i "failed"; status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check that 'update-policy subdomain' is properly enforced ($n)"
+# "restricted.example.nil" matches "grant ... subdomain restricted.example.nil"
+# and thus this UPDATE should succeed.
+$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 || ret=1
+server 10.53.0.1 ${PORT}
+key restricted.example.nil 1234abcd8765
+update add restricted.example.nil 0 IN TXT everywhere.
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT > dig.out.1.test$n || ret=1
+grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1
+# "example.nil" does not match "grant ... subdomain restricted.example.nil" and
+# thus this UPDATE should fail.
+$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 && ret=1
+server 10.53.0.1 ${PORT}
+key restricted.example.nil 1234abcd8765
+update add example.nil 0 IN TXT everywhere.
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT > dig.out.2.test$n || ret=1
+grep "TXT.*everywhere" dig.out.2.test$n > /dev/null && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that 'update-policy zonesub' is properly enforced ($n)"
+# grant zonesub-key.example.nil zonesub TXT;
+# the A record update should be rejected as it is not in the type list
+$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 && ret=1
+server 10.53.0.1 ${PORT}
+key zonesub-key.example.nil 1234subk8765
+update add zonesub.example.nil 0 IN A 1.2.3.4
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil A > dig.out.1.test$n || ret=1
+grep "status: REFUSED" nsupdate.out1-$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.1.test$n > /dev/null || ret=1
+# the TXT record update should be accepted as it is in the type list
+$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 || ret=1
+server 10.53.0.1 ${PORT}
+key zonesub-key.example.nil 1234subk8765
+update add zonesub.example.nil 0 IN TXT everywhere.
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil TXT > dig.out.2.test$n || ret=1
+grep "status: REFUSED" nsupdate.out2-$n > /dev/null && ret=1
+grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1
+grep "TXT.*everywhere" dig.out.2.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check 'grant' in deny name + grant subdomain ($n)"
+$NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
+key hmac-sha256:subkey 1234abcd8765
+server 10.53.0.9 ${PORT}
+zone denyname.example
+update add foo.denyname.example 3600 IN TXT added
+send
+EOF
+$DIG $DIGOPTS +tcp @10.53.0.9 foo.denyname.example TXT > dig.out.ns9.test$n
+grep "added" dig.out.ns9.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check 'deny' in deny name + grant subdomain ($n)"
+$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+key hmac-sha256:subkey 1234abcd8765
+server 10.53.0.9 ${PORT}
+zone denyname.example
+update add denyname.example 3600 IN TXT added
+send
+EOF
+$DIG $DIGOPTS +tcp @10.53.0.9 denyname.example TXT > dig.out.ns9.test$n
+grep "added" dig.out.ns9.test$n > /dev/null && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)"
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \
+ @10.53.0.3 dnskey | \
+ awk -v port="${PORT}" 'BEGIN { print "server 10.53.0.3", port; }
+ $2 == 10 && $3 == "IN" && $4 == "DNSKEY" { $2 = 600; print "update add", $0 }
+ END { print "send" }' > update.in.$n
+$NSUPDATE update.in.$n
+
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \
+ @10.53.0.3 any > dig.out.ns3.$n
+
+grep "600.*DNSKEY" dig.out.ns3.$n > /dev/null || ret=1
+grep TYPE65534 dig.out.ns3.$n > /dev/null && ret=1
+if test $ret -ne 0
+then
+echo_i "failed"; status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check notify with TSIG worked ($n)"
+# if the alternate view received a notify--meaning, the notify was
+# validly signed by "altkey"--then the zonefile update.alt.bk will
+# will have been created.
+[ -f ns2/update.alt.bk ] || ret=1
+if [ $ret -ne 0 ]; then
+ echo_i "failed"
+ status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check type list options ($n)"
+$NSUPDATE -T > typelist.out.T.${n} || { ret=1; echo_i "nsupdate -T failed"; }
+$NSUPDATE -P > typelist.out.P.${n} || { ret=1; echo_i "nsupdate -P failed"; }
+$NSUPDATE -TP > typelist.out.TP.${n} || { ret=1; echo_i "nsupdate -TP failed"; }
+grep ANY typelist.out.T.${n} > /dev/null && { ret=1; echo_i "failed: ANY found (-T)"; }
+grep ANY typelist.out.P.${n} > /dev/null && { ret=1; echo_i "failed: ANY found (-P)"; }
+grep ANY typelist.out.TP.${n} > /dev/null && { ret=1; echo_i "failed: ANY found (-TP)"; }
+grep KEYDATA typelist.out.T.${n} > /dev/null && { ret=1; echo_i "failed: KEYDATA found (-T)"; }
+grep KEYDATA typelist.out.P.${n} > /dev/null && { ret=1; echo_i "failed: KEYDATA found (-P)"; }
+grep KEYDATA typelist.out.TP.${n} > /dev/null && { ret=1; echo_i "failed: KEYDATA found (-TP)"; }
+grep AAAA typelist.out.T.${n} > /dev/null || { ret=1; echo_i "failed: AAAA not found (-T)"; }
+grep AAAA typelist.out.P.${n} > /dev/null && { ret=1; echo_i "failed: AAAA found (-P)"; }
+grep AAAA typelist.out.TP.${n} > /dev/null || { ret=1; echo_i "failed: AAAA not found (-TP)"; }
+if [ $ret -ne 0 ]; then
+ echo_i "failed"
+ status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check command list ($n)"
+(
+while read cmd
+do
+ echo "$cmd" | $NSUPDATE > /dev/null 2>&1
+ if test $? -gt 1 ; then
+ echo_i "failed ($cmd)"
+ ret=1
+ fi
+ echo "$cmd " | $NSUPDATE > /dev/null 2>&1
+ if test $? -gt 1 ; then
+ echo_i "failed ($cmd)"
+ ret=1
+ fi
+done
+exit $ret
+) < commandlist || ret=1
+if [ $ret -ne 0 ]; then
+ status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
+if $FEATURETEST --md5
+then
+ ALGS="md5 sha1 sha224 sha256 sha384 sha512"
+else
+ ALGS="sha1 sha224 sha256 sha384 sha512"
+ echo_i "skipping disabled md5 algorithm"
+fi
+for alg in $ALGS; do
+ $NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
+server 10.53.0.1 ${PORT}
+update add ${alg}.keytests.nil. 600 A 10.10.10.3
+send
+END
+done
+sleep 2
+for alg in $ALGS; do
+ $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
+done
+if [ $ret -ne 0 ]; then
+ echo_i "failed"
+ status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check TSIG key algorithms (nsupdate -y) ($n)"
+for alg in md5 sha1 sha224 sha256 sha384 sha512; do
+ secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key)
+ $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" <<END > /dev/null || ret=1
+server 10.53.0.1 ${PORT}
+update add ${alg}.keytests.nil. 600 A 10.10.10.50
+send
+END
+done
+sleep 2
+for alg in md5 sha1 sha224 sha256 sha384 sha512; do
+ $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1
+done
+if [ $ret -ne 0 ]; then
+ echo_i "failed"
+ status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check that ttl is capped by max-ttl ($n)"
+$NSUPDATE <<END > /dev/null || ret=1
+server 10.53.0.1 ${PORT}
+update add cap.max-ttl.nil. 600 A 10.10.10.3
+update add nocap.max-ttl.nil. 150 A 10.10.10.3
+send
+END
+sleep 2
+$DIG $DIGOPTS @10.53.0.1 cap.max-ttl.nil | grep "^cap.max-ttl.nil. 300" > /dev/null 2>&1 || ret=1
+$DIG $DIGOPTS @10.53.0.1 nocap.max-ttl.nil | grep "^nocap.max-ttl.nil. 150" > /dev/null 2>&1 || ret=1
+if [ $ret -ne 0 ]; then
+ echo_i "failed"
+ status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "add a record which is truncated when logged. ($n)"
+$NSUPDATE verylarge || ret=1
+$DIG $DIGOPTS +tcp @10.53.0.1 txt txt.update.nil > dig.out.ns1.test$n
+grep "ANSWER: 1," dig.out.ns1.test$n > /dev/null || ret=1
+grep "adding an RR at 'txt.update.nil' TXT .* \[TRUNCATED\]" ns1/named.run > /dev/null || ret=1
+if [ $ret -ne 0 ]; then
+ echo_i "failed"
+ status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check that yyyymmddvv serial number is correctly generated ($n)"
+oldserial=$($DIG $DIGOPTS +short yyyymmddvv.nil. soa @10.53.0.1 | awk '{print $3}') || ret=1
+$NSUPDATE <<END > /dev/null 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ ttl 600
+ update add new.yyyymmddvv.nil in a 1.2.3.4
+ send
+END
+now=$($PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];')
+sleep 1
+serial=$($DIG $DIGOPTS +short yyyymmddvv.nil. soa @10.53.0.1 | awk '{print $3}') || ret=1
+[ "$oldserial" -ne "$serial" ] || ret=1
+[ "$serial" -eq "$now" ] || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+#
+# Refactor to use perl to launch the parallel updates.
+#
+if false
+then
+n=$((n + 1))
+echo_i "send many simultaneous updates via a update forwarder ($n)"
+ret=0
+for i in 0 1 2 3 4 5 6 7
+do
+(
+ for j in 0 1 2 3 4 5 6 7
+ do
+ (
+ $NSUPDATE << EOF
+server 10.53.0.3 ${PORT}
+zone many.test
+update add $i-$j.many.test 0 IN A 1.2.3.4
+send
+EOF
+ ) &
+ done
+ wait
+) &
+done
+wait
+dig axfr many.test @10.53.0.1 > dig.out.test$n
+lines=$(awk '$4 == "A" { l++ } END { print l }' dig.out.test$n)
+test ${lines:-0} -eq 64 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+fi
+
+n=$((n + 1))
+echo_i "check max-journal-size limits ($n)"
+ret=0
+rm -f nsupdate.out1-$n
+# add one record
+$NSUPDATE << EOF >> nsupdate.out1-$n 2>&1
+server 10.53.0.1 ${PORT}
+zone maxjournal.test
+update add z.maxjournal.test 300 IN A 10.20.30.40
+send
+EOF
+for i in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
+ # repeatedly add and remove the same set of records to fill up
+ # the journal file without changing the zone content
+ $NSUPDATE << EOF >> nsupdate.out1-$n 2>&1
+server 10.53.0.1 ${PORT}
+zone maxjournal.test
+update add a.maxjournal.test 300 IN A 1.2.3.4
+update add b.maxjournal.test 300 IN A 1.2.3.4
+update add c.maxjournal.test 300 IN A 1.2.3.4
+update add d.maxjournal.test 300 IN A 1.2.3.4
+send
+update del a.maxjournal.test
+update del b.maxjournal.test
+update del c.maxjournal.test
+update del d.maxjournal.test
+send
+EOF
+done
+# check that the journal is big enough to require truncation.
+size=$($PERL -e 'use File::stat; my $sb = stat(@ARGV[0]); printf("%s\n", $sb->size);' ns1/maxjournal.db.jnl)
+[ "$size" -gt 6000 ] || ret=1
+sleep 1
+$RNDCCMD 10.53.0.1 sync maxjournal.test
+check_size_lt_5000() (
+ size=$($PERL -e 'use File::stat; my $sb = stat(@ARGV[0]); printf("%s\n", $sb->size);' ns1/maxjournal.db.jnl)
+ [ "$size" -lt 5000 ]
+)
+retry_quiet 20 check_size_lt_5000 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+echo_i "check check-names processing ($n)"
+ret=0
+$NSUPDATE << EOF > nsupdate.out1-$n 2>&1
+update add # 0 in a 1.2.3.4
+EOF
+grep "bad owner" nsupdate.out1-$n > /dev/null || ret=1
+
+$NSUPDATE << EOF > nsupdate.out2-$n 2>&1
+check-names off
+update add # 0 in a 1.2.3.4
+EOF
+grep "bad owner" nsupdate.out2-$n > /dev/null && ret=1
+
+$NSUPDATE << EOF > nsupdate.out3-$n 2>&1
+update add . 0 in mx 0 #
+EOF
+grep "bad name" nsupdate.out3-$n > /dev/null || ret=1
+
+$NSUPDATE << EOF > nsupdate.out4-$n 2>&1
+check-names off
+update add . 0 in mx 0 #
+EOF
+grep "bad name" nsupdate.out4-$n > /dev/null && ret=1
+
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+echo_i "check adding of delegating NS records processing ($n)"
+ret=0
+$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone delegation.test.
+update add child.delegation.test. 3600 NS foo.example.net.
+update add child.delegation.test. 3600 NS bar.example.net.
+send
+EOF
+$DIG $DIGOPTS +tcp @10.53.0.3 ns child.delegation.test > dig.out.ns1.test$n
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
+grep "AUTHORITY: 2" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+echo_i "check deleting of delegating NS records processing ($n)"
+ret=0
+$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone delegation.test.
+update del child.delegation.test. 3600 NS foo.example.net.
+update del child.delegation.test. 3600 NS bar.example.net.
+send
+EOF
+$DIG $DIGOPTS +tcp @10.53.0.3 ns child.delegation.test > dig.out.ns1.test$n
+grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+echo_i "check that adding too many records is blocked ($n)"
+ret=0
+$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone too-big.test.
+update add r1.too-big.test 3600 IN TXT r1.too-big.test
+send
+EOF
+grep "update failed: SERVFAIL" nsupdate.out-$n > /dev/null || ret=1
+$DIG $DIGOPTS +tcp @10.53.0.3 r1.too-big.test TXT > dig.out.ns3.test$n
+grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
+grep "records in zone (4) exceeds max-records (3)" ns3/named.run > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check whether valid addresses are used for primary failover ($n)"
+$NSUPDATE -t 1 <<END > nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.4 ${PORT}
+zone unreachable.
+update add unreachable. 600 A 192.0.2.1
+send
+END
+grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out-$n > /dev/null 2>&1 || ret=1
+grep "not implemented" nsupdate.out-$n > /dev/null 2>&1 && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "ensure bad owner name is fatal in non-interactive mode ($n)"
+$NSUPDATE <<END > nsupdate.out 2>&1 && ret=1
+ update add emptylabel..nil. 600 A 10.10.10.1
+END
+grep "invalid owner name: empty label" nsupdate.out > /dev/null || ret=1
+grep "syntax error" nsupdate.out > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "ensure bad owner name is not fatal in interactive mode ($n)"
+$NSUPDATE -i <<END > nsupdate.out 2>&1 || ret=1
+ update add emptylabel..nil. 600 A 10.10.10.1
+END
+grep "invalid owner name: empty label" nsupdate.out > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "ensure invalid key type is fatal in non-interactive mode ($n)"
+$NSUPDATE <<END > nsupdate.out 2>&1 && ret=1
+ key badkeytype:example abcd12345678
+END
+grep "unknown key type 'badkeytype'" nsupdate.out > /dev/null || ret=1
+grep "syntax error" nsupdate.out > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "ensure invalid key type is not fatal in interactive mode ($n)"
+$NSUPDATE -i <<END > nsupdate.out 2>&1 || ret=1
+ key badkeytype:example abcd12345678
+END
+grep "unknown key type 'badkeytype'" nsupdate.out > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "ensure unresolvable server name is fatal in non-interactive mode ($n)"
+$NSUPDATE <<END > nsupdate.out 2>&1 && ret=1
+ server unresolvable..
+END
+grep "couldn't get address for 'unresolvable..':" nsupdate.out > /dev/null || ret=1
+grep "syntax error" nsupdate.out > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "ensure unresolvable server name is not fatal in interactive mode ($n)"
+$NSUPDATE -i <<END > nsupdate.out 2>&1 || ret=1
+ server unresolvable..
+END
+grep "couldn't get address for 'unresolvable..':" nsupdate.out > /dev/null || ret=1
+grep "syntax error" nsupdate.out > /dev/null && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check nsupdate -4 -6 ($n)"
+$NSUPDATE -4 -6 <<END > nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone delegation.test.
+update del child.delegation.test. 3600 NS foo.example.net.
+update del child.delegation.test. 3600 NS bar.example.net.
+send
+END
+grep "only one of -4 and -6 allowed" nsupdate.out-$n > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check nsupdate -4 with an IPv6 server address ($n)"
+$NSUPDATE -4 <<END > nsupdate.out-$n 2>&1 && ret=1
+server fd92:7065:b8e:ffff::2 ${PORT}
+zone delegation.test.
+update del child.delegation.test. 3600 NS foo.example.net.
+update del child.delegation.test. 3600 NS bar.example.net.
+send
+END
+grep "address family not supported" nsupdate.out-$n > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that TKEY in a update is rejected ($n)"
+$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+update add tkey.example 0 in tkey invalid.algorithm. 1516055980 1516140801 1 0 16 gRof8D2BFKvl/vrr9Lmnjw== 16 gRof8D2BFKvl/vrr9Lmnjw==
+send
+END
+grep "UPDATE, status: NOERROR" nsupdate.out-$n > /dev/null 2>&1 || ret=1
+grep "UPDATE, status: FORMERR" nsupdate.out-$n > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that DS to the zone apex is ignored ($n)"
+$DIG $DIGOPTS +tcp +norec example DS @10.53.0.3 > dig.out.pre.test$n || ret=1
+grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
+nextpart ns3/named.run > /dev/null
+# specify zone to override the default of adding to parent zone
+$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone example
+update add example 0 in DS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
+send
+END
+msg=": attempt to add a DS record at zone apex ignored"
+nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1
+$DIG $DIGOPTS +tcp +norec example DS @10.53.0.3 > dig.out.post.test$n || ret=1
+grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that CDS with mismatched algorithm to DNSSEC multisigner zone is not allowed ($n)"
+$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.pre.test$n || ret=1
+grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
+$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone multisigner.test
+update add multisigner.test 3600 IN CDS 14364 14 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
+send
+END
+msg=": bad CDS RRset"
+nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1
+$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.post.test$n || ret=1
+grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that CDNSKEY with mismatched algorithm to DNSSEC multisigner zone is not allowed ($n)"
+$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.pre.test$n || ret=1
+grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
+nextpart ns3/named.run > /dev/null
+$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone multisigner.test
+update add multisigner.test 3600 IN CDNSKEY 257 3 14 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ==
+send
+END
+msg=": bad CDNSKEY RRset"
+nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1
+$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.post.test$n || ret=1
+grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that CDS to DNSSEC multisigner zone is allowed ($n)"
+$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.pre.test$n || ret=1
+grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
+$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone multisigner.test
+update add multisigner.test 3600 IN CDS 14364 13 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
+send
+END
+retry_quiet 5 has_positive_response multisigner.test CDS 10.53.0.3 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that CDNSKEY to DNSSEC multisigner zone is allowed ($n)"
+$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.pre.test$n || ret=1
+grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
+$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone multisigner.test
+update add multisigner.test 3600 IN CDNSKEY 257 3 13 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ==
+send
+END
+retry_quiet 5 has_positive_response multisigner.test CDNSKEY 10.53.0.3 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that excessive NSEC3PARAM iterations are rejected by nsupdate ($n)"
+$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone example
+update add example 0 in NSEC3PARAM 1 0 151 -
+END
+grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n >/dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that update is rejected if query is not allowed ($n)"
+{
+ $NSUPDATE -d <<END
+ local 10.53.0.2
+ server 10.53.0.1 ${PORT}
+ update add reject.other.nil 3600 IN TXT Whatever
+ send
+END
+} > nsupdate.out.test$n 2>&1
+grep 'failed: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+# This check is unstable on Windows.
+if [ ! "$CYGWIN" ]; then
+ n=$((n + 1))
+ ret=0
+ echo_i "check that update is rejected if quota is exceeded ($n)"
+ for loop in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
+ {
+ $NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null 2>&1 <<END
+ update add txt-$loop.other.nil 3600 IN TXT Whatever
+ send
+END
+ } &
+ done
+ wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+fi
+
+if ! $FEATURETEST --gssapi ; then
+ echo_i "SKIPPED: GSSAPI tests"
+else
+ n=$((n + 1))
+ ret=0
+ echo_i "check krb5-self match ($n)"
+ KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.7 ${PORT}
+ zone example.com
+ update add machine.example.com 3600 IN A 10.53.0.7
+ send
+EOF
+ $DIG $DIGOPTS +tcp @10.53.0.7 machine.example.com A > dig.out.ns7.test$n
+ grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1
+ grep "machine.example.com..*A.*10.53.0.7" dig.out.ns7.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=$((n + 1))
+ ret=0
+ echo_i "check krb5-self no-match ($n)"
+ KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.7 ${PORT}
+ zone example.com
+ update add foo.example.com 3600 IN A 10.53.0.7
+ send
+EOF
+ grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+ $DIG $DIGOPTS +tcp @10.53.0.7 foo.example.com A > dig.out.ns7.test$n
+ grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=$((n + 1))
+ ret=0
+ echo_i "check krb5-subdomain match ($n)"
+ KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
+ export KRB5CCNAME
+ $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.7 ${PORT}
+ zone example.com
+ update add _xxx._tcp.example.com 3600 IN SRV 0 0 0 machine.example.com
+ send
+EOF
+ $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._tcp.example.com SRV > dig.out.ns7.test$n
+ grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1
+ grep "_xxx._tcp.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns7.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=$((n + 1))
+ ret=0
+ echo_i "check krb5-subdomain no-match ($n)"
+ KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.7 ${PORT}
+ zone example.com
+ update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com
+ send
+EOF
+ grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+ $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._udp.example.com SRV > dig.out.ns7.test$n
+ grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=$((n+1))
+ ret=0
+ echo_i "check krb5-selfsub match ($n)"
+ KRB5CCNAME="FILE:$(pwd)/ns8/machine.ccache"
+ export KRB5CCNAME
+ $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.8 ${PORT}
+ zone example.com
+ update add xxx.machine.example.com 3600 IN A 10.53.0.8
+ send
+EOF
+ $DIG $DIGOPTS +tcp @10.53.0.8 xxx.machine.example.com A > dig.out.ns8.test$n
+ grep "status: NOERROR" dig.out.ns8.test$n > /dev/null || ret=1
+ grep "xxx.machine.example.com..*A.*10.53.0.8" dig.out.ns8.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=$((n + 1))
+ ret=0
+ echo_i "check krb5-selfsub no-match ($n)"
+ KRB5CCNAME="FILE:$(pwd)/ns8/machine.ccache"
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.8 ${PORT}
+ zone example.com
+ update add foo.example.com 3600 IN A 10.53.0.8
+ send
+EOF
+ grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+ $DIG $DIGOPTS +tcp @10.53.0.8 foo.example.com A > dig.out.ns8.test$n
+ grep "status: NXDOMAIN" dig.out.ns8.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=$((n + 1))
+ ret=0
+
+ echo_i "check ms-self match ($n)"
+ KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache"
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.9 ${PORT}
+ zone example.com
+ update add machine.example.com 3600 IN A 10.53.0.9
+ send
+EOF
+ $DIG $DIGOPTS +tcp @10.53.0.9 machine.example.com A > dig.out.ns9.test$n
+ grep "status: NOERROR" dig.out.ns9.test$n > /dev/null || ret=1
+ grep "machine.example.com..*A.*10.53.0.9" dig.out.ns9.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=$((n + 1))
+ ret=0
+ echo_i "check ms-self no-match ($n)"
+ KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache"
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.9 ${PORT}
+ zone example.com
+ update add foo.example.com 3600 IN A 10.53.0.9
+ send
+EOF
+ grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+ $DIG $DIGOPTS +tcp @10.53.0.9 foo.example.com A > dig.out.ns9.test$n
+ grep "status: NXDOMAIN" dig.out.ns9.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=$((n + 1))
+ ret=0
+ echo_i "check ms-subdomain match ($n)"
+ KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache"
+ export KRB5CCNAME
+ $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.9 ${PORT}
+ zone example.com
+ update add _xxx._tcp.example.com 3600 IN SRV 0 0 0 machine.example.com
+ send
+EOF
+ $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._tcp.example.com SRV > dig.out.ns9.test$n
+ grep "status: NOERROR" dig.out.ns9.test$n > /dev/null || ret=1
+ grep "_xxx._tcp.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns9.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=$((n + 1))
+ ret=0
+ echo_i "check ms-subdomain no-match ($n)"
+ KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache"
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.9 ${PORT}
+ zone example.com
+ update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com
+ send
+EOF
+ grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+ $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._udp.example.com SRV > dig.out.ns9.test$n
+ grep "status: NXDOMAIN" dig.out.ns9.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=$((n+1))
+ ret=0
+ echo_i "check ms-selfsub match ($n)"
+ KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
+ export KRB5CCNAME
+ $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.10 ${PORT}
+ zone example.com
+ update add xxx.machine.example.com 3600 IN A 10.53.0.10
+ send
+EOF
+ $DIG $DIGOPTS +tcp @10.53.0.10 xxx.machine.example.com A > dig.out.ns10.test$n
+ grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1
+ grep "xxx.machine.example.com..*A.*10.53.0.10" dig.out.ns10.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ n=$((n + 1))
+ ret=0
+ echo_i "check ms-selfsub no-match ($n)"
+ KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.10 ${PORT}
+ zone example.com
+ update add foo.example.com 3600 IN A 10.53.0.10
+ send
+EOF
+ grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+ $DIG $DIGOPTS +tcp @10.53.0.10 foo.example.com A > dig.out.ns10.test$n
+ grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+fi
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1